Infosec 2012: Education is key to safer cloud contracts, says Suffolk CIO

Many businesses are discovering some nasty security surprises from their cloud providers, but that is no reason to shy away, says Mark Adams-Wright, chief information officer, Suffolk County Council.

"There are concerns, and these need to be worked through, but they are not concerns that should stop people doing the great things that are out there to do in the cloud," he told Computer Weekly.

In this time of austerity, he said, cloud services offer organisations the opportunity to reduce costs, move away from legacy applications, and build additional capabilities, such as mobile working.

Education, Adams-Wright said, is key to ensuring that organisations can reap the benefits of lower costs and flexibility of cloud services, without the security risks.  

"There is nothing to fear if you approach it in a professional way, which is all about recognising the need for education; understanding the new world of cloud and taking on board all the learnings you can get from other organisations, market analysts and researchers," said Adams-Wright.

Research firms Gartner and Forrester, he said, have been very useful in understanding where the market is going and the problems and pitfalls that should be avoided.

Suffolk County Council plans to migrate to cloud services wherever possible, but it has sought advice from a wide variety of sources and drawn up a check list for choosing services and suppliers.

This process has included the council's procurement and legal departments to ensure that everyone involved has the best understanding possible of the cloud services marketplace.  

The plan is to end up with a master check list, said Adams-Wright, who believes the council has made a good start for public cloud services.

"At the moment we are trying to use as many public cloud services as possible because of the exponentially greater cost benefits," he said.

However, Adams-Wright said this will change and the check list will have to be refined as the council moves into some areas of the private cloud where public services do not suit its needs.

Engaging with cloud services providers as partners to help develop their offering is another strategy the council has used to improve its understanding of the world of cloud computing.

"For example, in the cloud-based management systems we are using, we have helped the service providers to build other parts to it. By engaging with providers, we are getting a lot more out of it," said Adams-Wright.

But when it comes to signing up to cloud services, he warns there is no short-cut. "A lighter approach to getting things done in IT does not necessarily mean a lighter approach to the due diligence that needs to be done," he said.

Involving an organisation's legal and procurement teams from early on in the process is vital, said Adams-Wright, who believes that cloud means there needs to be better communication than ever before between the IT department and its legal and contract management colleagues.

It is also essential for organisations to have a thorough understanding of the data they hold and what they can and can't do with it to ensure there is no uncertainty, said Adams-Wright.

"We have to be honest about our data to ensure we get the basic stuff sorted out. Cloud is not a fast track to getting past the necessary hard work that needs to be done to get internal infrastructures ready for the cloud," he said.

Adams-Wright will be joined by Des Ward of the Cloud Security Alliance to discuss the topic in more detail at Infosec Europe 2012, 24 – 26 April in London.

The discussion, at 13h45 on Thursday 26 April in the keynote theatre, will focus on creating an effective cloud contract, no matter what the service, so that businesses know what they have signed up for and exactly how secure it really is.
