Security

You cannot throw a stick in any direction without hitting a cloud-based application or service. The many offerings from so many vendors blur the lines differentiating vendors and, ultimately, responsibilities.

Consumers appear to be the most trusting, and from recent experiences, embrace cloud providers willingly and without much investigation. Sadly, consumers have as much to lose as any corporation, yet due to the ubiquitous nature of consumer clouds, they continually fail to take responsibility for their own protection.

While that statement sounds like a condemnation of the consumer, it really shows how immature the entry-level cloud can be for this user community. The blind optimism that many consumers have about data protection and access credentialing seems to be a holdover from the good old days when clear-text transmission of financial and PII (Personally Identifiable Information) data was commonplace and accepted. Sadly, cost is normally the key factor when consumers search for providers, with a secondary selection factor based on features provided, disregarding several crucial elements. The real selection criteria for consumers as well as enterprises should be security first, accessibility second, followed by the appropriate focus on features and cost.

Before you dismiss this introduction as a setup for a consumer-focused article, allow me to allay your fears. I am merely setting a foundation for the need to change attitudes about how we view and use the cloud. Sometimes bad habits learned from being consumers influence our business decisions, often with disastrous results. Complacency is too common and is not our friend.

The “cloud” is touted as offering many models: software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS), with definitions based on NIST Special Publication 800-145. Deployment can be further designated private cloud, public cloud, hybrid cloud, or newer, finer-grained categories such as community cloud, distributed cloud, intercloud and multicloud.

One of the thorniest issues with cloud implementations has been the diverse culture surrounding duties and responsibilities. This has become a hot topic and a subject of great disappointment for many customers. Sadly, the cloud is not a panacea for all applications. The same issues pertaining to duties, responsibilities and implementations faced with traditional data centers still exist. Yet there appears to be an overwhelming urge to move everything to the cloud regardless of value. The promise of major cost savings by various cloud providers has driven the business model to a frenzy of outsourcing activity, but motivations may be skewed by hype and hard-to-quantify promises.

Have you developed a business justification for moving to a cloud? Have you looked at all costs as well as duties and responsibilities? Absolutely nothing is for free; not in life, and most certainly not within the cloud!

Rule Number 1: If you put data into the cloud, you must ensure it is secure and protected from unauthorized access and alteration. No matter how you look at it, this requirement is the one that has so many large corporations up against the ropes. The news media is awash in stories of stolen data (Target, Benesse Holdings Inc., Neiman Marcus, P.F. Chang’s, eBay, etc.), yet we within the IT community continue to resist the solution: encryption of all data in flight and at rest. The issue has always been the cost of such an implementation, but what of the cost of failing to protect data? Unfortunately, this affects both the enterprise and the consumer; a double whammy with worldwide implications.

Several large corporations and federal agencies have jumped on the cloud bandwagon by outsourcing common applications such as email. Their thinking is that by moving this type of standardized function to a bulk service provider, costs will be significantly lower. Email in the cloud offers several compelling benefits such as availability (always accessible from anywhere), elastic data storage (it can grow as required; i.e., the more you use, the more you pay) and offloading operational duties.

If you are bad at managing your internal IT infrastructure, the cloud may offer some respite from the inability to protect your own assets. Just ask the IRS about email retention and recoverability. They were arguably incapable of managing email internally, so perhaps the cloud would have been a better implementation, albeit with caveats.
