Today's round-the-clock information culture means organisations are becoming more reliant than ever on continuous access to applications and data. Whatever the cause, a break in continuity negatively impacts business - whether it's the inconvenience of a few hours' lost productivity while email is down, or complete operational paralysis when business-critical processes such as transactional systems experience an outage.
Malicious Denial of Service (DoS) attacks are on the increase, as high-profile companies are targeted for business disruption rather than information theft. Despite sweeping defence cutbacks in the recent government spending review, funding for measures to counter cyber attacks was given a £650m boost, highlighting the serious national implications and the threat level of this modern form of hostility., accidental interruptions - whether internal or external, unforeseen or unpreventable - resulting in no-fault incidents, can also leave your business in the dark.
These risks pose serious questions for anyone contemplating the adoption of a model. Handing over some or all of your IT estate to the safekeeping of an outside organisation is an act of trust - but it shouldn't be one of blind faith. When evaluating any potential cloud provider, there are two key areas in which you should demand hard evidence of risk mitigation: security and availability.
Security - bringing substance to the cloud Much like in your own data centre, cloud security falls into three distinct categories: physical - the measures to prevent attackers from accessing a facility; digital - the software safeguards in place to protect your applications and data; and human - the people with access to your systems and data. But because your infrastructure will be out of your line of sight, there are additional questions to ask with respect to the cloud that you may not have previously considered in such depth for your in-house facilities.
Location, location, location The term "cloud" is inherently vague, so ask your provider where the facility that will house your IT assets is located and whether data will be moved from system to system as demand fluctuates. International data privacy laws differ from country to country, and as the volume and complexity of cross-border data flows proliferate due to increasing globalisation, it's vital that you know which country your data physically resides in. Geography is especially relevant if your business is required to demonstrate compliance with measures such as the Payment Card Industry Data Security Standard (PCI DSS), SAS 70 or Sarbanes Oxley.
Bricks and mortar Knowing where the "tin" is kept can also help you form a clearer picture of the likelihood of disruption due to external factors.
Does the provider own as well as manage the facility?
Is the building in an area of high flood risk or a city subject to power shortages?
Is its location a potential target for terrorist attacks? Bear in mind secondary factors such as transport infrastructure in the surrounding area - if shut down, this could affect the ability of the cloud provider's staff to come in to work.
Are there sufficient physical defences and security guards in place to deter and prevent intruders?
Is the facility in a secure subterranean location, and is there sufficient power available to support the entire data centre into the future?
Currently, there's no across-the-board means of defining a data centre's integrity. Many facilities claim to be Tier 3 or 4 rated, but this is a US classification and, as such, is not a reliable indicator outside North America. What security standards or certifications does the provider uphold, and is the entire organisation accredited or just one department or business unit? For example, look for evidence of ISO 27001 certification and PCI DSS compliance if required, then determine who carried out the audit and whether the part of the organisation that was certified will actually manage your cloud infrastructure.
Ascertain who has access to your data. How is their background verified, for example, are they CRB-checked? How is access to the data floor by the provider's staff and other customers' technicians controlled? What measures are in place to provide continuity of staff cover in the event of something beyond the provider's control, such as a flu pandemic?
Get a clear statement of what firewalls, anti-virus and other protection from DoS attacks are in place. And ask what ongoing programmes or policies the provider has implemented to keep pace with evolving and emerging threats. Nuisance neighbours In a typical public cloud, your business runs the risk of collateral damage from another tenant's activity - a threat that is heightened if the vendor doesn't vet its clients for business operations involving gambling, pornography or restricted items, for example. Additionally some providers assign a finite number of shared IP addresses to a cloud, which means that if a tenant is caught spamming, the IP address will be blacklisted, resulting in the loss by association of your organisation's email service.
- the importance of the SLA It's astonishing that any business would entrust its infrastructure to a cloud vendor who was unable to provide a minimum level of assurances, but some vendors still can't or won't offer a service level agreement. Consider the SLA as your passport to the cloud - nothing should leave your data centre without it.
for purpose Look for a robust, enterprise-class SLA that reflects the "must-have" nature of information availability to your operations - one that allows you, the customer, to validate the safeguards that are in place to support its warranties. Understand how the formulae are calculated and what recourse you have if you feel Quality of Service falls below that outlined in your contract. Be clear about how credits will be measured in the event of outages or service interruptions.
One of the most attractive benefits of Cloud Computing is the ability to scale capacity according to your needs - unlike an in-house data centre, the resource pool is geared to handle spikes in load. What lead time can your provider guarantee for provisioning incremental resource? This may be key if a sudden event causes unplanned or exceptional demand - for example, helping your website cope with a dramatic uplift in traffic in response to a successful promotional campaign.
The pay-per-use aspect of cloud is also a key draw for many businesses, but like any utility, you need a valid way of metering your usage. However, many providers are unable to offer a breakdown, which may be required if you need to split charges across different departments and cost centres. Check whether a provider can offer itemised billing that will give you the visibility you need.
While 100% uptime is the holy grail, things happens - from a cataclysmic external event to something as simple as pulling a plug out of its socket. The key is to understand what to expect in the event of a service interruption. What secondary environment(s) will be invoked as fail-over? Is there a one-hour or a one-day recovery plan and is this sufficiently aligned to the needs of your business?
Flexibility Reliability comes at a premium. To harness the savings of cloud, determine your tolerance for downtime. Do you really need to pay for "five nines" availability of archive data? Ask your provider whether they can tailor your service - and the warranties of the SLA - to accommodate different availability levels for your data and applications.
The final analysis Finding the right provider starts with asking the right questions. Ultimately, security and availability concerns are amplified by the devolution of control that comes as part and parcel of the model. So it pays to challenge any prospective cloud vendor about its credentials in these two areas and consider how your existing business continuity and disaster recovery provisions can be integrated with - and bolstered by - your provider's. In focusing on the potential pitfalls, don't neglect the fact that a leading vendor with established capabilities in the cloud may offer tighter security and higher availability than your business can currently support in-house, where time, cost and complexity may be prohibitive. After all, it's their core business, and they stake their own commercial success and reputation in the marketplace on their ability to satisfy multiple enterprise customers' demands.
Your chosen supplier's ability to satisfy your enquiries will lay the foundations of trust on which to base a long-term relationship - one that can grant you access to sought-after skills, experience and consultancy that your business might not otherwise have access to - smoothing your transition to the cloud.