
10 things your cloud provider may not tell you

When you're evaluating cloud solutions, make sure you get the whole story. Here are 10 critical issues you should bring up (because the vendors might not).

I am a true believer in the value cloud computing can bring. But as with any technology or product, the onus is on the purchaser to do appropriate due diligence and separate the facts from the fluff (no pun intended). In the case of cloud, this can be challenging, as all cloud solutions promise the best ease of use, low cost, fast deployment, and absolute security. But we know all clouds are not created equal, and I recommend you look beyond the marketing claims to the fine print and even the stuff that is not written anywhere.

1: The issue of integration

To be fair, some cloud providers do talk about integration upfront, but those are the cloud integration vendors. For most others, this is a missing message. If your company is looking to add SaaS applications to your environment or use a PaaS to build Web apps, think about integration going in. What happens if you run SAP today and a branch office installs NetSuite? Good luck moving critical ERP data between them without integration work. Don't jump to the cloud and then discover you have integration problems. Build the cost, management, and implementation effort into your deployment plan upfront.

2: Hidden costs or future pricing tiers

Because cost savings are such a fundamental pillar of the cloud, it's vital to look beyond the initial monthly subscription fee. Make sure you fully understand the complete pricing model and how your cost changes as the number of users, capacity, features, etc. increase. Does the vendor charge separately for support? Are upgrades to new versions included?

Also, there are often pricing tiers or "buckets," and when you cross into the next tier, your costs can increase significantly. Finally, look for a way to clearly show your ROI or success metrics for this solution. Align your costs with your expected results, whether quantitative or qualitative. This is particularly important if your company is new to cloud consumption, as your ability to show success with an initial deployment will influence future implementations.

3: Real uptime numbers

You'd think cloud providers had found the secret formula to uptime, as nearly everyone claims four or five nines (99.99% or 99.999% availability, which allow roughly 53 minutes or 5 minutes of downtime per year). Let's be clear: every network goes down. How quickly it recovers, and how the infrastructure is architected for failover and disaster recovery, is what determines the impact any downtime has on your business. Few vendors will fully disclose their absolute uptime metrics, but you can ask for reports covering the past few months, ask about their maintenance schedules, check with other customers, and so on. Some vendors are leading the way in this area, such as Salesforce.com, which publishes its statistics on a public Web page.

4: You are ALSO responsible for cloud security

While the cloud vendor should have best practices around security at all layers -- data, application, infrastructure, and personnel -- don't assume you have zero responsibility. A survey by the Ponemon Institute on the Security of Cloud Computing Providers revealed that neither cloud providers nor customers feel responsible for data security in the cloud. In fact, a majority (two-thirds) of cloud providers believe it is their customers' responsibility to secure the data they store. That's not good, because it means both sides will be pointing fingers if a data breach occurs.

Make sure you know what you are responsible for and what the cloud vendor handles when it comes to data protection. Don't assume the cloud solution covers every security aspect; you may still need to handle your own encryption, access policies, and monitoring. The split moves with the service model. For IaaS and other infrastructure-related clouds, the provider typically secures the physical facilities and the virtualization layer, while the guest operating system, patching, network rules, user identities, and the data itself are yours, so chances are you are largely responsible for the security (and reliability) of your cloud instance.

5: Who holds the key

In this case, I'm talking about the encryption key. How your data is protected is vital, but beyond general statements about security and privacy, the details of encryption are rarely discussed. First, make sure your data is encrypted at ALL times, both in motion and at rest. Then find out how the vendor manages and secures the encryption keys: who can access them, what access-control rules and policies govern key management, and whether you can hold the keys yourself. This matters because whoever holds the key can read the data. If the provider generates and keeps the keys, then the provider, and anyone who compromises or compels it, can decrypt your data no matter where the ciphertext sits; provider-side encryption at rest protects you against a lost or reused disk, not against the provider. This is vital for all companies, but particularly if you are in a regulated industry, such as healthcare or finance.
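To make "who holds the key" concrete, here is an added example (my own illustration, not code from the author or from Symform) of what holding the key yourself looks like: envelope encryption performed on the customer side before anything is uploaded, written in Go against the standard library's AES-256-GCM. The object name, the sample record, and the function names are constructed for illustration; where the customer's key-encryption key (KEK) actually lives (an HSM, a customer-managed KMS) is an assumption outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the provider: the object encrypted
// under a fresh per-object data key (DEK), plus that DEK wrapped under the
// customer's key-encryption key (KEK). The KEK never leaves the customer.
type Envelope struct {
	WrappedDEK []byte // DEK sealed with the KEK (nonce || AES-256-GCM output)
	Ciphertext []byte // object sealed with the DEK (nonce || AES-256-GCM output)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce prepended to the output;
// aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key or any tampering fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForUpload runs on the customer's side before the upload. The object
// name is bound in as AAD so a ciphertext cannot be served back under a
// different name without detection. (Hypothetical API, for illustration.)
func EncryptForUpload(kek, plaintext []byte, objectName string) (Envelope, error) {
	if len(kek) != 32 {
		return Envelope{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	aad := []byte(objectName)
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptDownloaded unwraps the DEK with the KEK, then decrypts the object.
// Without the KEK the first step fails: whoever holds the KEK decides who reads.
func DecryptDownloaded(kek []byte, env Envelope, objectName string) ([]byte, error) {
	aad := []byte(objectName)
	dek, err := unseal(kek, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	return unseal(dek, env.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // customer-held; assumed to come from an HSM or customer-managed KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record, not real data.
	env, err := EncryptForUpload(kek, []byte("patient-12345: sample record"), "backups/records.db")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d + %d bytes, none of it readable\n", len(env.WrappedDEK), len(env.Ciphertext))
	_, err = DecryptDownloaded(make([]byte, 32), env, "backups/records.db") // provider has no KEK
	fmt.Println("without the KEK:", err)
	pt, err := DecryptDownloaded(kek, env, "backups/records.db")
	fmt.Println("with the KEK:", string(pt), err)
}
```

The provider stores only the wrapped DEK and the ciphertext, so a subpoena, a misconfigured storage bucket, or a rogue administrator on the provider side yields nothing readable. The flip side is the trade-off this section is really about: if you lose the KEK, the provider cannot recover your data for you, so key backup, rotation, and access control become your responsibility rather than theirs.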

6: The real speed of data restoration

Cloud-based data storage and backup can solve real data protection issues, but a backup is only as good as the recovery. Once your data is safely in the cloud, can you get it back, and quickly, when you need it? Don't just ask questions about data restore; test it before you buy. Ask the vendor for any performance data they have that shows real-world examples. And data restore does not depend only on the cloud solution or the provider's capabilities; it also depends on your bandwidth. Don't believe the published numbers your ISP gives you. Run your own tests and make sure you know what is possible based on your actual upload and download rates. This affects not only data restore but the initial seeding of data to the cloud.

7: If multi-tenancy is really isolated

Many cloud applications and platforms use multi-tenancy: one shared platform, with logical separation of each customer's data and view of the solution from everyone else's. Architected correctly, multi-tenancy is a great way to let multiple companies share a single platform with strong security and privacy. However, multi-tenancy can have vulnerabilities, depending on how the cloud provider automatically provisions virtual servers, starts up operating systems, and assigns storage, among other areas. For example, investigations by the independent security consultancy Context Security found security vulnerabilities in multi-tenant environments where fragments of data were at risk of being accessed by, or visible to, other tenants. Context recommends that users follow best practices for hosted services, such as using full disk encryption for sensitive data, so that anything left behind on shared storage is unreadable to whoever gets it next.

8: How to move your data to another cloud or solution

Migration or transition from one technology or application to another is never fun. But with cloud solutions it can be especially painful, because your data sits on someone else's infrastructure in their formats. Make sure you know upfront how you get your data "out" of the cloud and how easy or hard it is to move it to another solution. In some ways, this goes hand in hand with integration: you need to know how to move data across clouds, or between on-premises and cloud solutions, all the time. And if you later move to a new solution, you again need to know how you would manage the move.

9: The fine print regarding privacy

There's a reason it's called "fine" print: this is typically the stuff vendors don't want you to find easily and assume no one will read anyway. When it comes to the privacy of your data and your personal information in the cloud, the type of cloud can vastly affect the vendor's privacy rules. For example, if the cloud depends on advertising for its revenue, chances are it will want to use your information to give advertisers data on its users. If the revenue comes from the end users, the vendor has an incentive to keep your information protected so you stay a paying customer.

10: How "green" the cloud really is

It's great to feel like we're helping save the earth while using new technology, and the cloud often promises just that. However, the reality is that behind every cloud is still physical infrastructure. In fact, cloud computing is driving a massive data center build-out. According to a recent Greenpeace report, nearly $450 billion is being spent annually on new data center facilities. All of this has a huge impact on our environment. The EPA reports that some 2% of North American electricity consumption goes to data centers and servers and expects that share to keep rising. Greenpeace suggests cloud computing is responsible for 2% of global carbon emissions. So if going green is one of your cloud goals, make sure your cloud is greener than the others. You can use the Greenpeace scorecard to help.

Ask the questions

While we are poking at cloud vendors a bit in this article, most are willing and able to go beyond the marketing claims and provide information that addresses the issues above. But as with any technology purchase or implementation, you want to do the appropriate due diligence and make sure you are making a well-informed decision. The onus is on you to make sure your data and information are safe and that the cloud provides the security, integration, and features your business needs.

About the author

Margaret Dawson is a 20-year high-tech industry veteran and is currently vice president of marketing and product management at Symform, a cloud backup provider. She is an author and frequent presenter on cloud computing, network security, integration, and other business and technology themes.

3 comments

katebrew

Really enjoyed the article.

Deadly Ernest

This can be a very important factor; just look at the Megaupload case. The company is a Hong Kong-registered entity owned and run by a New Zealand resident, with the servers in the USA. The US FBI has seized millions of dollars' worth of assets, claiming copyright infringement. The FBI claims the Safe Harbour Provisions of the DMCA do not apply; if this is upheld, then there could be issues all over the place about how safe they are. The New Zealand courts have already declared that the warrants issued in New Zealand at the request of the FBI weren't valid, that everything they seized has to be handed back, and that nothing in them can be used against the accused due to the illegal seizure. Also, the US judge handling the US case doubts it will ever come to court due to faults in the case. Thus this company, operating in the cloud, has been closed down due to the actions of a government agency in another country, actions that appear to have been improper and may end up being declared unlawful by their courts. This is a problem not mentioned or discussed by the cloud service providers.

TsarNikky

What happens to your data when a government entity shuts down the "cloud" because of some violation by other users of the "cloud," i.e., child porn site, military secret site, etc.? Hope you also have an equally secure and current off-site backup available.
