One approach to deciding on the benefits and risks in using cloud computing
How can a business decide on using the cloud or not?
Cloud computing services are increasingly being used worldwide. However, there are still businesses, of all sizes, looking at cloud computing and wondering if it is appropriate for them and what benefits and costs it will involve. In fact, they are wondering how real the cloud is for them. Looking at the variety of comment on the use of cloud-based services, you can see the common questions or concerns:
- How secure is my business data?
- What level of service will my business receive?
- Are there any hidden costs?
- How easily can I scale my computing needs to support my business?
- Am I liable to break any regulations such as data protection?

As the concept and range of services being provided via the Cloud is still evolving, this wariness is understandable, but help is at hand.
The Cloud Security Alliance is a non-profit organisation that was formed to “promote the use of best practices for providing security assurance within Cloud Computing”. The Alliance has produced a guide which I believe will be useful for businesses looking to assess the impact of cloud computing and avail of any opportunities.
I would like to summarise some of the key steps and recommendations that are in the document in relation to the typical concerns, and the full report is available here. Before going into some of the details, I would say that two of the strengths of the CSA guide are the level of detail provided on cloud computing and the grouping of recommendations to deal with each of the typical concerns. Their recommendations can be used as a process to help businesses manage the risks and reap the benefits.
How is the cloud delivered for me?
For a business that has been used to having computing resources on-site, one of the initial questions would be on the level of service that would be provided by the cloud service provider. The first step towards clarifying service delivery capability is to ask the provider how they have implemented the key characteristics of cloud computing:
- The use of virtualisation to ensure that the necessary computing, network and storage resources are available for the application or service to be delivered as required by the supplier’s customer
- The operation of a utility ‘pay as you go’ model for the customer as they are using computing resources
- The ease of access to the required application or service as authorised by the customer without having to focus on the management of the computing infrastructure
- The capability to scale up or down to a customer’s computing needs so that any change in requirements can be met on-demand by the supplier
The supplier also needs to clarify how many of the cloud delivery models they provide:
- Infrastructure as a service (IaaS) – where the supplier will provide the necessary servers, network and storage capability for a customer to use for data storage or running applications, without the need to focus on managing the infrastructure
- Platform as a service (PaaS) – where the supplier will provide not only the infrastructure, but also an application(s) development environment which the customer can use to develop and run various applications
- Software as a service (SaaS) – where the supplier provides the full infrastructure and application requirements, leaving the customer to focus on how the applications are configured to run for their business
Can the cloud’s performance be monitored?
With an understanding of how the cloud principles are delivered and what delivery models are available, a business is in a better position to understand the potential benefits and risks. To then get further details on the supplier’s capabilities:
- Discuss how the supplier monitors their performance and what KPIs they use to monitor how their services are being delivered
- Clarify your business’s service level requirements and how your business would like to see them delivered with a service level agreement
- Request access to any independent risk assessments that the provider has had and discuss with the provider what lessons were learned from the risk assessment(s)
- Depending on the delivery model, get a clear picture of the potential cost savings that may be gained from a move to cloud-based services. This is important in terms of how the savings can be used, as we will discuss later.
How well maintained is the cloud?
There are risks involved with any change in how a business’s IT requirements are delivered, so it is important that an appropriate risk management process is used while assessing and progressing any cloud-based initiatives. With that in mind, it is important that some of the cost savings from a move into the cloud are ‘re-invested’ in monitoring and reviewing the cloud provider’s:
- Infrastructure security capabilities, policies and procedures
- Patching policies, procedures and schedules
- Internal security capabilities and policies to protect against internal hacking of data
But what about data protection regulations?
In addition, irrespective of the data retrieval and backup provisions that are included in any SLA, a business should back up its own data on a regular basis and restore it to ensure that the data is recoverable. In relation to data, one other concern can be any potential risk of infringing data protection regulations.
As part of a risk management approach, the best way to allay any concerns would be to:
- Review and categorise your own data according to the data protection regulations. Not all of your data may be impacted by these regulations
- Review with the cloud supplier, the potential worldwide locations where the data could be stored. If necessary, preferred geographical locations can be specified as part of any agreement and enforced using storage provisioning technology
- Review all policies and procedures related to data retention and archiving
- Review all policies and procedures for both the cloud provider and the business if a business is requested to provide data under a legal request
Step by step & build the cloud
Finally, if a business does agree to use cloud-based computing services after summing up the various benefits, costs, risks and opportunities, an appropriate transition plan should be agreed, starting with a proof of concept and a pilot involving a non-critical area of business. Progress from that pilot according to agreed milestones and the achievement of interim benefits as planned.
So, if you are undecided about how to use the cloud and think that, while there may be some benefits, you also want to ensure that you’re covering all the potential risks, I hope this post and the CSA document will be of benefit.

