Recently I have been talking to a number of people about Cloud Computing. Everybody is talking about the Cloud: the companies that started the computer age over 50 years ago like IBM and Unisys, the middle-aged companies that started the personal computer era like Microsoft and Oracle, teenagers (or close to it) like Amazon and Google, and the hundreds of youngsters who are trying to make the Cloud work by providing consulting, services, and hosting.
If you ask more than one person what the Cloud is, you will get more than one answer. You should expect that. Cloud Computing is a concept that allows you to move or extend some portion of your information technology into the Internet. What makes sense in your situation will likely be different from others.
I’ve been paranoid about protecting data for decades, so I will always ask questions about how you intend to handle your data in the Cloud. I usually either get a detailed description, or a blank stare. I have been told by some that since they aren’t storing their data in the Cloud, they don’t have a problem. While almost always the vast majority of their data is still in their control, whatever services they are accessing over the Internet are using some of their data and returning new data that needs to be integrated into their environment. That data in motion also needs to be controlled.
Senior information technology managers are always concerned about the confidentiality, integrity and availability of their data.
- Confidentiality means that only those people who are supposed to see their data can see it. In the military environment, that has two attributes: right to know and need to know, and you need both to be allowed to see data. Because I’m in marketing I have the right to see things like product plans, but because I’m not working on Project Alpha I do not have the need to see Project Alpha’s product plans. Depending on the importance and sensitivity of Project Alpha, you might want to make sure I can’t see its data.
- Integrity means that only authorized processes are allowed to modify data and only in very specific ways. For example, it means that the transaction I send to the Cloud arrives unchanged at the service provider, and the response comes back to me unmodified. It means data stored in my archive hasn’t been changed while it is just sitting there for years.
- Availability means that the data is accessible when needed. If in order to satisfy my customers I need to respond to them in less than a second, I need to make sure I can always get any required response from the Cloud in time to meet that need. Ignoring any Internet related delays, it takes over an eighth of a second to get an answer from the other side of the Earth.
Compliance is usually defined in terms of these three attributes. Staying compliant is certainly necessary, but as a number of companies have demonstrated you can be compliant and still have problems with confidentiality.
All data is not created equal, and the requirements for confidentiality, integrity, and availability may vary substantially across different classes of your data. The only way to have a single solution is to treat all data as if it has very restricted access, very high integrity, and always-on availability requirements. This can get very expensive.
If you are contemplating Cloud Computing, in the middle of an implementation, or comfortably using the Cloud, here are some questions to consider. Hopefully you already have answers for these at least in your pre-Cloud environment.
Ten Questions About Your Data in the Cloud:
- Where is your data?
This is probably the most fundamental question because it impacts many of the remaining questions.
- Who has access to your data?
This includes the administrators, help-desk personnel, support and repair personnel, even the janitors. How much of this functionality has your Cloud supplier outsourced, and therefore opened up channels into their environment and your data? Who has access to the data as it travels within your partners’ facilities?
- How is the data secured?
Of course you are using encryption. Is it appropriately strong for each class of data? Who controls the keys? Who has access to the keys? How often are the keys changed? How are the keys protected from loss? Is the data ever decrypted in the Cloud? Where, how, and who has the ability to do that?
- How are the applications secured?
Are they your applications or provided by a partner? Who controls updates? Who has access to the applications?
- Can you meet your response time goals?
You probably have service level agreements (SLAs) with you customers, whether they are internal or external to your organization. These SLAs probably vary with different applications. Does your Cloud implementation allow you to meet these SLAs? What is the cost of missing an SLA? What do you do if you start consistently missing an SLA?
- How does the Cloud impact your data life cycle management?
Does your pre-Cloud life cycle management system integrate your data in the Cloud? How does the Cloud impact your archive and audit functionality?
- How does the Cloud impact discovery orders?
If a court orders discovery of data around specific topics, can you provide it quickly, inexpensively, and completely whether the data is in the Cloud or not?
- How do you get your data into the Cloud at the beginning?
One of the trickiest challenges with migrating to the Cloud is the transition. For any data you plan to store in the Cloud, you have to somehow move it to Cloud without shutting your business down. There are, of course, tools to help. But be careful that the use of those tools doesn’t compromise the confidentiality, integrity and availability of the data. These ten questions should be answered specifically about the transition period.
- How do you get it all back when you leave the Cloud?
At some point you will change something, a universal truism. One of your Cloud suppliers will go out of business, merge with one of your competitors, or otherwise become unacceptable. Some new technology or company will offer a better alternative, or your own business goals will require significant changes. Unlike moving into the Cloud, you may have a short time window and everybody may not be in the same cooperative mood they were when you transitioned in. Make sure you have an exit strategy, and make sure that exit strategy allows you to be sure that your data is no longer accessible through any prior partner.
- How does the Cloud impact your backup strategy?
Can you answer questions one through nine about your backup data?
The last word:
Now that you have answers to these questions, do you have the information and certifications you need to convince someone else that you do? There are lots of people who may want assurance: your auditors, chief security officer, chief compliance officer, chief financial officer, compliance organizations, your customers, your suppliers, your stockholders and potentially the courts.
Keep your sense of humor.