– Debra Littlejohn Shinder, MCSE, MVP (Security) a technology consultant, trainer and writer, says:
It’s becoming less an option and more a given that most businesses will (if they haven’t already) make that migration “journey to the cloud” in the near future. The advantages of cloud computing – in the form of cost savings based on economies of scale, streamlining of processes, increased accessibility to resources, and simplified administration – are becoming too obvious for even most stalwart companies to ignore.
Security concerns about the cloud have lessened over the past few years, with large cloud providers plowing millions of dollars into levels of security that go far beyond what the typical enterprise datacenter implements or can afford. Nonetheless, security is still a legitimate concern, especially for those organizations that deal with sensitive information and/or are subject to government or industry regulatory compliance requirements.
Something that is sometimes overlooked in the debate over whether or not to venture into the cloud is that it doesn’t have to be an all-or-nothing decision. In fact, a hybrid IT environment, wherein some data and applications are “cloudified” and others aren’t, is expected to become the norm for near-future enterprise computing.
But planning for a partial cloud deployment isn’t as simple as it sounds. The first step is to determine what goes into the cloud and what doesn’t. Which applications and processes are just too mission-critical or too complex to trust them to a public cloud provider? What data is so sensitive that it shouldn’t leave your premises?
To answer those questions, you have to individually evaluate each of the resources that you’re considering moving to the cloud. Of course you will also be looking at the performance and reliability aspects of putting each in the cloud, and we’ll touch on those, but we’re going to focus here on the security implications.
A realistic risk assessment for each resource involves evaluating
- What is the harm that would be done if the data were to be accessed by cloud services employees, by outsiders who gained access to the cloud storage, by the general public if the data were to be exposed on the Internet?
- What is the likelihood of a data breach or compromise, given the history of the cloud provider you’re considering and historical information about cloud services as a whole?
- What is the harm that would be done if your application or process became unavailable for a short or extended period of time, or if its operations were tampered with by a cloud services employee or an outsider?
- What is the likelihood of frequent or extended down time given the history and the guaranteed service level offered by the cloud provider? What is the likelihood of deliberate tampering based on historical evidence?
Harm can be measured in monetary terms (how much money would you lose based on estimated loss of productivity, loss of customers, etc.) and in terms of non-tangible damage such as permanent injury to the company’s reputation and the loss of potential future customers.
You need to first look at the risk associated with your current way of doing things (on premises datacenter) and then at how the level of risk would change with a move to the cloud. Keep in mind that the cloud is not a one-size-fits-all concept. There are different types of clouds: private, public, and community clouds. Any combination of these can be deployed together to create the hybrid cloud.
The next step, then, is to determine what the comfort level is for each resource based on the risk assessment. Does this particular resource require the complete control you have in an internal network/on-premises deployment? Would a private external cloud be appropriate? Would you entrust it to a community cloud (considering the other members of the particular community, of course)? Is it appropriate for migration to a public cloud?
For those resources that can be safely moved to the cloud, based on this analysis, the next step is to evaluate the different cloud services providers. That process includes doing your homework regarding the providers’ reputations, the services they offer, their pricing models, and of course a careful perusal (preferably by a legal professional) of their contracts and service level agreements. You can find a more detailed discussion of how to do that in my 5-part article on Selecting a Cloud Provider over on CloudComputingAdmin.com.