Stuart Hargreaves (Spambrella) - Cloud Services, Benefits & Risk

What is cloud computing?

Cloud computing is a general term for anything that involves delivering hosted services over the Internet. These services are broadly divided into three categories:

  1. Infrastructure-as-a-Service (IaaS)
  2. Platform-as-a-Service (PaaS)
  3. Software-as-a-Service (SaaS)

What is cloud computing addressing?

Justification and reasoning differ within each industry, but the trend has shown that businesses wish to outsource the maintenance obligation of internal infrastructure such as servers and applications. Cloud outsourcing enables systems to be scaled on demand whilst also ensuring businesses pay only for the storage or resources they use.

Business continuity can be addressed with the ability to access data from anywhere with an internet connection. Many vendors can now guarantee 100% uptime for email communications and filtering as well as access to archived storage. Cloud enables smaller businesses to access enterprise-class technologies they previously could not afford to buy and/or maintain.

Is cloud computing the key to the future of IT?

It is widely reported that cloud computing is key to the future of the technological world. The term ‘cloud computing’ is like a mother ship term for a number of different trends. Each of these trends depends upon the internet to provide businesses with simplified options to use computers and extend their capabilities.

Vendor claims are strong and often report radical differences between the various forms of cloud computing. In any growth industry there is a tussle for market dominance and some vendors offer more benefits than others. To truly understand the benefits of cloud computing, education is paramount; assessing the value of those benefits to your purpose should then be a simple process. Many vendors offer a variable list of flavours to address sector-specific business requirements, enabling them to best replicate requirements outside of on-premise infrastructure.

What is utility computing and capacity management?

Utility computing and capacity management play a critical part in ensuring that the business is getting the performance and functionality it needs from its resources. They ensure that the infrastructure resources required to conduct everyday business are available and that just enough money is being spent to provide them. Cloud computing, virtualisation, and other innovations are revolutionising utility computing. Businesses do not generate their own energy supply; it is bought in from an external source, and arguably essential technology services can also be managed and resourced better externally.

The overlap of understanding

It is very important to note that there is a considerable overlap of definition between SaaS, PaaS and IaaS. With the evolving vendor service name changes of those 'baby ships', definitions are continually mistranslated. In fact, many cloud services may be listed or categorised into any of the three depending on who is making the categorisation. Research has shown that developers, system administrators or IT managers will apply IaaS, PaaS and SaaS directly to themselves and their responsibilities whilst also addressing the business.

Key challenges of cloud adoption

  • Efficiency of service provisioning
  • Effectiveness of service usage and control
  • Service delivery and billing – transparency
  • Information security
  • Data privacy
  • Ability to integrate with on-premise infrastructure
  • Data portability – between cloud providers
  • Compliance

Justifying your organisation's cloud adoption

Cloud services are being advertised to a variety of market verticals in today's business environment. Some have called cloud a visionary adoption, whereas others look to the economics of change and business impact. Then there are those who regard it as a trend required to enhance their company's position against competition.

Adopting a cloud environment to any extent should make sense for your business from both a financial and operational perspective. In order to achieve this, a business must not only be knowledgeable in the benefits of cloud services but must also know exactly what can be migrated to the cloud and what should not. Knowing exactly what resources make sense to move to the cloud justifies the effort of migrating.

The key advantages of cloud adoption

As previously mentioned, there are varying degrees of optimisation for a business's software and systems. The below advantages are inherent:

  • Reduced capital investment – Hardware such as servers and infrastructure
  • Reduction in software costs
  • Personnel with less responsibility
  • System maintenance overheads reduced
  • Flexible with respect to system configuration
  • Scalability in size and speed of your system
  • Global access and 24/7 uptime for DR and BCP
  • Security and control

Offset responsibility and reduce operational costs

Many leading email and web filtering companies such as MessageLabs, Spambrella and Websense enable re-routed services for outsourced cloud filtering management. With many IT departments low on staff, the offset of responsibility through a service level agreement is welcomed with open arms and enables businesses to concentrate on core duties.

Cloud adoption delivers unparalleled advantages to businesses of all sizes. Recent economic times have halved the head count of many IT departments and added burden through workload, training and responsibility. The cloud enables businesses to reduce costs, both in terms of initial outlay ‘capital expenditure’ and on-going operational costs ‘operational expenditure’ such as IT resource and energy.

What is software-as-a-service (SaaS)?

Software as a service (SaaS) is a software delivery model in which software and associated data are centrally hosted within a cloud environment. SaaS is accessed by users using a thin client via the internet.

