The cloud - the combination of Software as a Service (SaaS) and the increasing use made by business of the public (web-based) IT infrastructure out there - is being heralded as the key way organisations can reduce investment in running their own hardware, software and IT staff going forward.
Many of the "buy" reasons around the cloud are, indeed, very strong. But security and privacy concerns are just as pertinent here as they are in all other areas of IT. Whether you subscribe to SaaS or implement web services on your own in-house servers, cloud computing does not make these issues conveniently go away; if anything, they may end up magnified.
Again, as stated, that is not to belittle the positives. When you subscribe, for example, to a SaaS service, you avoid the overhead investment associated with implementing and supporting conventional systems. An on-going monthly expense is easier to incorporate into your budget than a large one-time outlay. When you subscribe to a web-hosted application, you free your team up from supporting high-cost, time-consuming in-house IT functions.
However, the economies of scale that software as a service brings as a result of "multi-tenancy" (where many customers have their needs met by the same unit of software) do lead to increased security concerns. Luckily, approached with some forethought, such security issues can be headed off at the pass and the subscription-based computing model offers some benefits that cannot easily be ignored, especially in the current economic climate.
In the normal course of tackling security compliance issues, one needs to address a range of essential topics, including ISO 27001 compliance, secure development lifecycles, threat profiling and security testing, and secure coding guidelines. Data stored on the SaaS supplier's servers is exposed to the same hostile electronic environment, and the same data compliance requirements, as your own.
So when considering a SaaS subscription, find out: what are the security arrangements at the supplier facility, and are they in place 24/365? What type of infrastructure do they use to host data? What virus protection is there? Do they contract with an independent third party for vulnerability scans and penetration tests? How often are the systems backed up, and how well rehearsed are system recoveries? What level of data encryption is used to protect website transactions? How do they ensure compliance with relevant data privacy regulations?
Then, on the datacentre side: start off by asking for a service level agreement that guarantees a specific percentage of uptime. In addition, find out whether they offer full hardware redundancy, in case of equipment failure. Also, does the datacentre have generator backups, in case of a power failure? Is the server farm scalable? And is it monitored 24/365?
Finally, on the data side, a key area of concern since your application data is stored on the supplier's servers rather than on your own: does the proposed provider have a data backup process? Where and how are backups stored? Is data exportable in a format that can easily be re-used? And how are backups encrypted and secured?
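The three sets of questions above (supplier security, datacentre resilience, and data handling) amount to a vendor due-diligence questionnaire. The following Python script is an added example, not part of the original article, showing how a security team might encode that questionnaire so that a supplier's answers are evaluated consistently rather than by eye. It also converts an SLA uptime percentage into the downtime it actually permits, which is usually the first thing a CIO wants to know. The thresholds used (a 99.9% uptime floor, backups at least every 24 hours) and the `VendorAnswers` fields are assumptions chosen for illustration; the article states no specific figures.

```python
from dataclasses import dataclass
from typing import List, Optional

MINUTES_PER_DAY = 24 * 60


def downtime_budget_minutes(uptime_pct: float, days: int = 30) -> float:
    """Minutes of downtime an SLA of `uptime_pct` % permits over `days` days.

    99.9% over a 30-day month is 43.2 minutes; 99.99% is 4.32 minutes.
    """
    if not 0 <= uptime_pct <= 100:
        raise ValueError("uptime percentage must be between 0 and 100")
    return (100 - uptime_pct) / 100 * days * MINUTES_PER_DAY


@dataclass
class VendorAnswers:
    """A supplier's answers to the questionnaire (field names are assumptions)."""
    uptime_pct: float                       # SLA uptime guarantee
    monitored_24x365: bool                  # is the server farm monitored 24/365?
    hardware_redundancy: bool               # full hardware redundancy offered?
    generator_backup: bool                  # generator backup for power failure?
    third_party_pentest: bool               # independent scans and penetration tests?
    backup_interval_hours: Optional[float]  # None means "no backup process"
    recovery_rehearsed: bool                # are system recoveries rehearsed?
    backups_encrypted: bool                 # are backups encrypted and secured?
    transport_encryption: str               # e.g. "TLS 1.2"; "none" if unprotected
    export_format: Optional[str]            # e.g. "CSV"; None if data is not exportable


def evaluate(answers: VendorAnswers,
             min_uptime_pct: float = 99.9,
             max_backup_interval_hours: float = 24.0) -> List[str]:
    """Return a list of findings; an empty list means every question was answered
    acceptably against the (assumed) minimum requirements."""
    findings = []
    budget = downtime_budget_minutes(answers.uptime_pct)
    if answers.uptime_pct < min_uptime_pct:
        findings.append(
            f"SLA uptime {answers.uptime_pct}% permits {budget:.1f} min/month of "
            f"downtime, below the {min_uptime_pct}% floor")
    if not answers.monitored_24x365:
        findings.append("server farm is not monitored 24/365")
    if not answers.hardware_redundancy:
        findings.append("no full hardware redundancy in case of equipment failure")
    if not answers.generator_backup:
        findings.append("no generator backup in case of power failure")
    if not answers.third_party_pentest:
        findings.append("no independent third-party vulnerability scans or penetration tests")
    if answers.backup_interval_hours is None:
        findings.append("no data backup process")
    elif answers.backup_interval_hours > max_backup_interval_hours:
        findings.append(
            f"backups every {answers.backup_interval_hours:g} h exceed the "
            f"{max_backup_interval_hours:g} h maximum interval")
    if not answers.recovery_rehearsed:
        findings.append("system recoveries are not rehearsed")
    if not answers.backups_encrypted:
        findings.append("backups are not encrypted")
    if answers.transport_encryption.strip().lower() in ("", "none"):
        findings.append("website transactions are not encrypted")
    if answers.export_format is None:
        findings.append("data is not exportable in a re-usable format")
    return findings


# Constructed sample answers for two hypothetical suppliers.
WEAK_VENDOR = VendorAnswers(
    uptime_pct=99.0, monitored_24x365=False, hardware_redundancy=False,
    generator_backup=False, third_party_pentest=False, backup_interval_hours=None,
    recovery_rehearsed=False, backups_encrypted=False, transport_encryption="none",
    export_format=None)

SOUND_VENDOR = VendorAnswers(
    uptime_pct=99.95, monitored_24x365=True, hardware_redundancy=True,
    generator_backup=True, third_party_pentest=True, backup_interval_hours=6,
    recovery_rehearsed=True, backups_encrypted=True, transport_encryption="TLS 1.2",
    export_format="CSV")

if __name__ == "__main__":
    for name, vendor in (("weak", WEAK_VENDOR), ("sound", SOUND_VENDOR)):
        print(f"{name}: {downtime_budget_minutes(vendor.uptime_pct):.1f} min/month permitted")
        for finding in evaluate(vendor) or ["no findings"]:
            print("  -", finding)
```

Keeping the questionnaire as data rather than a document means the same checks are applied to every supplier, and a change in policy (say, raising the uptime floor) is a one-line edit rather than a re-read of each proposal.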
Following these questions can help put the right safeguards in place to maximise the potential for a cloud approach to IT application provision - which may be just what any CIO wants to hear right now.
Alan Calder is chief executive of IT Governance Limited