
The cloud - the combination of Software as a Service (SaaS) and the
increasing business use of the public (web-based) IT infrastructure
out there - is being heralded as the key way organisations can
reduce investment in running their own hardware, software and IT
staff going forward.
Many of the "buy" reasons around the cloud are, indeed, very
strong. But security and privacy concerns are just as pertinent
here as they are in all other areas of IT - and, in fact, whether
you subscribe to SaaS or implement web services on your own in-house
servers, cloud computing does not make these issues conveniently go
away - indeed, they may even end up magnified.
Again, as stated, that is not to belittle the positives. When
you subscribe, for example, to a SaaS service, you avoid the
overhead investment associated with implementing and supporting
conventional systems. An on-going monthly expense is easier to
incorporate into your budget than a large one-time outlay. When you
subscribe to a web-hosted application, you free your team up from
supporting high-cost, time-consuming in-house IT functions.
However, the economies of scale that software as a service
brings as a result of "multi-tenancy" (where many customers have
their needs met by the same unit of software) do lead to increased
security concerns. Luckily, approached with some forethought, such
security issues can be headed off at the pass and the
subscription-based computing model offers some benefits that cannot
easily be ignored, especially in the current economic climate.
In the normal course of tackling security compliance issues, one
needs to address a range of essential topics, including
ISO27001 compliance, secure development lifecycles, threat
profiling and security testing, and secure coding guidelines. Data
stored on the SaaS supplier's servers is exposed to the same
hostile electronic environment - and data compliance requirements -
as your own.
So when considering a SaaS subscription, find out: what are the
security arrangements at the supplier facility - and are they in
place 24/365? What type of infrastructure do they use to host data?
What virus protection is there? Do they contract with an
independent third-party for vulnerability scans and penetration
tests? How often are the systems backed up and how well rehearsed
are system recoveries? What level of data encryption is used to
protect website transactions? How do they ensure compliance with
relevant data privacy regulations?
Then, on the datacentre side: start off by asking for a service
level agreement that guarantees a specific percentage of uptime. In
addition, find out whether they offer full hardware redundancy, in
case of equipment failure. Also, does the datacentre have generator
backups, in case of a power failure? Is the server farm scalable?
And is it monitored 24/365?
Finally, on the data side - a key area of concern, since your
application data is stored on the supplier's servers rather than on
your own - does the proposed provider have a data backup process?
Where and how are backups stored? Is data exportable in a format
that can easily be re-used? And how are backups encrypted and
secured?
Following these questions can help put the right safeguards in
place to maximise the potential for a cloud approach to IT
application provision - which may be just what any CIO wants to
hear right now.
Alan Calder is chief executive of IT Governance Limited.