Mitigating the risks of cloud computing January 15, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, compliance, Information Security, Risk Management.

In an earlier post I talked about the risks of cloud computing, which would seem to reduce the cost and competitive benefits to be had from moving to this way of running your business. Let’s now look at how we can overcome some of these risks so we can safely reap the benefits of cloud computing services.

If you recall, the risks I covered were:

  1. Loss of control of your data
  2. Disruption of service
  3. Compliance and regulation
  4. Security

Most of these risks should be mitigated by your cloud computing services provider; after all, one of the benefits of using cloud computing services is that you will not have the cost of mitigating these risks yourself. So it is most important that, in your commercial and legal negotiations with your provider, you ensure that these protections are provided.

To ensure the safety of your business, your IT functions and your information, you need to have the ability to monitor and audit how the supplier meets their contractual obligations to handle the risks you face – i.e. to make sure they are doing what “they said on the tin”. It is no use to your business to know that you can get compensation for any failures, which will probably only be paid after lengthy and expensive legal action, if that failure has closed the business down.

So what do we need to consider in each of the risk areas and what questions do we need answered and guaranteed by the provider?

  • Loss of control of your data – Here you need to know what the supplier is going to do in respect of the risks to your data. How will it be protected from unauthorised access, disclosure, loss or alteration? How will the data be backed up – how quickly can it be restored? Will they be able to guarantee the data is really no longer accessible by anyone when it is deleted?
  • Disruption of service – some of this risk falls on you, the user, in that you will need to ensure your own communication links are robust, have sufficient capacity and are resilient so that you can be sure of always having a connection to the service. The service provider’s responsibility is to ensure that the service is always available, during contracted hours, and that your data is always accessible when you need it. To achieve this they need to have proper business continuity processes defined and operational. Perhaps they will offer backup data centres to which you can connect in the case of failure (you need the connection to be transparent to your users). You need to check and audit that their offering works for you and your users in all situations.
  • Compliance and regulation – whilst the provider will be implementing the controls on the services they provide for you, the responsibility for meeting the regulatory requirements for your business remains with you. You can look for certifications such as the ISO 27000 range from your provider to judge their own standard of security. However, you will need to understand your compliance needs for this service, and you may have to ask the provider to go beyond their own standards to meet specific controls that apply to you and this service. There is a plan to introduce a new certification specifically for cloud computing providers. The Cloud Security Alliance, whose mission statement is “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”, is working with others on this and we can expect to see something in the first half of 2010.
  • Security – here you will need to work with your cloud supplier. You should identify the risks to your business and information, and your cloud supplier needs to identify the risks that their service is facing, and together you will define and implement a set of controls that will mitigate the risks your business faces in the cloud environment. There is some help available here in the form of the report produced by the European Network and Information Security Agency (ENISA), which can be accessed here. This report describes the benefits and risks and provides recommendations for information security in the cloud. There is also a document available from the “Cloud Security Alliance” which gives guidance on the security measures needed in a cloud environment.

So there are things that can be done to make it safe for your business to use cloud computing services and reap the great benefits to be had.

One fairly simple precaution that you can take to protect your business is to test out your venture into cloud computing on a non-business-critical service. That way you can learn as you go without crippling the business. Don’t put the business’s “Crown Jewels” out to cloud computing until you are confident in your supplier and in your own expertise in managing cloud computing services.

Comments»

1. door bell - August 5, 2013

I always emailed this web site post page to all my associates, since if like to read it next my
contacts will too.
