By Michael Sanchez
Oct. 20, 2011
As an increasing number of business-oriented tools and services become available online, more enterprises find themselves faced with this decision. Cisco’s Internet Business Solutions Group (IBSG) estimates that close to 12 percent of enterprise workloads will run in the cloud by the end of 2013 and that this will yield a market for public-cloud services of approximately $43 billion.
While reduced costs and increased efficiency are significant benefits of cloud computing, every company needs to consider other factors such as the security of its end devices, legacy architectures, sunk costs, and the cloud service itself. Here are five key considerations an enterprise should explore as it searches for the cloud service that best fits its needs:
1. Secure data transfer. All of the traffic traveling between an enterprise network and the cloud service provider must traverse the Internet. Companies should ensure that their data always travels over a secure channel and is encrypted and authenticated using industry-standard protocols that have been developed specifically for protecting Internet traffic, such as IPsec (Internet Protocol Security) and SSL (Secure Sockets Layer).
2. Secure software interfaces. Become familiar with the software programs or methodology used to interact with cloud services. According to the Cloud Security Alliance, “Reliance on a weak set of interfaces and APIs (application programming interface) exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability.” The CSA recommends learning how any potential cloud provider integrates security throughout its service, from authentication and access control techniques to activity monitoring policies.
3. Secure stored data. Data should be securely encrypted when it’s on the provider’s servers and while it’s in use by the cloud service. In the cloud security report, Q&A: Demystifying Cloud Security, Forrester warns that only a small number of cloud service providers assure protection for data being used within the application or for disposing of your data. Companies should ask potential cloud providers how they secure data not only when it’s in transit but also when it’s on their servers and accessed by the cloud-based applications.
4. Workload variability. Determine which applications are most cloud-friendly. Applications that are most suitable for delivery from the cloud are workloads with variable or unpredictable resource requirements; workloads that are seasonal, such as tax season, or public-facing applications such as online sales are prime examples. Since these applications must be provisioned for peak loads, there is a major cost advantage to utilizing on-demand infrastructure to run them. Applications that require quick setup, such as sales-and-marketing campaigns, and application development are prime candidates to move to the cloud as well. From a security standpoint, it becomes important to ensure the availability of the data or service from the cloud, so that it is not subject to a denial-of-service (DoS) attack.
5. User access control. This applies to the enterprise’s end devices and a cloud provider’s overall service. Always consider the sensitivity of the data being stored in the cloud. Ask providers for specifics about who is managing the data and the level of access they have to it. Get specifics about how your data is kept secure from other businesses. Clearly define and communicate who has access to what data, how they can access the data, and what they can do with that data.
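Consideration 1 asks for a channel that is both encrypted and authenticated. The following Python check is an added example, not part of the original article: it audits a client-side TLS configuration (TLS is the successor to SSL) for the settings that provide each property. The function names and the TLS 1.2 floor are assumptions chosen for illustration.

```python
import ssl

# Assumed policy floor for this example; the article does not name a version.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def audit_client_context(ctx):
    """Return findings for a client SSLContext.

    An empty list means connections made with this context are encrypted
    with a modern protocol and the provider's identity is verified.
    """
    findings = []
    # Authentication: the provider must present a certificate that chains
    # to a trusted CA.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: provider is unauthenticated")
    # Authentication: the certificate must match the host being contacted.
    if not ctx.check_hostname:
        findings.append("hostname not checked: a trusted certificate for any name is accepted")
    # Encryption: refuse to negotiate legacy SSL/TLS versions.
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol floor below TLS 1.2: legacy SSL/TLS may be negotiated")
    return findings


def hardened_context():
    """Corrected configuration: library defaults plus an explicit floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking
    ctx.minimum_version = MIN_TLS
    return ctx


def weak_context():
    """Weak configuration, constructed for the example: traffic is still
    encrypted, but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        findings = audit_client_context(ctx)
        print(name, "OK" if not findings else findings)
```

The weak configuration shows why the article asks for both properties: encryption without verification protects the data only from passive observers.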
These considerations are not meant to be barriers to moving data storage and applications to the cloud, but they are considerable obstacles that will require an enterprise to carefully examine its contractual obligations, risk profile, and security infrastructure. An enterprise should be prepared to present a potential cloud service provider with detailed security and legal requirements applicable to the company’s needs and the nature of the information being stored or transacted.
Michael “Miguel” Sanchez, a Certified Information Systems Security Professional (CISSP), is marketing manager for Small Business Security Solutions at Cisco Systems. For more information, go to www.cisco.com/cisco/web/solutions/small_business/index.html