A post on CIO Update discusses some questions and issues around using cloud services for businesses. Unfortunately, the article overlooks two very important areas that a business needs to consider when looking at cloud services: security and availability. This seems to be becoming a theme with these so-called ‘analysis’ pieces looking at cloud services, where they tend to focus on cost-benefit questions, the impact on training and scalability, and the shorter timeline often involved in deployment.
There is no question that cloud-based services have allowed many smaller businesses and startups to ramp up services quickly and cost-effectively. They allow SMBs and startups to have “big company” infrastructure without having to invest in servers, space, racks, cooling, power, people and training. They give companies the ability to quickly add enterprise-ready infrastructure and grow it as they need to. I have used, and continue to use, cloud-based services for these exact reasons. But I suspect that a lot of companies are charging headlong into the use of cloud-based services without considering the implications for their company from a security point of view, and without understanding what it means to depend on someone else for availability.
When I talk about “security”, I really mean a few things as they relate to a company’s data: the integrity of the data, controlling access to the data, and being able to access the data in a secure and timely fashion. As soon as your data is on a server that you don’t own and that you don’t control, you have given up some control over the data itself. You open it up to attack and access by people without you ever knowing about it (and possibly having no way to know about it). You may make it easier for outside parties to access the data through search warrants and court orders without you having a chance to challenge and contest them. As a result, your business depends on your provider to supply some of this control, and if you read the agreements carefully, you are likely to find that they will simply turn over data based on a court order or warrant and only have to notify you after the fact.
Beyond these are requirements for privacy, because the level of protection you have to provide may be higher than the standard set by your provider. Depending on where you operate, and the nature of the data you hold, you may have to comply with a myriad of local, state and federal laws regarding the keeping of personal data, how that data is accessed, and what people can change regarding their personal data. That’s all on your company, not on your hosting provider. You don’t get absolved of any issues if your provider doesn’t actually provide what you need, or if they make a mistake.
You also need to review what the vendor is responsible for in terms of backups and archival, because what they provide may not be sufficient for your business. As an example, if you operate a broker-dealer and are based in New York, then you will have to archive between 7 and 8 years’ worth of data, and do so in a way that complies with SEC regulations, New York state law and federal electronic data preservation laws. Your vendor may not provide any of that, or what they provide may come close on some parts of the law but not others.
In addition to security, you have to ask questions about availability guarantees, and the compensation you can expect when (not if) the cloud service is down and it harms your business. It’s one thing to be able to scale up your services to your customers. It’s another for that service to be down for hours, days or weeks at a time while you can’t do anything to hasten recovery or mitigate the damage. Again, the service is outside of your control, and you are effectively powerless to help fix the problem. And I say “when” because even five-nines availability still means some amount of downtime is possible.
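To put the “five-nines still means downtime” point in concrete terms, here is an added example (mine, not code from the post) that turns an availability figure into a downtime budget and checks a constructed outage log against it; the “nines” convention (3 nines = 99.9%) and the sample outages are assumptions for illustration.

```python
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60    # 525,600
MINUTES_PER_MONTH = 30 * 24 * 60    # 43,200 (assumed 30-day month)


def downtime_budget_minutes(nines, period_minutes=MINUTES_PER_YEAR):
    """Allowed downtime in a period for an availability of 'nines' nines.

    3 nines = 99.9% -> 0.1% of the period may be down; 5 nines -> 0.001%.
    """
    return period_minutes * 10 ** (-nines)


def downtime_budget_table(max_nines=5):
    """Per-year and per-month downtime budgets for 2..max_nines nines."""
    return {
        n: {
            "per_year_min": downtime_budget_minutes(n, MINUTES_PER_YEAR),
            "per_month_min": downtime_budget_minutes(n, MINUTES_PER_MONTH),
        }
        for n in range(2, max_nines + 1)
    }


# Constructed sample outage log (start, end) for one year: 7.5 h + 30 min.
OUTAGES = [
    (datetime(2011, 3, 14, 2, 0), datetime(2011, 3, 14, 9, 30)),
    (datetime(2011, 8, 2, 13, 15), datetime(2011, 8, 2, 13, 45)),
]


def total_downtime_minutes(outages):
    """Sum the duration of each (start, end) outage in minutes."""
    return sum((end - start).total_seconds() / 60 for start, end in outages)


def achieved_availability(outages, period_minutes=MINUTES_PER_YEAR):
    """Fraction of the period the service was actually up."""
    return 1 - total_downtime_minutes(outages) / period_minutes


def sla_breached(outages, nines, period_minutes=MINUTES_PER_YEAR):
    """True when measured downtime exceeds the budget the SLA promises."""
    return total_downtime_minutes(outages) > downtime_budget_minutes(nines, period_minutes)


if __name__ == "__main__":
    for n, budget in downtime_budget_table().items():
        print(f"{n} nines: {budget['per_year_min']:.2f} min/year, "
              f"{budget['per_month_min']:.3f} min/month")
    print("8 h of outages breaches a 5-nines SLA:", sla_breached(OUTAGES, 5))
```

Eight hours of outages in a year is well within a 99.9% promise but blows through a 99.999% one roughly ninety times over, which is why the compensation clause matters as much as the headline number.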
What I am not advocating is avoiding cloud-based services at all costs. Like any technology or service, they have their place, and they can be a way for a company to rapidly add services, for either internal purposes or customer-facing offerings, that work both technically and economically. What I am saying is that any time you decide to look at some kind of cloud-based service, you need to look beyond the costs and benefits and review what you expect to use the cloud-based service for. The more important something is to your business, the harder you need to think about the suitability of giving up control to an outsider. Alternatively, you may decide to start with the service out in the cloud, but have a plan for bringing it into your own datacenter over time. For some non-critical functions, using a cloud-based service is an easy decision. However, when looking at data that is critical to the business, and may involve regulatory or legal issues, you have to see whether a cloud-based service actually offers what you require, and whether the risks are worth the reward.