Cloud Computing – Managing the Risks

March 5, 2011

While cloud computing has many advantages, being a smart user is important:
The advantages of cloud computing include scalability, technical expertise and pay as you go, among others.
However, cloud computing can have its disadvantages, as the recent incident at Gmail brought to light for the 130,000+ users who lost their email. According to one report, “Google has acknowledged a problem with its popular Gmail email service after users reported missing emails, labels and contacts”. Thankfully for my friend, who put all his files in addition to his emails in his Gmail account, this loss was temporary and later rectified. But what if it wasn’t? It gives us good reason to look at cloud computing and how to manage the risks, both as an individual and for your business.
Let’s start first with how to avoid the “loss” experienced by Google Gmail users. 
Provider Failure: In case of provider failure, there are back-up systems for files, emails, etc. that can and should be used. One such firm is Carbonite, which for a fee ($60 per year) provides online back-up of your files. Competitors of Carbonite include Mozy, Omnidrive, Xdrive and ADrive, among others.

Now let’s look at a few of the other risks and how to control them.

Availability: There are many causes of interruptions in service (from bandwidth constraints to distributed denial-of-service attacks) that create issues for businesses. You have no control over what else is running on the cloud that could degrade performance. Check your vendor’s bandwidth, and put service level agreements in your vendor contract.

Data Integration: Integration of data that is in cloud silos (perhaps due to multiple platforms, formats, etc.) can be difficult. To be prepared, businesses should organize their data sets for use across multiple platforms. Also, firms should get into the habit of encrypting data, tagging fixed data and consolidating storage repositories in order to prevent a huge integration effort down the line. Further, firms should try to limit the number of cloud platforms that have to be supported. Finally, use ETL (extract, transform, and load) tools to simplify the conversion of data from one format to another. The goal is to convert information into one common format, such as the Extensible Markup Language (XML), to make it more portable and searchable.

Shared Resources: The very nature of cloud computing is sharing resources. The dependency of multiple tenants sharing a single cloud creates a potential for catastrophic risk. Check to see how your cloud computing vendor is mitigating risk. Is it through insurance, contracts with other providers, or merely hoping that nothing will happen to them?

Security on the Network: Security includes data protection and privacy, physical security, and application security.
Among IT executives, security is the number 1 concern. Check out the provider: ask questions about their security policies, and visit the data center to ensure physical security. To protect your data, consider encrypting your confidential outgoing data. Set controls, implement them correctly, and monitor them.

Record Retention Compliance: New regulations for the financial services, health care, insurance and other industries place restrictions on where data can physically reside and how long it should be kept. The onus is on cloud customers to make sure that cloud providers are compliant with the regulations affecting their company’s data. Check with the provider upfront on where the data resides, and insert terms in your contract for retention and for what happens at the end of that time.

Identity Management: Passwords are problematic, especially because malefactors now have the computing capacity, ironically available on public clouds, to break them. The federal government, through a newly formed National Program Office within the Department of Commerce, is taking a leadership role in the development of a federated ID ecosystem that would protect against cyber fraud. Passwords should be changed regularly and should contain at least 6, preferably 8 or more, characters that are a combination of letters, symbols and numbers.

Vendor Viability: Cloud computing already has 10,000 providers. There will be fall-out/failure and consolidation of vendors. Choosing the right provider is one of the critical decisions business owners and IT executives will make. Sometimes when providers go out of business, the data is just gone. To minimize your risk, carefully check the viability of the vendor and what happens if the vendor goes out of business or gets taken over. Be clear on your rights and protections, and the vendor’s responsibilities.

Vendor Lock-in: If you want to move to another vendor, this becomes more difficult if the vendors are not interoperable. Check for interoperability of your vendor. Examples: Inc.’s once proprietary development platform supports Java application development; and Microsoft’s Azure platform, which is tied directly to .NET, now has an open source software development toolkit for developers working with the PHP scripting language.

Manageability and Visibility: On the cloud, you no longer own the infrastructure to maintain performance. You have no control over what else is running on the cloud that could degrade performance. Seek out vendors who provide an end-to-end view of on-premises and cloud applications. There are vendors, such as Quest Software, LogMeIn, Veeam Software, Compuware, Precise Software Solutions, as well as Microsoft, that have announced monitoring tools and plans for providing end-to-end visibility from the enterprise to the cloud.

Legal Ambiguity: Cloud computing is still relatively new, so there is a lack of precedent from public cases.
Cloud liability is a work in progress. If a connection goes down, your providers may waive hosting fees, but there’s no remuneration for lost business. To protect your business, write into your contract that the cloud computing vendor must comprehend regulatory issues and share the liability.

Finally, it is extremely difficult to go back; some believe there is No Going Back.

This is reality, more than a risk. When you go to cloud computing, you give up your in-house knowledge base. Sure, you might keep an IT expert to act as an interface with the vendor(s), but the work and knowledge are outside. It is very expensive and time consuming to bring it in-house.

So think long and carefully before going outside and act smartly to lower and manage your risks.