The cloud is a natural extension of virtualization: Abstracted services freely float within a private cloud infrastructure, a public cloud infrastructure, or even a hybrid private and public infrastructure model.
However, almost every IT vendor seems to have some cloud-focused solution to offer, with cloud-washed marketing to make it sound indispensable. Hosted email is no longer email, but email in the cloud. To back up your files, throw them in the cloud.
IT professionals have to get down to brass tacks and think about what the cloud really is. An IaaS cloud is nothing more than a multitenant compute environment with infrastructure resources shared dynamically across multiple workloads. A SaaS cloud is a multitenant application environment where a single application platform serves multiple customers. But both exist in a datacenter somewhere. These solutions may provide some level of replication and redundancy that, like the cloud, appears to be everywhere you need it to be.
As we walk down the cloud path looking for cloud solutions, one component is too often neglected — the security of the cloud provider environment. This shouldn’t be an overly paranoid discussion; however, it should create some fodder for conversations while making the jump.
Security discussions need to consider not just hackers breaking into your systems, but also access, availability, stability, and a host of other components, such as:
- Data ownership: This can seem like a funny concern. You would think you own your data. But, in reality, once it leaves your control, it is hard to ensure that you retain control of it. Your data may be mined, VMDKs copied, and unencrypted network connections sniffed.
- Geographic location: The location of your data is critical to ensuring it is secure. Depending on your business model, having the data close to your users is important. Take email, for example: If you select a cloud provider with a presence in the U.S. only, performance may suffer for users in Europe, Asia, South America, Africa, and anywhere in between. No one wants that. So an offering with a global reach is more appropriate.
In addition, the locations in which cloud providers place their services and your data can have an impact on its direct security. Other countries have regulations and policies regarding access to data. By placing your data with a cloud provider, you may inadvertently make your data subject to the regulations of various countries and entities inside the country.
Take the U.S., for example. The Patriot Act enables law enforcement to perform searches of your cloud-based data without your knowledge (check out info on FISA Orders and National Security Letters). Obviously, you would need to make your users aware of this. European-based cloud service providers are using this as marketing ammunition to drive service away from U.S.-based providers (such as Office 365, Salesforce.com, and Amazon) and to their own services.
China’s situation is interesting as well. The well-known Great Firewall of China blocks and filters traffic to ensure the interests of China are protected. As cloud solutions develop, China is requiring non-Chinese cloud providers to team with China-based cloud providers. Ultimately, this does not bode well for cloud providers or the users.
- Accessibility: Your data is your business. To function, you need to access your data. The cloud service provider ends up being responsible for ensuring your business is up and running by providing the data and connectivity to the data.
In April 2011, Amazon cloud services suffered a 12-hour outage. The outage was caused by a network misconfiguration in one of the U.S. sites. Countless sites and services were unavailable. Think about the impact of not being able to conduct business for 12 hours. What would the impact be to your environment?
The ownership, location, and accessibility of your data are critical to ensuring your environments are secure. But they aren’t the only concerns. Tune in for a second post about other issues to consider.