17/11/2014

By Richard Blanford, Fordway


One of the reasons organisations frequently cite for not using cloud computing is security. They’re worried that they don’t know where their data will be held, or that it will be accessed by third parties.

Although they’re right to be wary of unsecured public services, which are not designed for business information, I’d argue that in most cases their fears are overstated, and the issues that concern them are more about general risk management than security.

I believe that most cloud service providers will implement and manage considerably better IT security controls than internal IT departments. A bold claim? Perhaps – but I think it’s justified. Here’s why.

Firstly, good security is vital to the success and well-being of the cloud provider's own business. A provider that cannot demonstrate its controls to prospective customers, or that suffers a publicised breach, will quickly lose them and may not survive. For this reason most reputable providers hold and maintain certification against ISO/IEC 27001 (the certifiable standard in the ISO 27000 family) and, where they handle payment card data, PCI DSS compliance. If you're considering cloud services, check this before you enter into detailed discussions with a supplier, and read the scope statement on the certificate: an ISO 27001 certificate covers only the locations, systems and services named in its scope, which may not include the service you intend to buy.

Second, many cloud providers host data for public sector bodies and regulated industries. To do this they have to gain and maintain separate pan-Government security accreditations, which require them to be regularly security tested by independent, government-approved penetration testers. This adds a second level of assurance.

Third, they can afford the best security technologies and the staff to maintain and update them, because the cost is shared across all their clients. This is particularly relevant to medium-sized businesses, which may not have the resources to employ a full-time security specialist or to afford the latest security technology. Why spend a lot of time and money building something yourself when you can pay a fraction of that cost and receive the full benefit? Bear in mind, though, that the provider's controls cover the platform it operates. Who in your organisation can access the data, how those accounts and credentials are managed, and what data you choose to place in the service remain your responsibility whichever provider you use.

In my view the more important aspect of cloud risk is supplier risk management, which depends on the supplier's financial stability and the terms of its contract. Lack of service availability, the absence of capacity and performance guarantees, or undefined remediation when the service fails are much more of a threat to your business.

The good news is that all of these issues are addressed by the better service providers. Choosing the right partner is crucial. If you carry out effective due diligence on your potential supplier, and are prepared to walk away if they can’t provide the guarantees you require, you should be able to manage the risk effectively. You may, however, need to work with multiple providers to create a hybrid solution tailored to your organisation’s specific needs.

Here's a checklist to help assess the risks of using a third party provider for specific services:
• Will the supplier still be around in five years' time? If not, or if you choose to leave, how do you get your data back, in what format, and how quickly?
• Is their infrastructure up to the job?
• Do they hold current, independently audited security certifications, and does the scope of each certificate cover the service you are buying?
• Are the Service Level Agreements (SLAs) understandable, viable and acceptable to you, and do they define what happens when they are missed?
• Do they have genuine expertise in the areas they will be managing?
• Will you as an organisation have access to that in-depth expertise, or will your needs be handled by a junior member of their team?
• Are they flexible enough to respond to changing circumstances, or so tied up in red tape that any change requires a lot of work?
• Are you just another customer, or does providing a first class service genuinely matter to them?

Finally, remember that moving applications and services to the cloud is a migration project in its own right. You either need the skills and time to move the applications and services yourself, or you need to work with an organisation that has the appropriate expertise.