The Black Book of Identity Access Mgmt


Thursday, Jan 28 2010

The Cloud's a scary place to hang out

I keep seeing articles on cloud computing, and some of them give me a chuckle. It's like a cool new toy, only it's got very sharp edges. You want to play with it, but you also want to keep all your fingers. And in a time when hacks and thefts and privacy issues are all over the news, with HIPAA and SOX and PCI standing over us with big sticks, we want to be told that it's okay to bounce back and forth between apps we host and apps that are hosted FOR us.

Cloud computing is one of those things like the web itself, where, at the outset, everybody's admiring the water but relatively few people are diving in. I remember sitting on a rental car bus in Detroit in the late nineties with an executive from a computer manufacturer, listening to him tell me that web sites were "cute" but that nobody took them seriously, and you certainly wouldn't do business on one of them. Right now, the Cloud has the same allure, and creates the same kinds of ambiguity. You want to take advantage of software as a service, with somebody else doing all the chores. Instead of sweating all the nasty details of how things work, you instead interact with a transactional framework, a service. You give me data, I store it. You give me more data, I process it and provide the results. And don't forget about the usual stuff you would sweat if you were hosting it yourself: on-boarding, off-boarding, and access control. Are those available as services as well? If not, can you manage identity and access remotely?

You pay for your use (out of operating expenses, because you have no capital expense), and if the cloud vendor has a hardware or software issue, it's on them, and you don't care, as long as they guarantee uptime and security.

But there's the scary part, right? Data, transactions, names, account numbers, intellectual property, they're moving in and out of your security perimeter (assuming your compliance auditors allow you to store certain kinds of data outside your own firewall). If your cloud vendor fouls up (as happened with Google Docs and others) and lets your most sensitive stuff leak out, it's their boo-boo, but your liability. This means that the same kind of security audit you might perform on your own infrastructure is something you need to have on paper with your vendor.

Some parties, like certain EU countries, have policies on where your data may reside, and/or who may have "ownership" of it. This means that for some of your data, you aren't allowed to let it outside your perimeter. Remember that perimeter you should envision when performing a security audit? The one all your most precious assets need to stay behind?

When you head into the cloud, you don't just hand over control. You need a policy on cloud security, with data security, privacy, and access control provisions, just as if you were doing it yourself.

When it comes to a cloud host, you don't just want that guarantee of uptime. You need a guarantee of safety and compliance, as well as interoperability (SSO/federation, data transfers) with your internal apps. If you can get all that, and you can if you look hard and ask all the right questions, then everything's dandy. If not, then keep shopping, or start pricing servers.