Privacy and Security in the Cloud

In my previous post, “Is your company ready for the Cloud?,” I mentioned that there are issues that needed to be included in any in-depth analysis concerning the use of cloud or hosted services for business. The most serious of these, which are applicable to all companies performing such an analysis, are related to data ownership, security, and privacy laws and regulations.

Even in some of the most highly regulated nations, governments have largely failed to address these concerns in relation to cloud-based services, while simultaneously strengthening the regulations concerning the protection of consumer data that businesses must comply with. This creates a serious conundrum for companies looking to utilise cloud or hosted solutions.

Data Ownership

Even though a hosted solutions service provider might state that the customer owns their data, in many cases there are very limited, if any, provisions for getting local backups of your data. For many cloud-based services, there are few provisions for exporting your data off the service if you wish to terminate or migrate to a different solution. In fact, many business owners who use a cloud service don’t spend much time considering this issue; of those that do, many dismiss it as being a trivial concern. This is usually due to a lack of understanding of the possible long term consequences of this grey area: after all, it’s your data, you own it, the service provider has assured you of this, it’s in the service contract, so it’s not a problem.

However, it’s one thing to state that the hosted data belongs to the client company, but an entirely different idea to ensure that client companies retain complete control of their data.

You only have control of your data if your hosted solutions provider offers you the following:

  • A local backup and copy of your data that is local, current, complete and usable
  • A guarantee that you can remove all of your data from the hosted servers at the termination of your contract

Without these, the guarantee of data ownership becomes mooted.

This is especially an issue when dealing with large, multinational hosted service providers who utilise data farms all over the globe (Microsoft Hosted Services, Google Apps, Salesforce, IBM Blue Cloud, etc.), but it applies to all levels of hosted and cloud service providers.

For example: what happens if your service provider goes bankrupt, or experiences a major natural disaster? What are your options in such a scenario? What are your contingency plans? Have they been tested, and how effective are they? Can you provide access to searchable archives of all your data, like email, going back several years, as would be required if you were served with a legal notice to grant such access?

Security

In recent years, file sharing services like DropBox, Windows Live Drive, and SugarSync, have become increasingly popular among consumers, largely due to their simplicity and convenience. You need access to your files from any location, and you can have it. However, it’s this very simplicity that can create large problems for a company. Of increasing concern is the recent rise in use of these services in companies by users, especially road warriors. Disregarding some of the inherent security issues intrinsic to these services, the greater threat is that they can be used to easily circumvent the IT security policies of your business.

You’ve spent time and resources ensuring data security and privacy compliance, only to have it all mooted by your users sharing corporate data through public file sharing services. This can be particularly dangerous to a company in the case of employee terminations and layoffs, as you have no control over where copies of all those files may now reside – potentially giving former or disgruntled employees the ability to damage your business.

Even the strict enforcement of internal policies may not be sufficient to protect you from this becoming a threat. You have the option of trying to completely block access to these services from your network, requiring stringent network monitoring and security protocols, or you can allow employees to use these services by issuing company controlled accounts. In this scenario, the company has control over the access rights and can easily disable a user’s account prior to termination, or as needed.

However, no matter how stringent your internal security policies are, no matter how much due diligence is given to securing your data from a corporate perspective, you have no true control over access to your data from within a hosting provider’s company. Add to this that many widely used cloud services, like DropBox and Google Apps, have experienced security issues within the services themselves that compromises security of hosted data. Going forward, these hosted service providers will increasingly become more enticing targets; and it’s a known fact that most security measures are reactive to threats after they become known. Given current legislation, any resultant damage, or violation of regulations and laws, is still the responsibility of the companies using the cloud services.

Privacy

US and Canada have fairly stringent privacy laws that dictate what a company is allowed to do with customer data, and what measures they need to take to ensure customer privacy. However, there are some significant disparities, and outright conflicts, between the laws of these neighbouring nations.  The onus of complying with laws protecting your clients’ data is on you, but the laws have not addressed the role of cloud and hosted services in this area. In case of a breach at the hosting company, it is you who are liable if your customers’ data is compromised.

