Welcome to part two of our report looking at the challenges CIOs must face when choosing a good cloud service. Read part one here.
data security and accountability
The above two questions should go some way toward whittling down a CIO's list of potential cloud service providers. You've found interoperable providers who satisfy your company's legal requirements. Now it's time to look at security.
The following snippets come verbatim from the Open Web Application Security Project:
- understand how the cloud provider secures the data and how the provider detects and reports a compromise
- know the situations in which a third party or a government can seize the data from the provider. The provider should provide advance notification of such an event
- ensure that the cloud provider appropriately protects data based on the data classification as specified by the consumer, and to address the concerns of privacy laws such as HIPAA
- the provider by default denies all access to the consumer's data. The consumer organization can explicitly grant access with specific privilege to desired parties
- the provider encrypts the data at rest, and the data in transit
- the provider logically isolates the data of multiple consumers in such a way as to prevent any unauthorized access, modification, or deletion of the data
- understand how the cloud provider manages encryption for multiple consumers. Instead of a single encryption key for all consumers, the provider should use (at least) one key per consumer
- verify that the provider destroys deleted data in such a way that it cannot be later recreated
- in case of a data breach, make the cloud provider pay a certain penalty
a plea for standards
The complexity of determining the best-fit cloud service provider for your enterprise will remain one of the biggest CIO challenges. The market is so volatile that new cloud service providers are jumping into the fray regularly. The problem is one of standardisation, or the lack of it.
The ITU is leading the work to develop standards for cloud computing, but there's no time scale for completion, meaning the CIO's task is likely to remain complex for the foreseeable future.
As noted here: "According to the International Telecommunication Union's (ITU) 2012 Cloud Computing Technical Report, telecom and IT firms have been too busy working separately to develop interoperability standards for cloud-resource management."
Returning to Steve Wozniak, he also sees a need for regulation to ensure cloud services deliver on their promises. Writing on Gizmodo, he said: "Regulation is the only way we'll own a bit of what we trust to the cloud. I believe that regulation applies to banks and that money lost due to no fault of your own is replaced, at least for large amounts. Why not for the cloud, as well? And it would be better for this regulation to begin now, not in 30 years, when it may be too late."
There's a little medium-term hope. Forrester Infrastructure & Operations Researcher, Lauren Nelson, believes standardization efforts will take until 2015. "Standards organizations are still exploring the market needs -- which means that by the time they identify where to focus and actually develop a proposed standard, it will be at least a year from now," Nelson explains.
Image courtesy of Jonathan Alcorn
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.