11.full
Content
Downloaded from itnow.oxfordjournals.org at Pontif?cia Universidade Cat?lica do Rio Grande do Sul on February 8, 2011
INCLOUDS WE TRUST
If you are thinking about storing data online you need to ask yourself several questions as to where the data is stored, how it is protected and more, says Jim Damoulakis, CTO of GlassHouse Technologies.
Over the last year the concept of cloud computing has been widely discussed and businesses have started to explore the opportunities it can bring. Many have realised that giving a third party control of part of the IT infrastructure can help reduce capital expenditure and maximise asset utilisation to provide a quantitative return on investment (ROI). Cloud can also remove resourceconsuming administration from the IT department as network drives are mapped to the cloud for the business to access data, allowing IT staff to focus on strategic projects and optimising efficiency. However, when utilising cloud services, it’s important to assess the service options meticulously to ensure they benefit the business objectives. Fundamentally, for the cloud, the same key attributes as for any IT initiative need to be considered. However, two factors set cloud services apart, which mean closer scrutiny is warranted: the first is that cloud is a new concept and so longestablished, business-as-usual policies and processes associated with traditional IT initiatives will need to be modified to accommodate the cloud. Second, with public and other external cloud services, the reigns of control are in part handed over to another party, making it critical to fully understand the implications. A good starting point in evaluating any cloud service is to ask some key questions: Where is my data? While business data may logically reside in the cloud, it’s physically sitting on storage in one or more locations. This could be anywhere – even in another country. Find out which locations, as this has implications regarding both availability (is it residing in a single data centre situated in an area prone to extreme weather conditions?) as well as regulatory and legal matters (inadvertently storing sensitive information in a foreign country with conflicting governance rules). How is my data protected? This is a multifaceted question in that it encompasses areas such as availability
March 2010 ITNOW 11
doi:10.1093/itnow/bwq142 ©2010 The British Computer Society
DATA SHARING
Downloaded from itnow.oxfordjournals.org at Pontif?cia Universidade Cat?lica do Rio Grande do Sul on February 8, 2011
and recoverability as well as security. Let’s consider traditional data protection concerns; how is the data being protected against loss and corruption; is it mirrored, replicated, backed up or checksumed. Ideally, multiple copies of data are geographically distributed. Who can see or access my data? In the interest of efficiency and financial viability, most cloud services employ a multi-tenancy model, i.e. data resides with another company’s data often within the same database. It’s important to know how access and visibility is managed and recorded and what steps are in place to ensure security and confidentiality. This also extends to the personnel of the cloud service provider. What exactly can their administrators see or not see? Many cloud providers use co-location or hosting facilities, so there may in fact be a hierarchy of service providers with varying degrees of accessibility depending on the host services being provided. Additionally, it is important to understand capabilities relating to common concerns, such as intrusion detection, hacker attack or post attack containment. Is the business protected against security violations? One of the main concerns when moving to a cloud computing domain is whether proper security agreements are in place between you and the cloud computing provider and its third party service providers. For instance, how passwords are managed, assigned, protected and changed. It is important to gain information about third party suppliers that could access business data and ensure security agreements are in place
12 ITNOW March 2010
after proper due diligence to protect your business from any security violations. Is effective education about security requirements and measures in place? This includes increased awareness of the security policy and its contents. Lack of information about security policy, both internally and externally, is a recipe for disaster. It’s important to ensure that internally staff is properly trained on security policy and aware of their security responsibilities, and externally all security agreements are in place with the cloud service provider. The silver lining While there are certainly a number of questions to answer regarding data protection in the cloud, the news is not negative. For many who venture into the cloud, there are advantages and enhancements to data availability and protection. In an effort to allay the concerns discussed, some cloud service providers have instituted data security measures that may well exceed those currently available internally in organisations, particularly smaller ones. In areas such as network intrusion prevention, detection and access control, more mature policies and processes and better monitoring may be in place. Recently, data encryption technologies have started to emerge, which provide encrypted data access from client to cloud infrastructure. As time progresses the technologies and the methodology around these systems will harden. From a data availability and protection perspective, a cloud vendor that distributes data over multiple geographies may offer a step up in
disaster recovery and, in some situations, even improved user access response (consider geographically dispersed users accessing a distributed cloud service in comparison to data access through a slow link to corporate headquarters). It may even be the case that the cloud provider may be offering more robust data backup and it may be able to do so at a lower cost. Reporting and audit control security and data protection is another challenge in many organisations. A cloud provider, particularly if they offer comprehensive service level agreements (SLAs), may produce more complete data protection reporting easing some regulatory burdens. Utilising the cloud Many organisations have already deployed cloud-based applications via software as a service (SaaS) providers rather than hosting and managing it in-house. Others are taking advantage of cloud services at the middleware, server and storage services levels, and the multitude of offerings available range from those offering little or no security and protection features to others with high levels of data security (e.g. access control and encryption) as well as other forms of protection. An organisation considering cloud services should have a solid understanding of the service level attributes that it currently has with regard to data location, accessibility and availability. The key is to understand requirements and align the cloud service adopted appropriately so that the provider adheres to internally generated SLAs and improves efficiencies. For more articles go online to: www.bcs.org/articles
INCLOUDS WE TRUST
If you are thinking about storing data online you need to ask yourself several questions as to where the data is stored, how it is protected and more, says Jim Damoulakis, CTO of GlassHouse Technologies.
