By Todd R. Weiss
Cloud computing offers your business a myriad of benefits, from lower IT costs to simpler infrastructure to freeing up your IT staff from generic tasks so they can work on core business projects that can drive growth and revenue. The biggest worry, however, can be security in the cloud.
That's why businesses and IT leaders need to hire cloud providers who will keep their critical business data secure in the cloud, come hell or high water.
And that, said Ryan Kean, a co-author of a new cloud security study from the non-profit Cloud Standards Customer Council (CSCC), is where many people make some very costly and debilitating business mistakes that can have serious consequences for their operations.
"They see something at a conference or get a call from a vendor" who asks them if they need a cloud provider, said Kean. So they jump in, hear all the hoopla and promises and sign service contracts, without grilling the vendors on all of the tough security questions they need to ask to be sure they are being well-served. "Sometimes their exuberance can lead them down a bad path," said Kean. "I see it happen in talking with peers at conferences."
To help prevent those kinds of mistakes, the CSCC has just issued a free report, "Security for Cloud Computing: 10 Steps to Ensure Success," to help business owners and IT managers learn more about what they need to ask, know and demand of their cloud providers when it comes to data security.
Kean, a senior director of enterprise architecture for a major U.S. retail company (he asked that the name of the company be withheld), said it's important not to listen to all of the hype when talking with cloud vendors about data security.
Instead, business owners need to key in on issues, such as what makes one cloud provider more secure than another, so they can dive in with lots of probing questions, said Kean.
The cloud security study includes a list of steps, along with guidance and strategies, to help business owners ask the right questions in discussions and negotiations with cloud companies so they can best protect their business operations and data security.
So what are the 10 steps for ensuring your company gets the best data security it can find in the cloud, according to the study?
- Ensure effective governance, risk and compliance processes exist
- Audit operational and business processes
- Manage people, roles and identities
- Ensure proper protection of data and information
- Enforce privacy policies
- Assess the security provisions for cloud applications
- Ensure cloud networks and connections are secure
- Evaluate security controls on physical infrastructure and facilities
- Manage security terms in the cloud SLA
- Understand the security requirements of the exit process
Together with a previous study conducted by the CSCC for business cloud customers on contracts and Service Level Agreements (SLAs), the latest study is aimed at giving good information and advice to people who don't have deep security expertise, said Kean. "It's a step-by-step 'here's how' for how you can get through the process with some cautions."
Three of the steps are most critical, he said.
First, "really understand the data that you're putting out there, and all the requirements around it," said Kean. "If you are a healthcare company, for instance, you need to understand the regulatory requirements under HIPAA. It is a given but a lot of people overlook things like that."
Another key area often left out of the equation is portability – making sure that you ask prospective cloud providers about how you will get all of your data out of their cloud if you should choose to move it, according to Kean.
"A lot of times companies know they are going to engage a cloud provider, but they're only interested in how they are going to get their data into it," he said. "But it's such an immature market, with a lot of consolidation and new players coming into it." You need to be prepared for that and be ready to pull all of your data completely and be able to move it elsewhere. Only if you have such talks with your cloud provider will you know how they handle such steps and know that they will completely remove your data from their infrastructure, he said. "You want to make sure when your data is gone that you don't leave any fingerprints behind."
So far, universal cloud standards across the board don't yet exist, but are being hashed out by a number of industry groups that are working to make transfers and service from multiple providers easier in the future.
"We continue to talk about the need for standards across different providers to help with some of this," he said. "It's not always easy or possible to transfer your data to another provider today."
Lastly, when negotiating service contracts with cloud vendors, be sure that you build security terms into the contract and SLA with your provider, said Kean. Surprisingly, that's not always done because customers often don't know what to ask or they expect more than the vendor will deliver.
"I've read a lot of contracts and SLAs that different providers have put on the Internet today and you'll find a lot of variables," said Kean. "If I'm a cloud provider and I'm calling a business user about services, the user will make those assumptions and not get into the [minutia] of getting into that stuff. The customer figures it is all in there. They can take things for granted and not do that research on their part."
To prevent that, "ask everything and assume nothing," said Kean. "But smaller businesses aren't necessarily going to have a big hammer to wield in negotiations in such talks so they're going to have to make some compromises."
That could mean they'll have to accept some contract terms that they don't like, such as service disruption penalties against the vendor that won't actually cover true business losses that could come from a service outage.
"If you pay $50 a month for a service and it's critical to your business, then it goes out for a month, you're only getting a service credit for $50 but it may have had a $1 million impact on your business," said Kean. "You need to understand that you must have cloud providers who can honor the true value of your business data. You should know the true value of your business data and have a mitigation plan."
Such a plan can include a second cloud provider for redundancy or a swift move to paper transactions if necessary to get through a service outage, he said.
"Always have a Plan B," said Kean.
Kean was joined by eight other enterprise IT experts who helped write the study. The CSCC calls itself an "end user advocacy group dedicated to accelerating cloud's successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud." With those goals, the group is working to drive standards development to help create best practices and use cases to assist other enterprises.
Created in April 2011, the group includes IBM, Kaavo, Rackspace and Software AG as its founding members. It also includes other well-known names such as Lockheed Martin, Citigroup, State Street and North Carolina State University among its more than 375 members. The group welcomes qualified members and charges no membership fees.
So what's it all mean for your business?
To me, it means that you don't have to go in alone when looking at cloud contracts and talking with cloud vendors. Take the advice in this report as a start and start asking questions and demanding answers from your vendors.
And if you care about emerging cloud standards, get involved in groups like the CSCC to help ensure that businesses like yours get the cloud infrastructure and services that you need.
No matter what, don't go into a cloud contract with so much exuberance that you leave your company's business data security out in the cold. It's easy to be overwhelmed, but help is out there.
Todd R. Weiss is an award-winning technology journalist and freelance writer who worked as a staff reporter for Computerworld.com from 2000 to 2008. Weiss covers enterprise IT from cloud computing to Hadoop to virtualization, enterprise applications such as ERP, CRM and BI, Linux and open source, and more. He spends his spare time working on a book about an unheralded member of the 1957 Milwaukee Braves and watching classic Humphrey Bogart movies. You can follow him on Twitter @TechManTalking. You can contact him at firstname.lastname@example.org