Cloud Continuity and Security: Certification race

1 May 2013

With cloud-based services, storage and infrastructure becoming steadily cheaper and easier to access, the arguments for embracing the cloud are strong and getting stronger.

But historically, the cloud has suffered from a perception that, when it came to security and continuity, it was simply not robust enough for enterprise-class companies to do anything more than experiment with it. However, the recent run of companies awarded ISO 27001 certification suggests that, as a serious proposition for big companies, the cloud may be coming of age.

On the cusp
"Cloud and shared model cloud computing is really on the cusp of widespread adoption," said Stephen Moffatt, cloud computing leader with IBM Ireland.

"For large enterprise level companies, even six months ago it was still a question of ‘is cloud computing right for us?’ Now, it’s no longer a question of if but when and what are we going to do with it? SMEs leapt on the cloud three or four years ago because it was cheaper and freed up their money. It addresses some of their major concerns, freeing up cash for things like payroll and working capital. Large enterprises are different, they’re more conservative."

Two things that have given these larger enterprises more confidence, in Moffatt’s opinion, are increasing levels of standardisation between cloud providers, and third-party security and continuity accreditations.

"Things like ISO 27001 are crucial to this growing acceptance, and it’s only quite recently that the cloud industry got that level of accreditation. We secured ours in the middle of last year and we were one of the first. It takes a huge investment in keeping your compliances and standards up to date, but that’s something that enterprise class customers are increasingly looking for," said Moffatt.

Driving the growth in demand for this type of accreditation is the need for cloud providers to differentiate themselves in the market.

Trust issues
"What it comes down to is trust: how much can you trust the people you’re depending on? This is fast becoming how you can tell who’s offering the better value service," said John Shorten, technical director for Telecity Group Ireland.

Shorten says that standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and the ISO27001 information security management standard are fast becoming key commercial selling points in a competitive industry.

"ISO27001 shows that you have a security structure built on a ‘plan-do-check-act’ continuous improvement methodology, whereas something like PCI DSS means you have your finger on individual checklists and that you’re totally in control of all phases of what happens to your data," he said. "If I was in the market, that’s what I would be looking for in my cloud service providers."

Anyone considering hosting in the cloud should have a list of questions for the hosting provider to make sure the due diligence has been done and their data will be secure.

Secure hosting
"This is at the forefront of what customers are looking for," said Shorten. "There are so many different cloud service providers offering similar-sounding services, but the truth is that the workings behind the scenes can be really different. The processes, procedures and security mechanisms can vary wildly."

Shorten’s point is that just because two providers are offering something that sounds identical does not mean you will get the same level of service. This is a common observation among certified and accredited cloud service providers: cheaper does not necessarily mean better value; it often just means cheaper.

Service and cost
"There are companies starting up that are two guys working out of home with a couple of servers that they bought to make a really low quality data centre, and you have to be able to make the distinction if you’re competing for enterprise level business," said Joe Brady, chief technical officer for Digital Planet, a subsidiary of Hibernia Evros. "They can make themselves look good, but they’ll usually be competing on price and there’s a reason for that lower price."

Set against this background, it is not hard to see why companies that have secured ISO27001 and similar security standards are keen to use them to differentiate themselves.

"We’ve had customers who made it clear that if we had certain accreditations, then they’d be willing to host more of their environments with us. So there is real awareness out there of the importance of this," said Brady.

"We invested quite a bit to get ourselves ISO27001 certified and that’s not a process you undergo for the fun of it. It’s hard work, even though we already had a lot of the controls in place. Formalising those controls was very important, and our customers know what it means. We’re seeing more and more of them moving not just their storage but their production workloads to the cloud, and to make a good case for that we have to be able to demonstrate that they’re not making a bad decision."

Shorten of Telecity Group Ireland agrees. "We’ve gone through various certification processes over the last few years like ISO 27001, and while they’re not a silver bullet that answers all security concerns, they do show that as a company the way you approach security has the right fundamentals behind it," he said.

"It shows you’re documenting all your processes, analysing them, identifying and addressing gaps and then going back to the start and doing it again. It’s a continuous process: you’ll never have a totally secure system from day one, but if the fundamentals and culture of your organisation are good, then that’s a good start."

