Why would you move to the cloud?

For small to mid-size business owners, migrating some or all of their systems to a cloud environment presents the usual IT issues. Because data is stored and managed remotely, by external organizations and often in multiple locations, these issues carry special considerations for privacy, interoperability, data and application portability, data integrity, business continuity, and security. There are key issues that a business owner should be aware of and factor into the decision-making process when considering a move to a public cloud environment.
System Complexity: A public cloud computing environment is extremely complex compared with that of a traditional data center, and public cloud service providers typically share components and resources with other consumers that are unknown to the business owners ‘renting’ the service.
Internet-facing Services: Public cloud services are delivered over the Internet, which exposes the administrative interfaces used to manage and service the accounts and software.
Loss of Control:  While security and privacy concerns in cloud computing services are similar to those of traditional non-cloud services, they are amplified by external control over organizational assets and the potential for mismanagement of those assets.
Governance:  With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn’t alleviate the need for governance; instead, it has the opposite effect, amplifying that need.
Compliance:  Achieving industry-specific security compliance becomes more complex due to the different paradigm the “Cloud” brings.
Data Location: When information crosses geographic borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns.
Risk of Unintended Data Disclosure:  A fundamental underlying vulnerability is the difficulty of collecting meaningful consent for the processing of data available on the cloud.
There are, however, benefits to a cloud-based environment from a security perspective. Some of these benefits include:
In general, security measures are cheaper when implemented on a larger scale.  The cloud provider or third parties can generally offer managed security services which may be cheaper than maintaining an in-house security staff full time.
Standardized interfaces for managed security devices create a more open and readily available market for security services.
Rapid and smart scaling of resources lets the cloud provider dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defensive measures (e.g., against DDoS attacks), which has obvious advantages for resilience.
So what can you do as a small business owner (Subscriber) to accurately assess your need to move to a cloud environment and execute the move, if required?  Here is a list of some of the best practices a business owner should use when looking at a move to the cloud.
Plan: Carefully plan the security and privacy aspects of cloud computing solutions before engaging them (e.g., SLA negotiations).
Ascertain:  Understand the cloud computing environment offered by the cloud provider.
Policy: Ensure that both the client-side and provider-side parts of a cloud computing solution satisfy organizational security and privacy requirements.
Continuity of Operations:   If the cost of losing access to an application is severe, it is recommended that subscribers perform the work locally unless a provider is willing to agree to pay for pre-defined damages for specific types of service interruptions.
Compliance: A subscriber should determine (1) whether the capabilities for defining the necessary controls exist within a particular provider, (2) whether those controls are being implemented properly, and (3) whether the controls are documented.
Administrator Staff:  Subscribers should make sure that processes are in place to compartmentalize the job responsibilities of the provider’s administrators from the responsibilities of the subscriber’s administrators. (Who is responsible for what – and these roles MUST be pre-determined).
Legal:  Subscribers should investigate whether a provider can support ad hoc legal requests for (1) e-Discovery, such as litigation freezes, and (2) preservation of data and meta-data.
Operating Policies: Subscribers should ascertain the operating policies of providers for their (1) willingness to be subjected to external audits and security certifications, (2) incident response and recovery procedures/practices, (3) internal investigation processes with respect to illegal or inappropriate usage of IT resources, and (4) policies for vetting of privileged users such as the provider’s system and network administrators.
There are plenty of other things to consider, such as:
Acceptable Use Policies, Licensing, Patch Management, Subscriber-Side Vulnerabilities, Data-at-Rest and Data-in-Transit Encryption, Physical, Authentication, Performance Requirements, and Visibility
Although this list of best practices may seem daunting, the more of them the business owner can use, the less risky and more secure their eventual cloud implementation may be. Let Grand Rapids Source help guide you through the maze and help you to run your business more effectively and successfully than ever before. After all, IT is not a liability, it is an ASSET! And http://www.grtechsource.com can help you build your company’s IT Assets.