When your data is housed in a data centre in another country or countries, whose laws and regulations differ vastly from those of your home country, you have even greater concerns. Some of the fastest growing providers of data centre services are located in countries like India and China, who have almost no effective consumer data privacy regulations, and where government agencies can demand unrestricted access to data stored on servers in their countries.

Additionally, the laws relating to data ownership and access by 3rd parties have not yet been clearly set out, and very few precedents have been set to determine if the data owners need to be notified if the hosting provider is required, for instance, to give access to client data by legal agencies. For example, under various Canadian and US laws, companies must secure and ensure the privacy of their clients’ information; they must also maintain processes for archiving and retrieving data in case of audits or subpoenas. Most of these laws and regulations protect and spell out the rights of privacy, and requirements of access by legal entities, of data stored on a company’s servers and computers; the same applies to SOHO’s, and consumers’ home computers.

This landscape becomes very murky when it comes to data stored at data centres by hosted or cloud service providers: there has been very little progress made in addressing whether a service provider’s client data is protected by the same laws and regulations covering that client if they were hosting all their data on their own on-site systems. The landscape becomes obscured in a veritable fog when dealing with data stored in data centres on foreign soil. In fact, there has been greater progress on regulating greenhouse emissions for data centres than there has been on regulating the contents of data centres!

Conclusion

The topics I’ve touched on in this post cover issues which are not technical, but legal and procedural. As such, any business seriously considering employing cloud services in their environment needs to include these aspects in their exploratory analyses; you should consult lawyers versed in the respective laws and regulations governing your specific industry, to ensure that you understand exactly what requirements you need to meet to stay in compliance. This will allow you to determine what types of cloud and hosted services you can utilise, to what extent, and what specific terms you should be looking at including in your service contracts with the providers.

You need to understand what their business models are and how your business will be affected by them. Make sure you thoroughly analyse your risks, and include measures in your planning to mitigate them, as well having contingency plans in place for if and when things go awry. Without considering these issues, you risk exposing your business to being vulnerable on several different fronts.

The cloud services industry is still relatively young and these are issues that are finally beginning to be addressed in a legal and political framework. However, even if each nation enacts effective regulations addressing these issues, and their ramifications, the much larger grey area of international regulations will still need to be addressed. Given the way governments work, this may take a while.

This doesn’t mean that you should avoid hosted and cloud solutions completely: the advantages to the cloud may be great enough to be worth it. What you should do, however, is explore options, as much as possible, which are local, or ones which are situated within your nation’s borders and subject to the laws of your home country only. In cases where the best of breed solution is one which utilises a globally distributed infrastructure, you should perform both risk analysis and opportunity-cost analyses to determine whether there are enough mitigating factors, or if you can implement them, to make it a viable option.

Advertisements

Is Your Company Ready for the Cloud?

As an IT professional, I’ve been hearing and reading about the promise of The Cloud for about a decade now: how it’s the next evolution of IT, how it’s going to change the way in which we work, live, play, and essentially exist as a species.
As with all new technology, the hype frequently outstrips reality, and ignores some fundamental issues that need to be considered by any company considering a move to cloud computing and services.

Cloud photo courtesy of William Warby

Currently available cloud-based services and solutions are numerous, varied, and, from a technological perspective, fairly mature. It’s a constantly evolving field, with services which were once deemed in-house options now becoming widely available as hosted solutions. This, naturally, raises the cloud’s attractiveness to companies, large and small, who are looking for ways to reduce their IT budgets without reducing their capabilities.

 

Avoiding Major Cloud Migration Pitfalls

A move to the cloud isn’t risk-free, nor is it a one-size-fits-all type of thing. It’s something that has to be evaluated on a case-by-case basis: every company has its own idiosyncrasies, its own specific needs and requirements; its own personality, if you will.

That said, every company needs to follow a set of steps to determine the viability of cloud migration. The length and extent of these steps will depend, again, on the company’s personality, but they are crucial components nonetheless.

