For Logiq3 Inc., the decision to go with a cloud-based provider of infrastructure as a service (IaaS) was a matter of cost and flexibility.
A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq3's vice president of technology. So the company instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs.
BlueLock's virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says.
There were, however, security concerns to be addressed before Logiq3 would entrust its critical systems to BlueLock's cloud. The company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books.
Although Logiq3 isn't regulated by the U.S. government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq3 needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security.
Logiq3 is far from alone. While security and compliance issues crop up in any Web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It's a comparatively new service area where risks are unknown -- "which in itself is a risk," says Jay Heiser, an analyst at Gartner Inc. "If I can't figure out how risky something is, I have to assume it isn't secure."
The extent to which hackers can take advantage of unique cloud vulnerabilities is being hotly debated among IT professionals like those in the Cloud Security Alliance's LinkedIn group. So far, there have been few instances of successful, large-scale data breaches on public clouds. Last winter, however, someone managed to set up the Zeus password-stealing botnet inside Amazon.com Inc.'s EC2 cloud computing infrastructure by first hacking into a Web site that was hosted on Amazon servers.
In other words, it's early days yet in the cloud computing industry. Cloud vendors are, in some instances, playing catch-up on the security front, and IT managers are trying to figure out exactly what the risks are and how to counter them.
A crucial first step is for cloud-based service providers and their potential clients to sit down and determine who will have responsibility for securing and protecting specific components of the IT infrastructure, which often spans both companies' systems.
Sometimes, particularly with an IaaS provider, the division of labor is negotiable. For example, Westgate decided to let BlueLock handle Logiq3's patching and configuration management because he was familiar with the software BlueLock was using, a tool from Shavlik Technologies LLC.