There’s no doubt that organisations are approaching the cloud with trepidation. Direct substitution of on premise business applications is still a rare event and organisations are primarily utilising the technology for low-risk, low impact services, such as collaboration extranet sites and general email services. But with tight budgets and limited employees and skillsets, smaller businesses have bucked the trend and are showing an appetite for change. As the credibility of these cloud services grow, combined with the benefits of increased flexibility, customisation and utility pricing, cloud adoption is set to soar.
But there are barriers to this growth, with the security of the cloud being a key concern. This has been elevated by the raft of recent scare stories in the media and has made it vitally important for cloud service providers to be transparent with their security, service level agreements (SLAs) and descriptions. Cloud service providers can’t expect enterprise customers to buy without clear evidence of a secure and reliable service.
Another perceived barrier linked to cloud adoption is data storage. Although the risks of hosting outside the UK are perhaps more theoretical than realistic, it will have an impact on buying decisions. Obvious benefits of a UK company buying from another UK company hosting data within the UK is that if all else fails, the ability to turn up on the supplier’s doorstep and have recourse to UK law is clearly understood and gives the customer a level of comfort. The geographic location of the customer’s data, while important, is not the only peril that could be considered a risk. It now looks clear that American owned companies or subsidiaries with data held within the EU may well be required by the US Patriot Act to disclose data to the US authorities, without notification to the data owner or the EU/UK authorities.
This is in clear contravention of UK data protection laws. Only an EU/UK owned cloud provider would be clear of the grip of the US Patriot Act. As all companies have a responsibility for the security of their customers’ data, this apparent gap in the chain of responsibility may deter some UK companies from buying services from US-owned cloud providers.
Adopting to the cloud
In most cases, adopting a cloud-based platform can be far from straightforward. This approach is usually based on perceptions of risk and internal change cycles. Understanding risk in any change project is complex, combine this with the evaluation of an external supplier and external services can be overwhelming to an often overstretched IT department. Vital to a smooth adoption process is a clear IT strategy; otherwise the default ‘safe’ mode of internal hosting can be the only low risk option. Cost will become secondary, especially if the risks associated with cloud can’t be explained and quantified.
A combination of custom developed tools and procedures support businesses through the cloud adoption process, reducing risks, complexities and allowing, if required, a staged migration. Clear communication and project management help define expectations and actions needed to be carried out by both an organisation’s and cloud service provider’s team.
In the IT industry, adoption of services, particularly of standardised solutions, can be a challenge for many users and the administration function within an organisation. The level of customisation and control usually available may well be significantly reduced. Managing IT users through a self-service control panel is simply a different experience for many technical admins within an organisation. Their roles and responsibilities for user support and diagnostics must be clearly defined, with effective escalation paths to the cloud services support teams.
Securing a cloud based service
Organisations expect a high standard of security from cloud adoption, but it’s also important that security can be evaluated and validated. Many cloud providers are sensitive about sharing the full extent of their security environment and procedures and often the detail presented in proposals is a sanitised version of the cloud provider’s actual security environment.
The reasons for this are clear: detailed knowledge of the actual structure of firewalling, server configuration or even locations are useful in any attempt to compromise security. Organisations are therefore often left with some sort of external validation of the cloud provider’s security. Regular third party penetration testing under the control of the enterprise may be suitable, particularly if the infrastructure being hosted is isolated, but this can have significant costs and can be disruptive to the actual functioning of the service.
A more acceptable way of validating the security processes and procedures of a cloud provider will be external auditing of the provider under ISO27001. This internationally recognised standard is a framework of policies and procedures that include all legal, physical and technical controls involved in a cloud provider’s information risk management process. Auditing against this standard provides evidence that a cloud provider has the information management structure in place to achieve security. Organisations must understand the extent that the standard is applied within the cloud provider and should ask if there are any exceptions that relate to the services they wish to consume.
User security when consuming cloud services can seem overly complex, particularly if the cloud service substitutes an internal system. Many cloud services depend on password authentication only and the requirement for strong or very strong passwords, which adds to a level of user frustration and increased support costs. Simplifying password management with integration to the enterprises internal systems can significantly reduce user frustration, although it implies that password strength and rotation policies must not be internally poor. Two factor authentication may be a requirement for many organisations, again the cloud provider must be able to support this requirement and work effectively with the internal IT support to resolve user issues.
The future of cloud computing for enterprises
Looking ahead, cloud computing and its subsequent incarnations will change the way IT is delivered for all categories of business, from consumer, SME to large enterprise. The way it impacts users may on some levels be almost imperceptible. They may well sit at a laptop and use their familiar applications without any knowledge of the seismic changes that have occurred to deliver that ‘desktop as a service’. This is a good thing: user inertia should not be a factor in the adoption of cloud. The driving force for cloud has to be a better and more flexible IT delivery.
On this framework, new disruptive applications and services will emerge, allowing progressive companies to adopt new software services efficiently and with low risk. Computational resources will become denser, allowing increased scale and efficiency from the cloud model. Businesses will not be limited by their IT; entrepreneurial organisations will mould their IT strategy to fit the best that the cloud can offer.