Evaluating the Cloud-Based Services Option Part II

Wednesday, July 06, 2011

Mike Meikle


(This article is part two of a two-part series on Cloud Computing and its usage by companies located in Richmond, Virginia)

A question that was fielded by the panel was what is the process when organization decides to switch between cloud providers.  

Mark Eichenberger of Microsoft responded by saying if a customer in the Public Cloud space decides to switch providers Microsoft will send the data to the customer.  If the customer is on a Private Cloud, the data is sent to the customer and the drives that were used to store the data are shredded.

All the panelists agreed that both the provider and consumer of the Cloud service should plan their exit strategy on the front end of the Cloud services agreement.  How the data will be transferred and the contract terminated must be agreed to up front to ensure that expectations are set and understood by all parties before the cloud service commences.

Jason Carnes of VMWare stated that Cloud consumers should ensure that they avoid “vendor lock-in” to a specific cloud service.  VMWare attempts to avoid this issue by only working (co-branding) with cloud vendors that meet VMWare’s support framework.

As for moving information from Cloud Provider A to Cloud Provider B, there are no standards or agreements in place amongst the big cloud players.  There are are specific instances where a cloud consumer can engage a web services firm to move their data from one cloud provider to another, but this is a case-by-case basis.  

Mark Eichenburger stated that a standard protocol amongst cloud providers will be a long way off.  As an example of lengthy industry standard development efforts, HTML5 has been in development for over a decade and is only now moving toward agreement and implementation.

The next topic posed to the panelists was the security of the Cloud.  Mr. Eichenberger stated that this is one of the first topics that a customer talks to Microsoft about as they look to move toward the Cloud.  It is Microsoft’s strategy to assuage a potential customer’s security concerns before they move deeper into developing a solution.  If the client still expresses significant discomfort at the thought of their data in the Cloud, Microsoft will not pursue the relationship.

Mr. Lowland of MeadWestVaco stated that Identity Management for users would address some of the security concerns that Cloud consumers would have, but the technology still has a long way to go.  This applies to the Cloud due to the issue of identifying what users are accessing specific data and if that access or modification can be validated.  Currently users identify themselves via an ID and password.  However this information can be comprised and in most organizations does not drill down to the data level.

To address some organizational security and risk concerns, those firms seeking a Cloud provider should weigh the benefits of using a provider who is compliant with a recognized audit or security standard, stated Jason Carnes of VMWare.  This audit standards include SAS 70, ISO/IEC27001, PCI DSS, etc.  However, if a Cloud provider is compliant with one of these standards, it potentially could be an extra cost to utilize those compliant services.

Both Mr. Loveland and Eichenberger discussed the ramifications on provider and customer in the event of a data breach.   Basically, if the consumer of the Cloud service was the party at fault for the data breach, they are held responsible.  The same standard is applied to the Cloud provider.  Both customer and provider should ensure that data breach clauses are discussed and agreed upon during the procurement process.

Organizations will have to determine what their most important data is stated Mr. Loveland.  Normally 20 percent of a businesses data is considered the “crown frakels” and should be heavily protected and potentially not placed into the Cloud environment.  For example, Chris Burroughs of Mondial stated that her organization does not place credit card data in the cloud due to potential security risks.

Risk Management and tolerance becomes a key factor in determining if a Cloud solution is a viable choice for the organization.  Mr. Lowland stated that the business will have to weigh the risk of moving a service or application to the Cloud with the potential for additional profit or cost savings. 

For example if the organization identifies a moderate breach risk if certain data is moved into the Cloud with a potential to gain significant profit, risk management will have to educate the executives to this risk and ensure they understand the ramifications of their decision.

Mr. Eichenberger added that certain industries do not fit into the Cloud model yet.  These include the Department of Defense, Financial and Utilities due to the regulatory and security concerns those areas face.

The topic of vendor management and how Cloud providers differ than other service providers was raised.  Chuck McBride of Tredegar Film Products stated that the internal IT team now has the responsibility of daily interacting with the Cloud provider. 

This responsibility now takes the place of previously managing the internal application or platform.  Mark Eichenberger of Microsoft echoed his thoughts and added that internal staff can now re-focus their time to addressing customer-focused solutions instead of running the actual platforms or applications.

The panelists were asked what were some of the best candidates for Cloud computing.  Mr. Eichenberger stated that email, customer relationship management or other commodity applications are excellent candidates for Cloud services.  Legacy applications that are based on older technologies were not good fit for the cloud he added.

Bandwidth costs will have to be factored into the total cost of pursing a Cloud Computing solution (how many users and how much data).  Jason Carnes stated that in some cases bandwidth costs will drop due to files being edited in the Cloud and not downloaded and uploaded locally.  

As an example, he mentioned that email spam will be left in the Cloud and not dragged into the corporate network.  Also, remote workers will no longer be directly accessing the corporate WAN to access their files, reducing the bandwidth requirements.  However, network latency may effect the performance of other applications and must be factored into the decision making process for pursuing a Cloud strategy for a certain platform.

The final query to the panel was where do they see the current Cloud market.  Mr. McBride stated that Cloud Computing is still in its infancy, with a lot of room to grow.  Cloud services will allow employees to increasingly collaborate and test the limits of the technology which will drive new products and services.

Jason Carnes added that Cloud Computing is still near the top of the “Hype Cycle” and has a long road ahead of it as the vendors, technology and standards shake out over the coming years.  Mr. Eichnberger concluded the panel saying that if an organization does not provide a specific service that is conducive to doing business, your employees will find a public service that fills their need.

I’d like to hear your thoughts on the article, so please feel free to submit your comments below!

Cross-posted from Musings of a Corproate Consigliere

Possibly Related Articles:
Cloud Security
Service Provider
Cloud Security Risk Management ROI Vendor Management Managed Services Data Center
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.