Cloud computing has the IT boffins excited, but is it secure enough for the business world to depend on?
Cloud computing has been heralded by suppliers as the latest big shift in technology.
In the 1980s, the shift was from centralised mainframe systems to a more distributed client-server infrastructure. Today, the internet is shifting data-hosting away from the established client-server architecture to having it located in “the cloud”.
What is cloud computing?
In essence, it is internet-based computing, where, subject to the type of cloud service procured, shared resources, software and information are provided to computers on demand.
The following attributes are key for a service to be regarded as a cloud service:
- Technical abstraction — users of cloud-based services have limited or no visibility of the technology used to provide the service.
- Pay per use — costs are incurred as revenue rather than capital expense, based on a utility “metering” model.
- Rapid elasticity — service volumes are elastic, readily scalable to meet the needs of changing business demand.
- Ever-present network access — IT services are made available over the network using standard mechanisms, which can support a wide range of client devices such as desktops, laptops and PDAs.
Who offers it and what is the uptake?
Globally, Amazon, Google, NetSuite and Salesforce.com are among the biggest names now offering cloud services.
Some local providers in Northern Ireland have started to offer cloud hosting, although the market at all levels is still to mature.
As organisations start to embrace the technology, the market offerings will undoubtedly develop.
In Ireland, the GAA recently made a significant move to Google Apps for email for its 6,000 officers and is planning to roll out Google sites to its member clubs.
In the UK, the government is investing in a private G-Cloud for the public sector, which is expected to be a key enabler of the £3.2bn savings per year outlined in the former government’s Operational Efficiency Programme.
What are the benefits?
For many organisations, cloud computing presents opportunities for cost improvement, because it lowers the capital investment they have in hardware, software and related property.
Instead of investing and managing these individually, organisations procure cloud services. This can lower the total technology cost of ownership, which may be a significant cost to an organisation.
The flexibility of the model allows for quick scalability, up and down, without the overhead of purchasing, implementing and maintaining an extensive IT infrastructure.
The model provides in-built resilience, allowing CIOs to focus more on ensuring their organisation has the network capacity to handle the volume of data being requested and that IT services are meeting business need.
Pricing on a utility computing basis is fine-grained, with usage-based options and fewer in-house IT skills required for implementation.
There are also potential environmental benefits, as it reduces an organisation’s requirement to manage its own data centres.
What are the risks?
Concerns on moving to a cloud infrastructure are based on risk:
- Politically — do you have the authority to put your customer data into a cloud infrastructure? This could take data out of your country of operation and into other countries. Does it present a security risk or governance issue if your or your customers’ data is hosted elsewhere?
- Economically — in a maturing market, what happens to your data if your provider goes out of business or you want to transfer to another provider? How do you get data back from a failed or obstructive cloud supplier? How does the data get wiped or sanitised? What is the cost of transfer/sanitisation? Who bears the cost, not just of transitioning to a new supplier, but also of dealing with any fallout from customers?
- Socially — how much control will the organisation have over its data and the IT service provider? What level of trust and control is being given to the provider? How are permissions controlled and managed? Cloud computing offers the ability to work from home, or potentially work from anywhere with an internet connection. Moving to this model can present opportunities and challenges to organisations whose staff may want to work from home. Is your organisation ready to provide this facility?
- Technologically — will your data be encrypted in the cloud? Does it need to be? Are back-ups encrypted? How secure is your access to your data? Are there risks in allowing access from different devices, browsers or platforms? Do your offices have enough bandwidth to handle an increase in data being transferred?
- Legally — cloud computing presents interesting questions from a legal perspective, not least in terms of identifying where data is hosted. How does the UK Data Protection Act 1998 apply if data isn’t hosted in the UK?
Overcoming the challenges
ICT suppliers want to sell cloud services as being compliant with agreed standards. The question is, what standards will be acceptable for cloud computing and who will set them?
In the UK, public sector IT assurance standards are set by the Cabinet Office and CESG, the National Technical Authority for Information Assurance.
Although there are, as yet, no clear standards for the UK public sector for this model, the UK government has been developing a private cloud infrastructure (G-Cloud).
CESG has been working with the Government in respect of delivering confidence in information assurance and risk mitigation for this.
This idea of a private or semi-private cloud is also seen as a potential option for large private organisations by providing the benefits of cloud computing while also controlling risk by maintaining a closed system.
Firms should still seek reassurance that the vendor is providing a secure solution and has independent third-party accreditation to back it up.
While it is important that the public sector gets this right to rebuild public confidence in information sharing and data protection, there may well be an impact across all sectors, as the legal framework for access, security and consent may need to be reviewed if this shift in technology is embraced as anticipated.