The jury is still out on whether using cloud-based services increases or decreases the likelihood of business interruptions.
On the face of it, using a variety of diverse environments should reduce the risk of a fatal outage. On the other hand, cloud-based services
A recent report by the Information Security Forum suggested that many of the current cloud-based service offerings are still immature; even the likes of Google and Microsoft have short track records with cloud-based services. As such, the Forum recommends that companies avoid putting their most important systems into the cloud until they are sure of their supplier's reliability. A recent study by Avanade Inc., surveying more than 500 global C-level executives and IT decision makers in 17 countries found that more than 35% of respondents have experienced an outage at a service provider company. On a broader level, 30% of respondents using Software as a Service (SaaS) experienced an outage of 10 or more hours -- losing more than a full day of business. So it's vital to plan ahead for service disruptions.
Business continuity plan considerations
For business continuity plans to be effective, an organisation must fully consider the security requirements of the data it's putting into the cloud, such as minimum recovery times and e-discovery access. It then needs to review its cloud provider's own disaster recovery and business continuity plans to ensure they align with those requirements. Also, be aware of how their plans affect your own continuity of operations and access to data.
Outsourcing can invariably create confusion between providers and customers regarding responsibilities and accountability, so look to contractually specify which party is responsible for ensuring compliance with any relevant policies or standards.
If your data is held in another country, compliance with the applicable international and country laws must be taken in to consideration as well. Business continuity plans should address any compliance limitations in a cloud provider's plans, such as data deletion on rotated backup media. For instance, the Data Protection Act stipulates that personal information should be kept no longer than necessary, but it could remain on a cloud provider's backup tapes unless they have a secure deletion process when reusing backup media. This will require some frank discussions with the provider to ensure all key provisions are covered.
Also review your Internet connection. If the enterprise needs access to certain data in the cloud on a 24x7 basis, an in-house Internet outage could be disastrous. Consider multiple ISPs for better network diversity and business continuity, or opt not to use a cloud environment for data that the company must have access to at all times.
A cloud computing business continuity strategy must also include migration plans to accommodate a sudden change of cloud provider; cloud providers could go bust or dramatically increase charges, just like any other service company. Ensuring applications and data structures are vendor neutral will make the task of changing providers at the drop of a hat a lot easier. Prepare a shortlist of potential providers who meet the organization's requirements along with the costs of moving data and retraining staff on a new system. Be sure that backup companies also operate in a cloud-independent format, and independent of the machine image, moving backup copies out of the cloud on a regular basis. This puts you in control of your backup data which can be restored to the location of your choice. In an evolving area like the cloud, an external review of organization contingency plans may help throw fresh light on possible alternative approaches.
With any project, business continuity planning is always best done early on, and moving to a cloud-based service model is no exception. If a security event occurs, poor policies and procedures or poor staff training will undoubtedly increase its severity. By the time you're ready to move data or applications to the cloud, your IT team should be ready to adopt a cloud-based working mentality and appreciate any changes to their individual roles in the overall security and continuity plans.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in March 2010