Computerworld - I've had my head in the clouds ever since I attended a meeting last week. The IT department is interested in exploring cloud computing, so I've been busy trying to identify any security risks inherent in this emerging technology.
I've done some basic reading on cloud computing, and to be honest, I've had a hard time understanding exactly what vendors are selling. Before I delved deeper, it was hard to tell the difference between cloud computing and earlier business models, some of which I have personal experience with.
Back in 2000, I worked for a start-up that hosted other companies' servers. This was a managed service provider. After it was acquired, I worked for a company that hosted a time card application. It called itself an application service provider. So, peering into this nebulous entity called cloud computing, I saw some obvious similarities with the MSP and ASP models. A closer look brought out the differences -- some of them obvious security concerns.
Issue: IT wants to explore cloud computing.
Action plan: Identify all the security risks, and be prepared to address them contractually.
The major differentiators are the location of data and the technology used. In the MSP/ASP models, we always knew where a customer's data resided: in one of a handful of data centers. We even let customers choose which regional data center their data would be served from. In the MSP model, individual servers were provisioned in a data center, with minimal interaction from the vendor. We simply hosted the physical server infrastructure, providing power, networking and rack space. With cloud computing, vendors have several data centers and use virtualization to provision servers.
There are more security concerns with this model than I can cover in this space. You'll have to conduct your own research to come up with a comprehensive list. But here are my main concerns.
First, my company has to comply with a lot of regulations. By hosting our applications ourselves, we can clearly define our control objectives and maintain the integrity of our financial data as required by law. If we were to put our financial applications into the cloud, we would certainly have to re-evaluate our control objectives to ensure that compliance wouldn't be compromised.
The second concern is the commingling of data. Cloud vendors typically store data from multiple customers on the same hardware. We need our data to be properly segmented from that of our competitors. And when the vendors back up data, do they commingle data on shared media? If we terminated our contract, would they pull only our data from the tapes? Might some of our data end up in the hands of a competitor that way?
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
