We re-posted the story on the definition of the “cloud” so we could take a deeper look at where it has come in the last two years and how it has changed. Our parent company, NetHawk Interactive, Inc., has used the cloud for its CRM files and we park our mail servers at our IT provider’s location so they can watch it. If Google had gotten their act together and provided a suitable Office suite along with a domain nest, we might have dumped our too-long relationship with Microsoft. No joke. Our reasoning back in the late nineties was that as a marketing company, maintaining an in-house IT staff was essential if we wanted to build a network that would scale. In those days, we still weren’t sure which way the wind would blow and we thought we were buying innovation in the process. That proved to be nonsense, as our IT staff became entrenched and we were not able to separate the innovations and their expenses from the status quo. We soon quit trying to build a formidable online automated service and got back to what we know best: finding sales leads for IT companies.
So while the mid-nineties represented a time when owning racks of servers was some sort of status symbol, today all that iron is an albatross around the necks of many small and medium-sized companies. The cloud as it is now framed is not new or different. The only real difference is the security situation and the techniques used to manage the wide area network we call home. With our team scattered around the world, that demands enough of our bandwidth.
So now the decisions for companies to make are inundated with fear and loathing on the way to the cloud and its accoutrements. As Dr. Alastair MacWillson, the global managing director of Accenture’s global security practice, puts it, “It’s certainly justified for an organization to worry about theft, loss or legal noncompliance.”
The good doctor lists five major points for us to address when assessing the situation:
1. Know your appetite for privacy and security risk.
2. Expect to share responsibility.
3. Demand transparency and accountability from cloud providers.
4. Use the cloud to address identity and access management issues.
5. Architect solutions that address the risk.
The first point is dynamic and changing as fast as the markets, and, as MacWillson points out, much faster than legislation on things like privacy and compliance. For us it was simple, since the IT provider that now manages our data and our iron is the same as we used when we had all our racks on premises. He also mentions the Common Assurance Maturity Model (CAMM), and the introductory video below explains how you might use these services to help ascertain that you are covering your data correctly.
Second, he reminds us that we will have to share responsibilities, which is not really new but a bit different from managing on-premises servers.
Does Your Cloud Have a Silver Lining?
“It is critical to clarify the roles of the data owner and cloud provider (and systems integrator, if applicable) in delivering legally compliant solutions. While the law doesn’t state any clear division of labor as long as certain things get done, many data owners and cloud providers have misconceptions about their responsibilities.”
In his third point, he provides a template for how to negotiate your requirements, and I strongly urge those considering moving their data to a third party to meticulously follow these points. Questioning cloud providers requires a variety of checklists and an open framework with which to ensure your risks are managed correctly. If you are not comfortable, there are many consultants versed in these situations and you should consider having someone experienced make sure you are covered.
Number four is about identity issues, which you must look at carefully before you make any decisions. In a recent post, we discussed the intrusions and options. Review that post for a more fluid approach to assessing your options. There are some, like phone IDs, but those have other challenges. If the secure IDs are replaced, this may drive it. Stay tuned on that one.
Number five is a bit of a mystery to this writer because I am really not sure how any of the architected choices are any different. If Google is as vulnerable to the threats as they seem to be, if Amazon hasn’t got all of this wired, then I would say smaller vendors, like Lan Logic, which we use, are on an equal par. Check it out and let us know what you learn, what questions you are not able to find answers to and what advice you would like to share with others going through the same painstaking analysis.