A nip in the air?
Written by Christopher Barnatt & Deborah Ritchie
Like it or not, cloud computing is here to stay, and embracing it seems the smart option for today’s organisations. But there are clear downsides.
Over two million businesses now use the Google Apps online e-mail and office suite, with 20 per cent of companies making at least some use of the Google Docs online word processor. In February, IBM signed a contract with the US Air Force to design a secure, private cloud computing infrastructure capable of supporting nearly 100 bases and 700,000 active military personnel. A month later, Microsoft CEO Steve Ballmer even claimed to be “betting the company” on cloud computing. Like it or loathe it, cloud computing is now more than just hype.
With their own 3G internet connection, many laptops, netbooks and smartphones no longer rely on the company network. Managers wishing to experiment with SaaS applications like Google Docs, Microsoft Office Web Apps and Zoho can therefore just sign up.
Thus, every company needs a cloud computing policy. This could be as simple as ‘no employee may make use of SaaS or any other cloud service to create, store, communicate or process any form of company data’. Such a zero-tolerance position is likely to rapidly become unsustainable, however – not least because most SaaS applications also function as collaborative communications tools.
Increasingly, employees in most companies are going to be receiving invitations to share cloud computing documents created by customers or suppliers. Hence, in the same way that no company can now realistically ban the use of external e-mail and file attachments, so it is likely that very soon every business will need to put in place acceptable working practices for sharing data in the cloud.
Trusting data to third-party internet vendors is also nothing new. In fact, most of the risks related to cloud computing are perceptual. Granted, any company that allows the creation of SaaS documents is trusting the reliability and security of a cloud vendor such as Google or Microsoft. However, any business that distributes documents via e-mail attachment is already trusting every company responsible for the internet infrastructure over which their data travels. Although some may not have realised it, we long ago mortgaged our collective souls and a great deal of company data to the web.
What cloud computing does make critical are policies and procedures governing access device security. The biggest cloud security risk is not that anybody will break into a cloud vendor’s data centre. Nor is it that a vendor will be unavailable. Cloud vendor service levels in fact already far exceed those of most internal IT departments. Rather, by far the greatest risk is that hackers will exploit security vulnerabilities at the user end of the cloud computing chain.
In January 2010 it was widely misreported that the Google accounts of some Chinese dissidents had been hacked by the Chinese Government. However, what had actually happened was that spyware had been planted on dissidents’ PCs in order to obtain usernames and passwords that were then used to ‘legitimately’ access their Google accounts. The result may have been the same. However, what this incident ought to hammer home is that companies concerned about cloud computing security ought to get their own house in order before worrying about a cloud vendor who knows full well that their entire business and reputation rely on good security and service levels. Unpatched operating systems, poor anti-virus protection, out-of-date browsers and ineffective password management are the real cloud computing security vulnerabilities, and yet they are something that any company ought to be able to control.
Creating and sharing documents online may also lessen corporate exposure to risk. Many small companies do not implement, and sometimes cannot afford, adequate measures to ensure that their data is always securely backed up off-site. However, anybody using Google Docs immediately benefits from Google’s practice of ‘synchronous replication’ whereby all data is automatically backed up across two Google data centres. Users of cloud computing office packages also have no need to carry data around on USB keys, optical disks or those other storage devices regularly lost on trains. Rather, they can always access files from any computer without ever making a local copy. With appropriate measures in place, cloud computing can therefore allow company data to be more securely ring-fenced than it sometimes is today.
Over the next decade, some firms may even opt to close their own data centres and to move their core business systems to the cloud. The extent to which this will happen is as yet debatable. However, what is fairly certain is that by the time this year is out, the e-mail and office applications used in most businesses will be cloud based. With Office Web Apps now forming part of Office 2010, this is something that even Microsoft accepts. It is also pretty much certain that most new business applications – such as those involving augmented reality, visual search and online text and audio translation – will also be cloud based.
Simon Withers, strategy and development, cloud computing and managed services, SunGard Availability Services, points out that on-demand elastic technology allows organisations to shift operations based on capital expenditure to ones funded through operational expenditure. “In fact,” he enthuses, “with CIOs and IT departments under continuing pressure to reduce costs and increase efficiency, whilst continuing to grow, we investigated the relative cost of ownership of adopting SunGard’s Infrastructure-as-a-Service model and found that this can, on average, reduce a firm’s total IT running costs by between 35 and 55 per cent.
With larger enterprises eager to capitalise on the efficiency benefits the cloud can deliver through orchestration and automation but unwilling to risk the chance of compromising their data, the recent emergence of the private cloud has helped drive further adoption of this technology.
In the right hands, a private cloud is a highly controlled and customisable environment yet offers far greater flexibility to the organisation, often without the need to re-engineer an existing business computing model to fit it.
The majority of public cloud providers do not allow customers to audit them or to run virtual security checks such as penetration testing or vulnerability scanning. With a private cloud, by contrast, all compute resources in the operating environment tend to be dedicated to one business alone, which means that it is a highly controlled and customisable environment and can provide greater flexibility in the contract, the commitment and the understanding of the risks. Software and security, for instance, are configured to meet the organisation’s precise requirements rather than those of the general market.
With regards to the private cloud, there’s one thing to remember: security in the cloud is exactly the same as security in an on-premise or outsourced hosted environment and should be approached in the same way.
What future for the cloud in terms of standards/regulation? A major concern is the need for appropriate standards which address the portability of data into and out of a cloud. In essence, so that an organisation or end user does not suddenly find itself locked in to a cloud provider with nowhere to go, closer relationships and integration are required amongst the cloud providers, application providers and the organisations that utilise such resources and services, to support predicted growth.
Indeed, according to Peter Bauer, CEO and co-founder of cloud-based email management firm, Mimecast, “Gartner’s call for clearer communications adds to a growing clamour for greater regulation and scrutiny of the cloud computing services on the market. While the benefits of cloud services are well-known, the market is crowded and noisy and with no clearly defined industry standards and few SLAs in place, it is hard for customers to tell the difference between a cloud vendor with a properly architected delivery infrastructure and one that has patched it together and is using cloud as a ‘badge’.”
“It’s all about the desirability of emerging technology, and the increasing risks of these,” says Mike Osborne, managing director of ICM Continuity Services. “Cloud providers do get the fact that security is the biggest concern, and moving forward, the differentiator will be security.
“One of the first conversations you should have with a provider is how do you reverse out of a cloud if you want to, and very few people are yet talking about how you recover from the cloud.”
For now, there is nothing to say that companies need take an ‘all or nothing’ approach. Some firms may feel that some or part of their IT can be provided through the cloud, depending on the demand for the application or the value of the data.
Christopher Barnatt is associate professor of computing & future studies, Nottingham University Business School, and author of 'A Brief Guide to Cloud Computing'