For Logiq³ Inc., the decision to go with a cloud-based provider of IT infrastructure as a service (IaaS) was a matter of cost and flexibility.
A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³'s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs in the cloud.
BlueLock's virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says.
There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock's cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books. Although Logiq³ isn't regulated by the U.S. government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security.
Logiq³ is far from alone. While security and compliance issues crop up in any Web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It's a comparatively new service area where risks are unknown -- "which in itself is a risk," says Jay Heiser, an analyst at Gartner Inc. "If I can't figure out how risky something is, I have to assume it isn't secure."
The extent to which hackers can take advantage of unique cloud vulnerabilities is being hotly debated at Web sites like Linkedin.com's Cloud Computing Alliance. So far, there have been few instances of a successful, large-scale data breach on a public cloud. Just recently, however, someone managed to set up the Zeus password-stealing botnet inside Amazon.com Inc.'s EC2 cloud computing infrastructure by first hacking into a Web site that was hosted on Amazon servers.
It is, in other words, early days yet in the cloud computing industry. Cloud vendors are, in some instances, playing catch-up on the security front, and IT managers are trying to figure out just exactly what the risks are and how to counter them.
Divvy up responsibility
A crucial first step is for cloud-based service providers and their potential clients to sit down and determine who has responsibility for securing and protecting what components of the IT infrastructure, which often spans both companies' systems. Sometimes, particularly with an IaaS provider, the division of labor is negotiable. For example, at Logiq³, Westgate decided to let BlueLock handle patching and configuration management because he was familiar with the software BlueLock was using, a tool from Shavlik Technologies LLC.