In Forrester’s article titled “ A Close Look At Cloud Computing Security”  by Chenxi Wang, Ph.D. Wang states “While cloud computing is able to deliver many benefits, organizations should not jump on the “cloud” wagon without a compelling business driver and a clear understanding of the security, privacy, compliance, and legal consequences. An effective assessment strategy covering these items will help you reach the ultimate goal: Make the cloud service work like your own IT security department and find ways to secure and optimize your investments in the cloud.”

Forrester includes data protection, disaster recovery, and identity management as some of the areas under security and suggest that an audit of the potential cloud provider to see what level of security is actually provided.

As for compliance, the user should analyze how the cloud may or may not impact one’s compliance requirements.

For legal and contractual issues, Forrester advises that one understands who owns/is responsible for what, between the user and the provider (the data, the infrastructure, etc.)

Another article by Network World’s Jon Brodkin titled “Gartner: Seven Cloud – Computing Security Risks” he talks about seven security risk areas.

1. Privileged user access, sensitive data processed outside the enterprise.

2. Regulatory compliance, how does the cloud provider match your guidelines?

3. Data location, where exactly is your data housed?

 4. Data segregation, understand that your data is “sitting” next to other’s data

 5. Disaster Recovery, what happens when there is an outage?

6.  Investigating inappropriate or illegal activity may be impossible in cloud computing,

7. Long-term viability, what happens if your provider “goes away”?

Another article in Network World that reported on the RSA conference, and stated that the former technical director of NSA, Brian Snow is very concerned about vendors offering cloud computing from a security point of view. He is concerned about vendors not addressing current security issues and about new issues that cloud computing will create.   Ironically another panelist was concerned about “Big Brother” listening in on cloud computing and how this might impact enterprises’ privacy and compliance issues.

So to wrap up, the internet has security issues, and since cloud computing is in the internet, cloud computing will have those security issues, ones listed above, and ones yet to be discovered. It comes down to the risk profile for your corporation; what level of risk is right for your company relative to investing in cloud computing? Obviously part of the risk assessment depends on your type of company.  If you are a financial advisor or in stock management where your intellectual property is basically the company then cloud computing as we currently know it is not right for you at any cost savings. If you resell ping -pong balls (no offense to ping- pong ball resellers) than the risk is relatively low and the savings from cloud computing outweigh the security and other considerations. 

Have you conducted an adequate risk assessment before deciding to move to cloud computing?

RHL 03/10/10

What is cloud computing? Well right off, there are various and numerous definitions. In the same breath you will hear about, hosted solutions, managed solutions, virtualization, Internet Service Providers (ISP), Software as a Service (SaaS), grid computing, utility computing, security, and platforms, just to name a few.  We will discuss all of these and more in later postings, but first what is most important is seeing if cloud computing is right for you. So in the spirit of simplicity, here are definitions for cloud computing.

First a definition from Wikipedia:  

Cloud computing is Internet- (“cloud-”) based development and use of computer technology (“computing”). In concept, it is a paradigm shift whereby details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure “in the cloud” that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.

Whoa that was clear!  Try this one:

Cloud computing consists of shared computing resources that are virtualized and accessed as a service, through an API.¹ 

 If it is still not clear try this analogy; for people who have a home, and you if do your own lawn care then you might own the following pieces of equipment; a rake,  shovels,  a hoe, hoses, lawn mower, fertilizer spreader, an edger, leaf blower, seed, fertilizer and other variety of tools. Instead of owning all this equipment and taking up the time to maintain your lawn, you can hire someone to do this and therefore pay a fee per application usage, letting the lawn care company provide all the equipment and materials and work. The benefit to you is no cost for the all the equipment; they come when you want them and you only pay if the service is performed to your satisfaction. You can spend that saved time golfing or just reading a few novels.  Now the equivalent for an IT enterprise is they must have servers, cables, infrastructure, routers, switches, a data center, massive power supplies, and software applications to support the various lines of businesses.  Cloud computing is like the lawn care company; all the hardware (except for some form of a terminal), applications and services are in the internet cloud.

Again, the benefits of cloud computing to the enterprise are: scalable, instant access and cost savings.  A little more about the proposed benefits:  Scalable, in the current environment, as your business grows and more people use your systems you will need to add more servers, more connections to support the additional traffic and more infrastructures. This impacts your costs and eventually a limit to the amount of scaling you can actually achieve.  With cloud computing you not only can scale but you only pay for what you are actually using.

Instant access; again in the current environment, applications might not be available or limited to the number of users it can support or not even exist. Cloud computing you can have access to applications you currently use and even new applications.

Costs; your capital expenditures decrease considerably and you are paying on a usage basis, thus you are maximizing on your returns. For small businesses the barrier to entry is greatly reduced and thus one can compete with larger enterprises, by using the same applications.

Now like anything in life, there are pros and cons.  Cloud computing might not be good for every enterprise. One example is, a small or medium enterprise that has an efficient infrastructure might find that cloud computing could be more expensive than the current mode of operation. Another consideration is your installed quality of communication versus the quality of communication services or service level agreement (SLA) that is provided by the cloud provider. Other issues to consider are what type of security and maintenance are being provided by the “cloud”?

Like I have said many times before, first make sure you have a strategy and see if cloud computing supports the strategy.  Key factors in determining if cloud computing is right for you are:  the need for scalability, access to applications, availability of skilled IT resources, security, service level agreements, economics, reliability, and maintenance.

But at the end of the day the real issue is cost; is your cost to run your IT for today and tomorrow less then the potential cost of using the “cloud”?

Next time we will go into the next level of discussion regarding cloud computing.

RHL 2/9/10

1. www.appistry.com

In obtaining this information, the buyer readily gives up some information about himself.  At a minimum, his/her name and email addresses; more detailed information about his/her company, buying intentions and other demographic data if he/she wants a particular white paper or is promised a discount or savings.

This information flows into the Marketing department and usually into an automated Customer Relationship Management (CRM) tool, often under the control of the CMO but maintained by the IT department.

The video below, produced by the ACLU a few years ago, is a tongue-in-cheek representation of what might happen if this information becomes freely available.  However, with data mining tools and loose security it is not too far fetched.

Ordering Pizza in the Future

It is important to note that the EU has an entirely different view of data privacy than the US.  If you work within a multi-national and/or are collecting information about people from outside the US, you need to take added steps to secure this information.

As CMO, are you comfortable that your customer information is secure and cannot slip out of your company?  If not, do you know what steps to take to make it secure?

RHM

11/19/2009