By: Colin Bertram

Are you utilising cloud computing technologies? Is your firm considering the cloud? Concerned about security? You should be – but don’t let this stop you!

Cloud providers generally follow one of three service models, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS).

Under the Infrastructure as a Service model, the vendor will provide the physical hardware associated with mass data storage and access to it, including CPU processing, data storage and network connectivity, and continue to maintain this infrastructure and you, the customer, are responsible for the operating system and software applications.

Vendors providing Platform as a Service will typically offer the use of their infrastructure AND operating system and server applications but rely on their customers to still provide their own software application of choice.

Whereas Software as a Service relies on the vendor to provide physical hardware, associated operating systems and relevant software applications which leaves minimal configuration settings for the customer to be concerned about.  This model is popular for email and collaborative file sharing platforms.

To be assured of your business continuity, you need to be certain of what can be expected, from you as well as from your vendor, in regards to data backup plans – whether that be additional costs or of the timing intervals, and if these are acceptable.  Your Service Level Agreement (SLA) will outline conditions around outages, and with guarantees of 99.9% availability still allowing up to nine hours of unscheduled outage per year, can you consider this acceptable? Will your SLA have provisions for compensations? Additionally, can your own connectivity to the cloud be compromised?

Choices for vendors at present are quite numerous.  Questions to be asked of your vendor should cover topics of data integrity, scalability and restoration.  Already knowing what their redundancy and onsite backup operations consist of, will the integrity of your data be guaranteed? And if files (including emails) are deleted, will they be able to be fully, or at least partially recovered?  And more importantly, how much additional data storage is available to your organisation as it is required?

In the event that your vendor goes into liquidation or for any other reason ceases to be a cloud provider, you should simply be able to change vendors. Should this occur, you need to know what are the ramifications to you in regards to your data and access to it.  Are protocols in place to prevent vendor lock-in?  You will want to be certain that your data will be permanently deleted and processes outlined in the Information Security Manual (ISM) for media sanitisation are satisfied.

Legislative requirements may also need to be adhered to.  The location of where your vendor physically positions their data centre could be of concern to you.  If this site is located in another country, be absolutely certain you known which foreign countries could potentially gain access to your data, both where it is geographically located and while it is in transit.  The sensitivity of your data will come in to question and whether the data encryption technologies are sufficient will need to reflect this.

Many firms have turned to cloud computing to pursue innovative business opportunities by networking with customers over the Internet giving raise to the possibility of trialling new ideas or ventures.

Converting to the cloud offers organisations the ability to reduce capital expenditure needed for computer equipment associated with a data centre and thereby only pay for the amount of data storage that is actually needed and used.  Following on from this, ongoing overheads can also be reduced as the hiring cost of support staff and technical specialists required to facilitate an operation such as a data centre is spread across the several customers and therefore shared.

Cloud computing also offers greater business continuity allowing staff to access files and documents from any physical location provided customers have network connectivity.  Disaster recovery processes are significantly enhanced as the infrastructure is normally located at multiple sites, should access to one location be unviable, access to a secondary or tertiary site is always ready to come online.

However, as a customer you need to be assured that your cloud vendor will maintain their availability ensuring your business’ functionality, that your data is protected from unauthorised access by a third party, or by your vendors other customers (potentially your rival) or potential rogue vendor employees and you should be aware of how your vendor handles security incidents.