The economics of cloud computing make its adoption inevitable, and it will no doubt have a huge impact on how we "do" IT.
The substantial economic benefits of working in the cloud change many long-established risk-reward relationships. You'll need to take a fresh look at your organization's business strategy and appetite for risk when assessing the return on investment (ROI) of any cloud computing security solutions you decide are necessary for a switch to cloud computing. You may want to take a look at the framework created by the Jericho Forum for helping companies evaluate the risks and opportunities associated with moving business processes into the cloud.
In addition, a recent report by the Information Security Forum suggested that many of the current cloud service offerings are immature. Even the large platform-as-a-service (PaaS) vendors like Google and Microsoft have short track records with cloud-based services.
While cloud computing is often presented as a bulletproof option, surveys show that around one-third of respondents experienced an outage in their service, so you need to plan for service disruptions. Multiple service providers will give you better network diversity and business continuity. Rather than relying on one T1 line, smaller businesses may well find that a cable modem and DSL combination could be cheaper and faster, but this redundancy does mean supporting multiple carriers and losing bundled-service discounts.
WAN optimization helps users abide by security policy rules
It's no good just concentrating on connectivity to ensure availability. Network-centric tools like VoIP, centralized data stores and Web-based apps are extremely latency-sensitive. Many cease to function when a saturated WAN link is their only route to the larger network. This causes employee frustration and creates a security risk. For example, slow file transfers can lead employees to find alternative methods to transfer files, which may well break security policy rules.
WAN optimization is a relatively small investment compared with investing in mobile software solutions or adding another data center closer to mobile employees. WAN optimization solutions like the Citrix NetScaler combine traffic management through Layer 4-7 load balancing with a Web application firewall, which is an ideal combination.
Taking responsibility for cloud computing security
Although you share responsibility for the security of your data with your cloud provider, ultimately you are responsible, and that's a role you can't outsource. Therefore, it's essential to conduct a thorough review of your provider's security to ensure good governance, preferably against a proven standard such as ISO 27001. Providers should be able to share the results of independent audits and penetration tests with you if you can't conduct your own.
Certainly, by the time you're ready to move data or applications to the cloud, your IT team will have gone through a steep learning curve to adapt to the new ways of working. I'd make sure that some of the money saved is used to provide adequate training for them. In the meantime, I would recommend reading the Cloud Security Alliance's guide, which will help you understand the main areas of concern for organizations adopting cloud computing.
About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.