and recoverability as well as security. Let’s consider traditional data protection concerns: how is the data being protected against loss and corruption? Is it mirrored, replicated, backed up or checksummed? Ideally, multiple copies of data are geographically distributed.

Who can see or access my data?

In the interest of efficiency and financial viability, most cloud services employ a multi-tenancy model, i.e. data resides with another company’s data, often within the same database. It’s important to know how access and visibility are managed and recorded and what steps are in place to ensure security and confidentiality. This also extends to the personnel of the cloud service provider. What exactly can their administrators see or not see? Many cloud providers use co-location or hosting facilities, so there may in fact be a hierarchy of service providers with varying degrees of accessibility depending on the host services being provided. Additionally, it is important to understand capabilities relating to common concerns, such as intrusion detection, hacker attack or post-attack containment.

Is the business protected against security violations?

One of the main concerns when moving to a cloud computing domain is whether proper security agreements are in place between you and the cloud computing provider and its third party service providers. For instance, ask how passwords are managed, assigned, protected and changed. It is important to gain information about third party suppliers that could access business data and ensure security agreements are in place
12 ITNOW March 2010
after proper due diligence to protect your business from any security violations.

Is effective education about security requirements and measures in place?

This includes increased awareness of the security policy and its contents. Lack of information about security policy, both internally and externally, is a recipe for disaster. It’s important to ensure that, internally, staff are properly trained on security policy and aware of their security responsibilities, and that, externally, all security agreements are in place with the cloud service provider.

The silver lining

While there are certainly a number of questions to answer regarding data protection in the cloud, the news is not negative. For many who venture into the cloud, there are advantages and enhancements to data availability and protection. In an effort to allay the concerns discussed, some cloud service providers have instituted data security measures that may well exceed those currently available internally in organisations, particularly smaller ones. In areas such as network intrusion prevention, detection and access control, more mature policies and processes and better monitoring may be in place. Recently, data encryption technologies have started to emerge, which provide encrypted data access from client to cloud infrastructure. As time progresses, the technologies and the methodology around these systems will harden. From a data availability and protection perspective, a cloud vendor that distributes data over multiple geographies may offer a step up in
disaster recovery and, in some situations, even improved user access response (consider geographically dispersed users accessing a distributed cloud service in comparison to data access through a slow link to corporate headquarters). The cloud provider may even offer more robust data backup, and may be able to do so at a lower cost. Reporting and audit control for security and data protection is another challenge in many organisations. A cloud provider, particularly if they offer comprehensive service level agreements (SLAs), may produce more complete data protection reporting, easing some regulatory burdens.

Utilising the cloud

Many organisations have already deployed cloud-based applications via software as a service (SaaS) providers rather than hosting and managing them in-house. Others are taking advantage of cloud services at the middleware, server and storage services levels, and the multitude of offerings available range from those offering little or no security and protection features to others with high levels of data security (e.g. access control and encryption) as well as other forms of protection. An organisation considering cloud services should have a solid understanding of the service level attributes that it currently has with regard to data location, accessibility and availability. The key is to understand requirements and align the cloud service adopted appropriately so that the provider adheres to internally generated SLAs and improves efficiencies.