If there’s one word that dominated IT in 2009, it was ‘cloud’. And for good reason; the rapidly maturing market of cloud services is growing closer to realising its true promise of reducing IT costs, increasing automation, flexibility and mobility of end users and, arguably, allowing IT managers and their staff to spend more time on innovation.
Along with these benefits the cloud has also introduced a new set of IT management complexities, regardless of whether it is the public, private or hybrid model. The need for visibility is a major area of focus, followed by the control of the management of both physical and virtual environments while ensuring that data is secure, protected and compliant. IT managers must also consider issues around interoperability and the need for automation.
Securing the nebula
The security ramifications of the of the cloud have dominated discussions about cloud management. Detractors will argue that the cloud is inherently insecure. Proponents counter that it is safer than traditional computing and therefore an aid to IT management.
Spearheading the latter argument, Peter Coffee, director of platform research at Salesforce.com, argues enterprise-grade cloud service providers can apply a higher level of expertise, under far more stringent scrutiny, while spreading the costs of rigorous security across a far greater number of customers than the data centres of even the largest enterprises and government agencies.
“People are intrigued to discover that in a cloud services installation, it may actually be more difficult for an administrator to snoop or to misappropriate information than is the case in the on-premise data centre — where a sizable fraction of administrators admit, anonymously, to doing these things,” he says. “People need to be aided in recognising that the cloud should be compared, not to a theoretical ideal, but to the facts of the costly but inadequate security that most organisations tolerate now.”
Coffee’s argument is supported by Asia Pacific IT solutions practice manager at Verizon Business, David Rosengrave, who says customers of the company are deliberately moving testing and development environments which require external collaboration into the cloud.
In the ‘cloud security must be managed’ camp, IDC analyst, Linus Lai, says that despite improvements in security, IT managers should look to reviews, assessments and verification of cloud service provider’s security practices as the first step in managing the risks.
A security review should also cover aspects such as disaster recovery, failover plans and access to management systems.
There will always be data that is too sensitive to leave your business. The priority, according to Clearswift managing director, Peter Croft, lies in the routes between your business and the cloud, not the cloud itself.
“The potential for data getting in to the wrong hands starts from the moment it leaves an organisation, and it’s therefore at this boundary between the organisation and its external environment that security has to be the key priority for those looking to use cloud-based services,” he says.
“Some have suggested a standardised security Kitemark system [BSI Group’s quality certification mark] for cloud providers could be the answer, but the commercial considerations and logistics involved in this render it a long term possibility at best.”
In addition to choosing which apps and data suit the cloud and which should be left on-premise, IT managers must also think about the security back into their organsiation from the cloud.
“If you’re letting applications in the cloud talk back into your internal organisation, does that mean that anyone one that external cloud can access my internal applications and data?” asks Melbourne IT’s chief technology officer, Glenn Gore. “You need to look at how you create virtual private networks between yourself and the public cloud provider. Tracking the use of information and data flow between the public and private cloud is important.”
Robert Yue, general manager, Australia, HP Software and Solutions says trusting your data to a cloud service provider doesn’t mean your company is off the hook for ensuring its protection.
“The cloud raises risks that some service providers may not address,” he says. “For example, a cloud service provider’s logging and record retention schemes may not meet company-specific regulatory obligations, which may cause an organisation to fail a security audit. Many cloud service providers offer no service level agreements. That means companies have no guarantees about data availability, privacy or data protection.”
Next: Governance, risk and compliance