Ask an IT manager whether he's worried about the security of his Cloud computing provider, and you'll probably get an answer that sounds a lot like the one Karen Holt gives.
As head of information services at the Australian National Maritime Museum, Holt was recently charged with modernising a creaking IT infrastructure to support around 137 staff and 800 volunteers. Faced with tight constraints on IT capabilities, her solution included "a little degustation of public Cloud services." That is, shifting messaging, VoIP, backup and other functions into the Cloud.
"We judged that the security of the vendor was probably far greater than the security we could ever have managed ourselves onsite," she says of the risk assessment made during the systems modernisation.
Cloud computing also solved issues such as the five-day-a-week IT team's inability to provide seven-day support for systems required for seven-day business activities, such as venue management for the many functions held at the museum over the weekend.
"A large, global vendor was happy to take that off-premise into their data centres and give us 7-day-a-week support, upgrades, and development," Holt recalls, "and it turned out to be slightly less expensive than it was having five-day support on premise."
If Holt's latter comment testifies to the convenience of Cloud computing, the former confirms the attitude of many organisations now taking the jump. Cloud vendors' businesses, after all, depend on their continuous availability — and many businesses correctly point out that those providers have invested more to stay online than the average business could ever hope to do.
Hope, meet reality
This sort of quiet confidence — fuelled by IT managers' seeming happiness that, at last, they have someone else to blame if the lights go out — has helped secure many customers' trust in emerging Cloud providers.
"People seem to compare the security of Google versus perfection, rather than comparing the security of Google versus what we actually have today," says Ben White, CIO of real estate chain Ray White, which recently abandoned internal systems to move hundreds of employees to Google Apps productivity tools. "But the security we have in legacy systems is not at all appropriate — and this move has been all upside."
Yet recent history has shown that even this model isn't infallible: consider the hacking and destruction of 4800 customer websites at now-defunct hosting provider Distribute.IT, the compromising of Sony's millions-strong PlayStation Network, the occasional catastrophic Google Gmail outage, and numerous other examples of well-intentioned Cloud providers falling victim to malicious happenstance.
These and other attacks proved that not even the big guns are completely safe from security breaches and unintended outages. No matter what provider they choose, IT staff need to make sure they're satisfied with the level of day-to-day security procedure being conducted.
"Whilst a lot of infrastructure compute and storage services are readily available for you to use and reuse, there are interesting questions in the Cloud for enterprise organisations to think about," says Dr Anna Liu, a UNSW professor and research leader with NICTA specialising in performance engineering techniques as they apply to Cloud-computing strategies.
How, for example, do you know who's patching the servers and who's backing up your data? Can you be sure there are people doing application-level monitoring to spot performance issues, and that any security issues are quickly identified and remedied? These tasks are all part of the IT manager's normal prudential obligations, and simply shifting them to a Cloud provider won't be an adequate excuse if something goes horribly wrong.
Even if the Cloud provider invites penalties by violating a written SLA, there's still the little matter of actually getting the business back up and running. This is hard enough on an internal network — but when there are outsourced services to consider as well, IT managers need to be sure they can extend their management and remediation efforts across both internal and external systems with equal rigour.
It will become increasingly important for IT managers' security strategies to straddle the organisational perimeter, says Liu, because hybrid public-private Cloud models are likely to persist no matter how enthusiastic any particular company is about the possibilities of Cloud computing. For this reason, Cloud providers must be treated as partners — with all the attendant risk management that entails — rather than simply replacements for a company's own IT.
"Enterprise organisations are going to have to deal with hybrid Cloud environments," Liu explains, "because the traditional environments — local servers, and environments with private, sensitive data — will not go away. They will not be moved to the public Cloud service scenario, and you'll just have to keep the lights on and keep working on them to get as much out of them as possible."