Subscribe
About

Not my problem

Companies looking for a piece of the cloud computing action must avoid some costly errors.

Perry Hutton
By Perry Hutton, regional director of Fortinet for Africa.
Johannesburg, 07 Jun 2013

This year, cloud computing is definitely poised to gain importance among enterprises. CIOs are now convinced that when properly implemented, cloud computing can dramatically improve the firm's agility and productivity, while cutting infrastructure cost.

Companies large and small will move significant parts of their operations to the cloud in the next year or two.

While every organisation wants a piece of the cloud action, not all of them will get the results they desire.

Here are the top five mistakes to avoid:

1. Not opting for the right cloud model

Companies moving to the cloud can choose from public clouds, private clouds, community clouds or hybrid clouds.

* Public cloud: this is owned by a cloud provider and made available to the general public on a multi-tenant, pay-as-you-use basis.
* Private cloud: this is owned and deployed by an organisation for internal use as a single tenant.
* Community cloud: this is co-operatively shared by a set of tenants, often from the same industry.
* Hybrid cloud: this spans the cloud deployment models listed above, enabling applications and data to move easily from one cloud to the other.

Each type of cloud deployment offers its advantages. The factors to consider before adoption are the business criticality of the applications the firm wants to move to the cloud, regulatory issues, necessary service levels, usage patterns for the workloads, and how integrated the application must be with other enterprise functions.

2. Not integrating cloud security into the corporate security policy

Cloud security and corporate security policies must be integrated. Instead of creating a new security policy for the cloud, companies must extend their existing security policies to accommodate this additional platform. To modify policies for the cloud, consider similar factors: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

When properly done, adoption of cloud computing can be an opportunity to improve a company's security policies and overall security posture.

3. Counting on the security of the cloud-based service provider

Do not assume company data is automatically secure just because a service provider is being used. A comprehensive review of the provider's security technology and processes must be done to check how they secure the company's data and their infrastructure. Specifically, look into the following:

Never think that outsourcing applications or systems means responsibility for a data breach can be abdicated.

* Application and data transportability: does the provider allow companies to export existing applications, data and processes into the cloud? Can the companies import these back just as easily?
* Data centre physical security: how does the service provider protect its physical data centres? Is it using SAS 70 Type II data centres, and how well trained and skilled are its data centre operators?
* Access and operations security: how does the provider control access to physical machines? Who is able to access these machines, and how are the machines managed?
* Virtual data centre security: cloud architecture is key to efficiency. Find out how the individual pieces, like the compute nodes, network nodes and storage nodes, are architected, and how they are integrated and secured.
* Application and data security: to implement company policies, the cloud solution must enable the company to define groups, roles with granular role-based access control, proper password policies and data encryption (in transit and at rest).

4. Assuming the company is no longer responsible for securing data

Never think that outsourcing applications or systems means responsibility for a data breach can be abdicated. Some SMEs have this misconception, but understand that a company is still ultimately accountable to customers and other stakeholders for the sanctity of its data.

5. Not knowing which local laws apply

Data that is secure in one country may not be secure in another. In many cases, though, users of cloud services don't know where their information is held. Currently in the process of harmonising the data laws of its member states, the European Union favours strict protection of privacy. In America, laws such as the US Patriot Act give government and other agencies virtually unlimited power to access information belonging to companies.

Always know where the company's data is held. If necessary, store this data in more than one location. It is advisable to choose a jurisdiction where the company will still have access to its data, should the contract with the cloud provider be unexpectedly terminated. The service provider should also be able to provide flexibility on where the company wants its data to be held.

The bottom line is that the adoption of cloud technology must come with risk mitigations steps, and firms are well served to plan for and act on these steps from the outset, so returns on their cloud investments can be maximised.

Share