Over the last year the concept of cloud computing has been widely discussed and businesses have started to explore the opportunities it can bring. Many have realised that giving a third party control of part of the IT infrastructure can help reduce capital expenditure and maximise asset utilisation to provide a quantitative return on investment (ROI). Cloud can also remove resourceconsuming administration from the IT department as network drives are mapped to the cloud for the business to access data, allowing IT staff to focus on strategic projects and optimising efficiency. However, when utilising cloud services, it’s important to assess the service options meticulously to ensure they benefit the business objectives. Fundamentally, for the cloud, the same key attributes as for any IT initiative need to be considered. However, two factors set cloud services apart, which mean closer scrutiny is warranted: the first is that cloud is a new concept and so longestablished, business-as-usual policies and processes associated with traditional IT initiatives will need to be modified to accommodate the cloud. Second, with public and other external cloud services, the reigns of control are in part handed over to another party, making it critical to fully understand the implications. A good starting point in evaluating any cloud service is to ask some key questions: Where is my data? While business data may logically reside in the cloud, it’s physically sitting on storage in one or more locations. This could be anywhere – even in another country. Find out which locations, as this has implications regarding both availability (is it residing in a single data centre situated in an area prone to extreme weather conditions?) as well as regulatory and legal matters (inadvertently storing sensitive information in a foreign country with conflicting governance rules). How is my data protected? This is a multifaceted question in that it encompasses areas such as availability
March 2010 ITNOW 11
doi:10.1093/itnow/bwq142 ©2010 The British Computer Society
DATA SHARING
Downloaded from itnow.oxfordjournals.org at Pontif?cia Universidade Cat?lica do Rio Grande do Sul on February 8, 2011
and recoverability as well as security. Let’s consider traditional data protection concerns; how is the data being protected against loss and corruption; is it mirrored, replicated, backed up or checksumed. Ideally, multiple copies of data are geographically distributed. Who can see or access my data? In the interest of efficiency and financial viability, most cloud services employ a multi-tenancy model, i.e. data resides with another company’s data often within the same database. It’s important to know how access and visibility is managed and recorded and what steps are in place to ensure security and confidentiality. This also extends to the personnel of the cloud service provider. What exactly can their administrators see or not see? Many cloud providers use co-location or hosting facilities, so there may in fact be a hierarchy of service providers with varying degrees of accessibility depending on the host services being provided. Additionally, it is important to understand capabilities relating to common concerns, such as intrusion detection, hacker attack or post attack containment. Is the business protected against security violations? One of the main concerns when moving to a cloud computing domain is whether proper security agreements are in place between you and the cloud computing provider and its third party service providers. For instance, how passwords are managed, assigned, protected and changed. It is important to gain information about third party suppliers that could access business data and ensure security agreements are in place
12 ITNOW March 2010
after proper due diligence to protect your business from any security violations. Is effective education about security requirements and measures in place? This includes increased awareness of the security policy and its contents. Lack of information about security policy, both internally and externally, is a recipe for disaster. It’s important to ensure that internally staff is properly trained on security policy and aware of their security responsibilities, and externally all security agreements are in place with the cloud service provider. The silver lining While there are certainly a number of questions to answer regarding data protection in the cloud, the news is not negative. For many who venture into the cloud, there are advantages and enhancements to data availability and protection. In an effort to allay the concerns discussed, some cloud service providers have instituted data security measures that may well exceed those currently available internally in organisations, particularly smaller ones. In areas such as network intrusion prevention, detection and access control, more mature policies and processes and better monitoring may be in place. Recently, data encryption technologies have started to emerge, which provide encrypted data access from client to cloud infrastructure. As time progresses the technologies and the methodology around these systems will harden. From a data availability and protection perspective, a cloud vendor that distributes data over multiple geographies may offer a step up in
disaster recovery and, in some situations, even improved user access response (consider geographically dispersed users accessing a distributed cloud service in comparison to data access through a slow link to corporate headquarters). It may even be the case that the cloud provider may be offering more robust data backup and it may be able to do so at a lower cost. Reporting and audit control security and data protection is another challenge in many organisations. A cloud provider, particularly if they offer comprehensive service level agreements (SLAs), may produce more complete data protection reporting easing some regulatory burdens. Utilising the cloud Many organisations have already deployed cloud-based applications via software as a service (SaaS) providers rather than hosting and managing it in-house. Others are taking advantage of cloud services at the middleware, server and storage services levels, and the multitude of offerings available range from those offering little or no security and protection features to others with high levels of data security (e.g. access control and encryption) as well as other forms of protection. An organisation considering cloud services should have a solid understanding of the service level attributes that it currently has with regard to data location, accessibility and availability. The key is to understand requirements and align the cloud service adopted appropriately so that the provider adheres to internally generated SLAs and improves efficiencies. For more articles go online to: www.bcs.org/articles
Sponsor Documents
Recommended
No recommend documents