According to Gareth Price, senior security consultant with BT Ireland, the chief concern of enterprise-class companies when it comes to moving their day-to-day workload into a cloud-driven environment is not so much continuity as security and compliance. Certification can help reassure nervous customers that they can rely on the services they are being sold.

Continuity needs
"Cloud providers all offer service level agreements, but given that outages have happened you still need to plan for business continuity. Can you accept the outage or use a manual workaround? I am not aware of any offering certifications like BS25999 or ISO22301 but their contracts may contain something broadly equivalent," he said.

"In general though, how can you resist the advantages of the cloud when it offers the ability to buy and configure server capacity in a web portal, 40% total cost of ownership savings and large capital expenditure reductions? The answer is you can’t."

This is something that Peter Hendrick, technical director of AirSpeed Telecom, agrees with. "The cost of storage is so low and the cost of cloud services is so competitive that you’d have to ask the question why would you buy a server yourself? Why would you spend money on your own network? It doesn’t make a lot of sense," he said.

"Meanwhile, a lot of data centres are becoming approved by specific industries, like the pharmaceutical or medical industry, and if you work in those industries, then you can use services hosted in an approved data centre once it has FDA approval and so on. That’s a kind of standard being set for a whole industry."

"More and more of that kind of thing is happening. In general we’re finding that larger enterprises are typically still doing a lot of things in-house and if they’re using a cloud server, then it’s typically a private service with a private network connecting to it. But more and more we’re seeing services that are accessed through the public network."

One further sign that we are seeing the ‘mainstreaming’ of the cloud is the calibre of the enterprise-class companies making the leap, according to Joe Baguley, chief technologist EMEA, VMware.

Perceived and actual risks
"There’s no doubt that confidence is growing in the technology as time passes and people become used to working with it. Some of the initial scares around security in the early days were to be understood and to be expected. I think over time, people will come to understand that the cloud can often be more secure than on site infrastructure," he said.

Baguley suggests that one reason for the discrepancy that exists between the perceived and actual risks of depending on the cloud for vital services is that there is a confluence of the professional and the personal when it comes to remotely delivered services.

"You get someone talking about how they’re going to site and build the infrastructure for their business and they base some of their prejudices on their personal experiences using personal cloud services. These are deemed to be similar because they’re delivered on the Internet, but actually they’re totally different," he said. "For a start they’re probably free and because of that, they have minimal or no service level agreements and no claims around security."

As evidence for the way in which cloud providers are seeking to differentiate themselves based on the level of service they can provide, Baguley points to VMware’s own VCloud initiative, which has over 220 providers in 26 different countries.

"Initially you might wonder why would 220 companies all want to stand up to the same standard; surely there will be a race to whoever can provide the cheapest service. But differentiation has appeared in this market based on a number of different factors like security," he said.

"Maybe a provider can give you a service level agreement governing up-time and data recovery, but in going the extra mile they might also provide a dedicated secure link to that part of the Internet, or cloud, that you’ve bought."

Data location
A further aspect of the maturation of the cloud among enterprise customers which Baguley finds interesting is that data location is no longer perceived to be as important as it once was.

"Initially people were concerned about where their data is, what country it was hosted in and so on. But we’re moving beyond that to being more concerned with who has access to that data. I don’t really care where my bank keeps my money as long as it’s safe and the only person who has access to it is me," he said. "People using cloud services are starting to take the same approach. That’s where the ISO security standards are stepping up and giving people some reassurance."

Baguley only sees a future where such standards become more and not less important. "I think it’s likely that we’ll see more and more large organisations set up these standards as minimum requirements for doing business with them. You won’t get to play at some of the tables unless you meet that requirement," he said.

The consequences for the industry of not pursuing a standards-based regime might not be pretty, he suggests.

Consequences
"One concern is trying to stop something happening in the data world that might be analogous to what happened with the sub prime mortgage situation. If I’m a provider of cloud services and I sell cloud services to a customer, who then goes and buys cloud services from two other providers and puts them together to make one big cloud service that he then sells on, where is the chain of liability if a problem arises somewhere down the line?"

"Naturally, customers of such a service will want to know if everyone in that chain has reached a level of certification that meets a certain standard."
