Everywhere you turn people are talking about the cloud. I recently returned from an advisory board meeting and one of the key topics was the public cloud. Points of discussion included a variety of technologies and whether there was truly a market for many offerings currently on the drawing board. Others expressed nervousness over security and SLAs.
I firmly believe in the cost and flexibility advantages of the cloud model, especially when serving the needs of the SMB. But whether you believe the cloud hype is just the coming of ASP 2.0 or you are actually entertaining moving processes to a cloud provider, there are more than a few things to consider. Before continuing, let me state that our organization currently utilizes public and private cloud services, offers them to clients, has participated in the development of SaaS products, and has assisted in the implementation of these offerings.
While the ASP model never quite had the success Gartner predicted, it did lay the foundation for many SaaS (“software as a service”) providers. Many of these early adopters had good success, specifically in the CRM market, where several companies have done rather well. That said, many providers (including some that have been around for a while) still seem to have some major issues to overcome. While recently interviewing and vetting a couple of potential vendors with interesting solutions, we became alarmed at their lack of a detailed security posture. One did some application testing with an open source tool but then tried to interpret the results without outside assistance. Another claimed they had never found any issues. Yet another had a rather small staff with limited training in security. Also of concern was the fact that they relied on a third party to host their application. When one of the underlying hosting vendors was contacted, they would not share how they patched their servers, whether they did penetration testing, how often this testing was being done (if it was being done at all), how the system was backed up, what would happen in the event of a breach, etc. When we discussed this with the cloud provider, they were surprised at our concern and said that no other customers had brought this up yet. We loved the software and even offered some guidance on how they could correct the issues. So far both parties have been quiet.
What to Ask Cloud Providers
Based on these experiences and others, here is a quick checklist of things I think every cloud provider should be asked. Based on their responses you can make a decision with your eyes wide open.
1) Check to find out if they regularly test their applications and environments (including servers, OS, routers, firewalls, etc.).
2) Check to see if they use an outside vendor to help them analyze and audit these results.
3) Find out how and when they implement fixes when a problem is found. If they say they haven’t found any problems, this is a major warning sign that they are not doing enough.
4) Check to make sure all sensitive data is encrypted.
5) Find out if the vendor is seeking or has obtained any type of accredited audit or certification, such as SAS 70 or ISO 27001.
6) Is the company financially stable? In this economy, it is better not to take chances with a company that might be forced to cut corners.
7) Understand the SLAs and what they really mean to your business.
8) Check to see if any of their customers using the service are subject to strict compliance requirements such as HIPAA or PCI, and find out whether the provider has actually satisfied those requirements.
As a final note, understand that one of the biggest potential “gotchas” of the public cloud is the unknown. Since public cloud technology is relatively new, this in itself is a risk. Many publicly debate how well a public infrastructure can actually be secured and still serve the needs of the many at an affordable price point. At this point there really aren’t any industry-wide data handling and security standards for cloud providers. There are legal issues that haven’t even had precedent set yet. Many compliance measures such as HIPAA and Sarbanes-Oxley were not written to address public cloud architecture, which makes it difficult to enforce them in these solutions. Until these issues are addressed, the public cloud computing movement will not be able to reach its full potential.