“The Cloud” is an all-encompassing term for a virtualized information technology (IT) computing environment in which individuals and businesses work with applications and data stored and maintained on shared machines in a web-based environment, rather than physically located in a user’s location. Google’s popular email system, Gmail, is an example of the cloud, but this is just one model.
Cloud computing is here and virtually every organization is using it in some way, shape, or form. Educating yourself and your people on the opportunities and risks associated with this technology is of the utmost importance. Let’s look at the opportunities presented by cloud computing, managing the risks associated with housing your sensitive data offsite, using virtual computing environments, and vendor management considerations as you explore your cloud options.
There are actually three cloud service models — infrastructure as a service, platform as a service, and software as a service — deployed in four types of settings — private, community, public, and hybrid clouds.
Infrastructure as a service (IaaS) provides access to server hardware, storage, network capacity, and other fundamental computing resources.
Platform as a service (PaaS) provides access to basic operating software and services to develop and use customer-created software applications.
Software as a service (SaaS) provides integrated access to a provider’s software applications.
Private cloud is accessible from an intranet, internally hosted, and used by a single organization.
Community cloud has infrastructure accessible to a specific community.
Public cloud is accessible from the internet, externally hosted, and used by the general public.
Hybrid cloud is a combination of two or more clouds.
Cloud computing provides a scalable online environment that makes it possible to handle an increased volume of work without impacting system performance. Cloud computing also offers significant computing capability and economy of scale that might not otherwise be affordable, particularly for small and medium-sized organizations, without the IT infrastructure investment. Cloud computing advantages include:
Lower capital costs — Organizations can provide unique services using large-scale computing resources from cloud service providers, and then nimbly add or remove IT capacity to meet peak and fluctuating service demands while only paying for actual capacity used.
Lower IT operating costs — Organizations can rent added server space for a few hours at a time rather than maintain proprietary servers without worrying about upgrading their resources whenever a new application version is available. They also have the flexibility to host their virtual IT infrastructure in locations offering the lowest cost.
No hardware or software installation or maintenance
Optimized IT infrastructure provides quick access to needed computing services
Environmental security — The concentration of computing resources and users in a cloud computing environment also represents a concentration of security threats. Because of their size and significance, cloud environments are often targeted by virtual machines and bot malware, brute force attacks, and other attacks.
Ask your cloud provider about access controls, vulnerability assessment practices, and patch and configuration management controls to see that they are adequately protecting your data.
Data privacy and security — Hosting confidential data with cloud service providers involves the transfer of a considerable amount of an organization’s control over data security to the provider. Make sure your vendor understands your organization’s data privacy and security needs.
Also, make sure your cloud provider is aware of particular data security and privacy rules and regulations that apply to your entity, such as HIPAA, the Payment Card Industry Data Security Standard (DCI DSS), the Federal Information Security Management Act of 2002 (FISMA), or the privacy considerations of Gramm-Leach-Bliley Act.
Data availability and business continuity — A major risk to business continuity in the cloud computing environment is loss of internet connectivity. Ask your cloud provider what controls are in place to ensure internet connectivity.
If a vulnerability is identified, you may have to terminate all access to the cloud provider until the vulnerability is rectified. Finally, the seizure of a data-hosting server by law enforcement agencies may result in the interruption of unrelated services stored on the same machine.
Record retention requirements — If your business is subject to record retention requirements, make sure your cloud provider understands what they are and so they can meet them.
Disaster recovery — Hosting your computing resources and data at a cloud provider makes the cloud provider’s disaster recovery capabilities vitally important to your company’s disaster recovery plans. Know your cloud provider’s disaster recovery capabilities and ask your provider if they been tested.