It's all over your TV: Commercials with soft music and puffy white clouds floating by. All the while, a reassuring voice commands you: Go and do your business on the cloud. Its seductive siren song has even convinced the Obama administration to invest heavily in bringing cloud computing to its governmental processing centers.
Cloud computing, a process that allows companies to store data and applications on remote servers (often involving third-party companies), is an alluring proposition. It removes the burden of server maintenance from your information technology (IT) department. It saves money because you pay only for the services you need. It encourages collaboration and cooperation between different company divisions. In short, cloud computing, in the abstract, is as idyllic as the commercials imply.
But it's not as simple as saying you're going to do it and then just doing it. Moving your data to the cloud is an IT-heavy process, and during the migration it's critical that your IT team take the lead. It will be up to them to make sure there are safeguards in place -- on your end and on that of your vendor -- so that your data and applications remain safely in your hands.
"It's the major question," Van Ommeren says. "How can I be sure my data will be as safe on the cloud as it was when I was running my own database in-house?"
Barmak Meftah, chief products officer for Hewlett-Packard Fortify, says that problems with security on the cloud are more perception than reality. "Most cloud computing providers are doing a good job of protecting your information once it's in their possession," he adds.
Your data should be heavily encrypted to avoid accidental security breaches, no matter who is handling your data on the cloud, says Graham Speake, principal systems architect for Yokogawa IA Global Marketing Center. He also urges manufacturers to ensure the workers who are accessing information on the cloud have strong password protection.
"Security on the front portal needs to be tough," Speake says. "What a lot of people forget, too, is that when you make changes to the software -- upload a Microsoft patch, for example -- you have to recheck your security. It's not a set-it-up-and-forget-it system."
Dennis Hurst, chairman of the Cloud Security Alliance's education committee, says companies should ask the following questions about their cloud computing supplier:
- Are their security protocols as tight as yours?
- Is security addressed in the service-level agreement (SLA)? (Hint: If it's not, it should be.)
- Who owns the data, and how can you get your data back should you decide to terminate the contract?
- What happens to your data if the company shuts down for any reason? What happens to your data if the company goes out of business?
"Get your IT security people involved early," Hurst says. "They're the experts, and they'll be able to walk you through just how secure your data is on the cloud."
In addition to getting the IT people in early, Van Ommeren says companies should get their lawyers involved as well. "If the legal team is going to say 'no' to an agreement, it's much better that they do it early in the process," he adds.
Harold Moss, chief technical officer of Cloud Security Strategy at IBM Security Solutions, says another question manufacturers should ask is whether or not the SLA provides for backing up the data. When most people see the word "backup," they assume it means the data. Sometimes, they are sorely disappointed.
"Usually, what most cloud computing companies mean by backup is their infrastructure," Moss says. "They're not necessarily backing up your data. If you expect them to do so, spell it out in the SLA."
The most serious security concern, according to Meftah, is at the application level. He says companies can't just load their applications onto the cloud without first ensuring on their end that they are secure.
"If you don't test your applications, find the holes and fix them, you're going to end up with problems," Meftah says. "You can't expect your cloud computing provider to sprinkle pixie dust on your applications and make them secure. It's up to you to make them secure first."
Ultimately, experts say it's a collaborative effort between the manufacturer and its cloud provider that will determine how safe the information is.
"Just remember, no security system is completely foolproof," Speake says. "All you can do is make sure that you and the company you're working with take all the precautions you possibly can while you're doing business up in the cloud."