The greatest pitfalls with cloud implementation arise when a company has failed to do the following:

  • Perform an in-depth and thorough analysis of the current business practices and procedures.
  • Understand where your business is now, and where you want it to be in the future.
  • Look beyond sales pitches. Assess the usefulness of the cloud system, not only in terms of the effect on the bottom line, but in terms of productivity for specialized employees.
  • Consider the possibility of combining hosted and in-house services – not every company can migrate 100% to the cloud right away.
  • Allocate enough time and/or resources to the migration.
  • Develop processes to integrate the old technology with the new platform.
  • Prepare the company properly for the transition through testing, training, and supply of adequate documentation.

The results of failing to perform any of these steps can range from mild frustration to complete disaster. At worst, it can lead to having reverse portions (or the entirety) of migration to the cloud.

Look (At Yourself) Before You Leap

One of the first questions that I ask new and prospective clients is, “Where do you see your business in 5 years?” It was a rare occasion when I wasn’t met with blank stares.  Occasionally, a client would mutter, “Pretty much where we are now, I guess….”

However, when I ask clients about what advantages they are seeking in moving to the cloud, they can’t stop talking! Invariably, I receive voluble responses about how ‘great’ the cloud is, and how they can do ‘stuff’ from anywhere. It’s essentially a verbatim recitation of sales pitches they have been bombarded with from vendors at conferences and industry fairs. When I ask the follow-up questions, such as whether any of these services will integrate with their current practises, there is suddenly more silence.

I’ve been evaluating cloud and hosted service options for clients for several years now, and the first thing I learned was how to tell a client that they were not ready for such a move, yet. In almost every situation where a client was unprepared to move to a hosted solution, it was due to two basic reasons:

  • The client did not know enough about their own business processes.
  • The client had no clear long term view or strategy for either the company as a whole or its IT infrastructure.

Before even contemplating cloud solutions, a company has to evaluate its current processes and work flows and methodologies it uses on a daily basis to maintain productivity. It must look at how their employees perform their tasks, what tools and resources are being employed, and why they use the methods and processes they do. It’s crucial to perform a through analysis of your company’s IT budget, including its operating costs and how it impacts the company’s efficiency. Only once this data is compiled should an exploration of cloud solutions be initiated. After all, as in life in general, if you don’t know where you are, you’re not going to have much luck figuring out where you should go next.

Any honest IT consultant will tell you that if you don’t have realistic answers to questions about your own business practises, then you have a lot of investigation to do before you will be ready to start exploring something like hosted solutions. A company has to be sure that any migration from one platform to another is going to pay off with increased productivity and efficiency.

I’ve rarely found that a single template will meet the requirements for all companies.  New implementations of any kind will require modification and personalisation, and cloud implementations are no exception. Company executives looking to implement a hosted solution must learn to tune out the sales pitches, and focus on the needs of their business. IT professionals must ensure that the final architecture meets the needs of the company, and not the wishful pitches of the vendors. In other words – stay away from the Kool-Aid.

Research Your Hosted Options

Once a company has established their current position and goals for the future, it’s time to start exploring the numerous options available in terms of cloud solutions. Options may seem overwhelming at first; from SaaS ERPs, to hosted email services, hosted servers, comprehensive services like Google Apps and Microsoft BPOS, the levels of functionality are many.

Here’s where a second analysis needs to take place: you now need to isolate the services that are going to be useful and beneficial to your company, and perform a cost-benefit analysis on each of them. This is the point when it becomes clear if there is good reason for your company to shift to cloud services at all.

For some companies, there may not be any actual advantage to the move. This can be disappointing, but the cloud isn’t (currently) the solution for every business. For others, it may make sense to shift their whole IT infrastructure to the cloud.

Cloud-Traditional Combos Often Work Best

What usually happens is that companies discover that the highest savings and greatest efficiencies can be achieved through hybrid solutions: a mix of in-house and hosted services. The exact composition of that mixture will depend on the corporate and physical structure of the business.

