Cloud control

On May 14 an outage crippled several hosted Google Apps services — including Gmail, Google Maps and Google Reader.

Google downplayed the crash, saying it slowed down service for just 14 per cent of its users.

But the incident reinforces concerns many have about cloud computing, a generic term for a broad range of hosted services over the Internet.

The issue of security over the cloud is a critical one and shouldn’t be minimized, according to Ace Swerling, director of security architecture at Avanade Inc., a Seattle-based global IT consulting firm.  

In fact, security-related concerns are typically the first ones that come up when businesses consider cloud computing, Swerling said.  

Some common questions potential adopters ask are:

  • Where will my data reside?
  • How can I be sure it will go where it needs to?
  • How would I manage transactions and control access to data and services?

The Avanade executive said firms have a hard enough time securing their hardware-based networks and services and “want to know how they can protect something they can’t even see.”

On their part, cloud computing service providers flaunt the financial and operational benefits of the model.

Companies and IT departments do recognize these benefits. In fact, 58 per cent of IT decision makers polled by management and technology consulting firm Accenture Inc. say cloud computing will cause a “radical shift in information technology.”

The survey report (Cloud Computing – Balancing Risk and Reward) was authored by Eric Ashdown, senior executive, global security strategy and risk management at Accenture and Walid Negm, cloud computing lead at the same company.

Ashdown and Negm list five challenges firms could face when dealing with cloud computing service providers, and offer suggestions for handling these:

Challenge 1 – The company is solely responsible for security and backing up its data.  Providers of cloud services don’t guarantee data protection, though many offer a base level of security.  

What you can do:
– Get the service provider to accept some responsibility for the data in its possession
– Get an appropriate backend recovery mechanism
– Ensure messages and data are encrypted at rest, or tools to do this are available  
– Ensure passwords in the cloud are not in clear text
– Use digital signatures
– Get contractual commitment from vendors to support an investigation
– Ensure physical separation of foreign virtual machines

Challenge 2 – Cloud providers can shut down applications if they determine they are unlawful or violate agreements and policies of use. You can be shut out of services and left to deal with your customers on your own.

What you can do:
Include a disclaimer of liability clause in your client agreements. Make sure it states the limits of your responsibility when a provider of cloud services shuts down access.

Challenge 3 – The service provider makes limited up-time guarantees and no response time guarantees. Service availability suffers and in a crisis the business isn’t sure it can continue serving clients.

What you can do:
– Ensure uptime or availability guarantees are specifically included in the service level agreement
– Develop a high-availability disaster control system that operates in a separate location, or even in multiple locations

Challenge 4 – Cloud providers allow access to data based on laws or regulatory requests. This could affect your client’s privacy requirements.

What you can do:
– Ensure there is adequate and appropriate use of encryption
– Restrict data movement and storage to specific jurisdictions
– Record evidence and verification of data migration

Challenge 5 – Cloud providers can move data to servers located outside mandated jurisdictions. There may be instances when your data resides in jurisdictions not covered by local laws, or data may be subject to international issues.

What you can do:
Make sure your cloud computing provider gives you the ability to request a hosting location.
