Cloud Computing: Making the Right Choices

Apr 15, 2009, 7 mins
Business Continuity, Data and Information Security, IT Leadership

Cloud computing is getting a lot of press these days, including excessive FUD. However, selecting a cloud solution for critical business applications is an exercise in educating yourself, asking the right questions, and making an informed decision. In other words, deciding whether to use a cloud solution and which vendor to use is no different than any other decision we make every day.

What is Cloud Computing?

Before we jump into how, it’s important to understand what. What is meant when someone talks about cloud computing? Since there are various definitions, perceptions really, of what cloud computing is, I want to make sure we’re all speaking the same language.

First, the term cloud refers to the Internet as typically represented by a cloud in network diagrams. It includes the infrastructure and applications available for use by subscribing organizations. It’s like a black box. An organization connects and drives critical business processes using applications and infrastructure it doesn’t see or manage. Data is input and data comes out. The rest is the vendor’s responsibility.

So we have part of the cloud computing definition. One article I read described cloud computing as client-server computing, but with the servers in the cloud. But, using cloud services to run your business involves more than just transitioning responsibility for system management to a third party.

The definition I like best is provided in the Open Cloud Manifesto. 

“The key characteristics of the cloud are the ability to scale and provision computing power dynamically in a cost efficient way and the ability of the consumer (end user, organization, or IT staff) to make the most of that power without having to manage the underlying complexity of the technology. The cloud architecture itself can be private (hosted within an organization’s firewall) or public (hosted on the Internet).”

Source: Open Cloud Manifesto, 2009

Benefits of Cloud Computing

If there were no business benefits to cloud computing, there would be no reason to change the way we do things today: standing up a new set of infrastructure and servers for every new solution, then monitoring and maintaining it while hoping we sized the hardware correctly for peak loads. However, there are several benefits to cloud computing which promise to make our lives easier from both performance and continuity perspectives.

· Scalability. Cloud vendors have the ability to scale up processing capacity when necessary, while scaling back during periods of normal usage. This capability is cost prohibitive in most in-house datacenters.

· Continuity. Cloud infrastructure is typically designed to provide redundancy. Depending on the agreement between your organization and the cloud services vendor, this might translate into near 100 percent up time.

· Cost. The cost of contracting with a third party to manage a critical system is typically lower than doing it yourself. General hardware and software maintenance, including upgrades and patching, is handled in the cloud, releasing your software, network and server engineers to perform other tasks. Further, maintaining redundant systems and scalable environments is easier for a cloud vendor. The vendor can have on hand processing potential it can apply to the customer needing it at the moment, thereby sharing costs across multiple organizations. Finally, the cost of developing and maintaining the application is also distributed across multiple customers, relieving you of the total burden.

· Minimizing startup costs. Startups often don’t have the working capital necessary to set up and operate an in-house data center. Outsourcing this capability reduces cost and allows adjustments for potential capacity planning misses.

This is a good list of benefits, and I’m sure many of you can think of more. So what’s the problem? 

Cloud Computing Challenges and Considerations

Contrary to what some bloggers and other journalists have written, cloud computing challenges are not insurmountable, nor should they stop you from using a vendor managed service if appropriate. Here is a list of things to consider when evaluating a cloud computing supplier:

· Changes to developer role. Before cloud computing, the developer wrote code and then let someone else support it. In the new model, the developer is responsible not only for writing the code but usually also for responding to customer support issues. He or she is also responsible for working with infrastructure providers–if the software vendor doesn’t also host the hardware–to ensure proper performance and operation. Cloud vendors must understand this change and ensure their developers act accordingly.

· SLA Management. Cloud vendors who only supply software, relying on other vendors to supply hardware, have to manage two SLAs. First, there is the performance and availability SLA entered into with you, the customer. Second, the cloud vendor must establish and manage SLAs with cloud hardware vendors to ensure their management and support is appropriate for the customer SLA. As the customer, it’s important you understand this relationship and how it’s managed.

· Lack of common standards. No standards have been established for how information is shared. Organizations not asking the right questions can find themselves unable to integrate cloud services from multiple vendors or easily establish B2B processes. Be sure to understand both the vendor’s approach to integration and its willingness to adjust to ensure compatibility with existing or future business systems. One way to start is to see if the vendor supports the Open Cloud Manifesto, which lists expectations for providing cloud services.

· Vendor and data availability. Calum Murray, head of software-as-a-service at Capgemini UK, recently described an incident involving Coghead, a cloud service provider. Murray said Coghead “… had its intellectual property snapped up by SAP, effectively leaving its customers 30 days to get their data off the system” (Ian Williams, 2009). Be sure to understand all the ramifications of a takeover or bankruptcy. Any cloud vendor agreement should include expectations related to changes to vendor status. The agreement should also include how you get your data back and in what format. Business impact caused by cloud vendor issues is mitigated by ensuring information returned from the vendor is easily transferable to another vendor or to in-house systems.

· Data security and compliance. One of the biggest drums beaten by critics of cloud computing is security. There is concern that data controlled by a vendor, residing on an off-site server, is somehow less secure than data stored in-house. This might be true, if an organization doesn’t take appropriate steps to ensure cloud service trustworthiness. However, the following can help ensure sensitive data are safe and accurate:

  o Ensure the service agreement includes a Business Associate Agreement if ePHI is involved or other clauses ensuring compliance with your company’s policies. Your policies should reflect regulatory requirements for all geographic locations serviced. This prevents the vendor from being compliant with regulations applicable to its location but not compliant with yours.

  o Retain the right to perform audits on vendor policies and processes, just as you would perform them for internal systems. This, too, should be included in the agreement.

  o Ensure the agreement includes monetary sanctions for not meeting security expectations, as defined in your company’s policies and the vendor agreement.

· User authentication. The first question you should ask is whether your existing user accounts can be used for pass-through authentication, or, if you’ve implemented federated authentication, whether the vendor can support your solution. Processes for on-boarding and terminating employees should be simple and capable of integration into manual or automated provisioning systems. Further,

“Consistency around authentication, identity management, compliance, and access technologies will become increasingly important. To reassure their customers, cloud providers must offer a high degree of transparency into their operations.”

Source: Open Cloud Manifesto, 2009

The Final Word

There are several reasons why cloud computing might not be for you. However, you won’t know until you’ve asked the right questions. And take your time. Possibly, only one or two critical processes are suitable for cloud hosting. So start with them. You don’t need to transition the entire datacenter to start taking advantage of the benefits. Finally, don’t be swayed by cloud-related FUD. Educate yourself and your team, assess risk, and make a decision based on business value.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for, TechRepublic, and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.