For example, imagine a small company that has a significant portion of road-warriors among its employees, that utilizes several WAN-facing services hosted in-house. Such a firm will probably find that it can achieve substantial savings in bandwidth services, server and network infrastructure, while increasing reliability, accessibility, and performance efficiencies through moving those services to a hosted solution. Cloud services may also allow them to streamline their corporate network, and simplify both day-to-day IT support and management processes. This is especially true if their hosted services can be integrated with their corporate domain structure – i.e. Active Directory.

This type of setup allows a company’s IT staff to retain control over infrastructure, while offloading much of the mundane, daily maintenance tasks to the hosting service provider. There can be additional benefits to offloading duties: for example, the IT department could potentially start developing and offering new services to the company, or even to customers, that they had previously lacked the capacity to complete due to a saturated workload.

Conversely, a larger company that is primarily consolidated at a single location, or a few locations, with a largely stationary employee base, may garner little or no benefit from shifting from in-house to cloud-based services, because the long term subscription costs may end up being at par or greater than the cost of keeping everything in-house. Keep in mind, these are fairly simplified examples and should not be taken as general cases. The final determination must be arrived at on a case-by-case analysis performed by each company. (A critical component of this analysis concerns issues of data ownership, security, privacy laws, and related points. I’ll discuss these issues in a separate post.)

Allocate Adequate Time and Resources

Company execs must be ready and able to allocate the appropriate resources for this transition phase, otherwise the actual live shift could result in an extended period of uncertainty and troubleshooting as issues arise which have to be dealt with on an ad-hoc basis, with a resultant negative impact on productivity. Allocating the time and resources to deal with those things beforehand should be a priority, and if the company does not have the resources to do so immediately, then the project timeline should be extended until those resources can be made available. Taking the time to fully prepare for the final transition, and having a baked in, comprehensive implementation plan and strategy are necessary ingredients for a smooth transition.

This is not to say that there won’t be problems or issues that arise after the systems are live, but they will be easier to deal with because you will have already developed the processes and methodologies to do so.

Time is such a critical ingredient to integrating hosted cloud based services into your established business processes. For most SMBs, this evaluation process will take several months, depending on the complexity and extent of the project. Trust me – if you can’t find the time to plan for the transition, you won’t be able to spare the time to deal with the transition itself.

Test Before Implementing

Once comprehensive analyses are completed, and a suite of cloud based or hosted solutions has been identified, explored via consultations with the vendors, and decided upon, a company must start preparing for the shift in paradigm that is about to subject itself to. A key component of this preparation is going to be creating training regimes which can be deployed companywide prior to fully going live on the new environment.

The most efficient way to assess impact is through the creation of test labs, which mirror what the final live environment will look like, and designate several employees from all departments to work in the lab environment.

Test labs serve several functions. A well-prepared test lab will allow you to do the following:

  • Test the new services to locate any bugs or concerns.
  • Ensure that all the requisite functionality and productivity requirements are met.
  • Identify and deal with any integration issues that arise.
  • Aid in the creation of training manuals and regimes for the company.
  • Train-the-trainer: create a group of personnel who serve as trainers for their fellow employees. Inside trainers have the tribal knowledge to understand and address concerns and questions that their co-workers will present to them – as they will have already faced those same during the test phase.

Remember, massive server migrations take time. Even for a small company of less than 100 employees, you’re still looking at a minimum of a few months of planning and testing.

It’s an old and annoying adage that anything worth doing is worth doing well, which isn’t really true when it comes to, say, pizza or mixed drinks. But it is true of building and maintaining business infrastructure foundations like your network technology. Try to think of your network as as integral a part of your business as the people in it, and don’t let excitement over new hosted systems let you get ahead of yourself.

There will always be a cloud, and a chance to move to it. Take this one slowly.



Welcome to AKISIT

Welcome to my techblog! This is where I will spill my thoughts on everything IT related. Feel free to chime in with comments.