SaaS has become a common delivery method for many business applications, including accounting, customer relationship management (CRM systems), enterprise resource planning (ERP), content management (CM), human resource management (HRM), financial control and service desk management.

The Gartner Group estimated that SaaS sales in 2010 reached $10 billion, and were to increase to $12.1bn in 2011, up 20.7% from 2010. Gartner Group also estimates that SaaS revenue will be more than double its 2010 numbers by 2015 and reach a projected $21.3bn.

Customer relationship management (CRM) is the main growth market for SaaS, with the market forecast to reach $4.2bn (£2.6bn) in 2013.

Are there legal and compliance complications?

Outsourcing to the cloud for data processing and storage has inherent advantages, but ensuring regulatory compliance is not as simple. Businesses adopting the cloud are responsible for auditing data and require assurances that the data stays in compliance. Taking full responsibility for data access and how data is stored at a remote site 'in the cloud' will again vary from one business's regulatory requirements to another's. In this instance there is no 'one size fits all'; however, many leading outsource partners are evolving to accommodate.

For a long time organisations have arguably tightened policy bolts prior to an impending audit. This in some cases was too tight for the business to operate efficiently and once the audit had passed, the bolts were once again relaxed. This causes a continual wave of compliance followed by non-compliance and so on.

Software such as ‘user activity monitoring’ has been developed to counter the cloud ‘third party’ uncertainty. Data centres are in some instances able to assure full audit of access to any architecture within your adopted cloud. Those third parties that have had the most success have implemented software that acts like a security camera on your servers. Capturing video and text recordings of every user action also assists in satisfying PCI, HIPAA, ISO 27001 and SOX security compliance requirements.

What are the risks of cloud computing?

It is general knowledge that businesses rely on the internet and its information systems. The dependency is comparable to a human's reliance upon the nervous system, and it is better understood when an information system fails to carry out its principal function, hindering critical functions and processes. Each business adopting cloud services is different due to the nature of its infrastructure, internal staff skill sets and capacity, the type of reliance the business has on the internet and the cloud deployment model it is considering.

Key risks to justify prior to cloud adoption are defined from a strategic perspective. The following questions should be asked…

Will cloud reduce governance?

The key driver of cloud adoption over the traditional data center model is the ease of engagement and supply. The cloud offers services more quickly than an on-premise IT model due to its automation and flexibility. Businesses are able to engage and adopt hosted services without going through the regular procurement processes. These IT purchases are usually operational rather than capital and are becoming difficult to track. Businesses operating in such a fashion are at risk of adopting restrictive contracts, loss of data ownership and potential technology lock downs.

Businesses should consider classifying cloud adoption as high or critical risk and establish audit controls to manage the service level agreements. When considering cloud adoption, additional controls and monitoring systems will need to be in place especially if your business is regulated.

Will data location compromise my business?

Providers of cloud services generally have many geographic data center locations. The principal design guarantees redundancy and uptime and improves SLA requirements. By distributing cloud services across multiple locations, providers greatly reduce the risk of localised events affecting their services.

Most businesses do not require overseas or geographic levels of redundancy, but providers may be utilising availability for storage and backup. This is a growing concern for governance officers in understanding business data flow and should be regarded as high risk.

Some European countries place set restrictions on data, which cannot be sent outside of the border. There have been many cases whereby governmental agencies have captured entire data stores for investigation.

Who owns the data?

Businesses should ensure they are not signing a standard contract which puts aside their rights of ownership to the data that is moving to the cloud. Cloud service providers are simply custodians of data and an organisation should be able to modify the contract if required.

Have we increased the business attack surface?

The virtualisation technologies that have created the cloud operate between the operating systems and the hardware they reside on. Cloud service providers use a wide selection of software tools to monitor, manage and automate their infrastructure.

Virtualised environments appear simple but are complex, and the task of managing vulnerabilities grows as these new classes of software are introduced into the IT environment. Traditional software vulnerabilities in IT systems expose a single organisation or system, whereas vulnerabilities in cloud software could expose multiple businesses or systems.

Businesses should question a cloud provider's ability and approach to address zero-day exploits. Patching known vulnerabilities and management of cloud infrastructure is of paramount importance. Aside from zero-day exploits, distributed denial of service (DDoS) attacks have grown in popularity with organised cybercrime groups such as Anonymous. A DDoS attack attempts to overload a machine or network resource, rendering it unavailable. Those approaching cloud providers must make sure that behavioural ‘intelligent’ technology is in place to counter this level of attack. Cloud providers should also be able to validate the presence of security testing in their system development life cycle on pre-defined dates.

Who is accountable?

Cloud services can be outsourced but you cannot outsource accountability.
