OpEd Passing Shot: Overcoming cloud fears
Written by Justin Pirie, director of communities and content, Mimecast
For years, IT departments have had full control over their own infrastructure (for better and worse) and are naturally uncomfortable with anything that prevents them from being in sole control. This is likely to change with the rise of cloud computing, argues Justin Pirie, director of communities and content at Mimecast, but it isn't something to fear.
Many technology professionals, including chief information security officers (CISOs) and chief technology officers (CTOs) especially, can be wary of the hype surrounding cloud computing and have nagging fears about the loss of infrastructure control, loss of data ownership, and about vendor lock-in and data security. But they are still considering introducing Software-as-a-Service (SaaS) and other aspects of cloud computing because of the potential savings and flexibility on offer.
In my opinion the key to easing these fears is to thoroughly evaluate your SaaS partner. Like any other industry that achieved popularity quickly, there are many companies that are slapping 'cloud computing' stickers on their products and positioning them as brand new. Financial institutions need to delve into the details of their partners' operations, software and license agreements to ensure they are aligning themselves with a company taking advantage of modern technology and protocols so none of their fears come to pass. Many organisations, such as the Cloud Security Alliance, are now producing guidelines to help you too.
I intend to look at the four big fears we commonly come across when delivering SaaS offerings in this article and try to provide some further reassurance.
Fear 1 - Loss of infrastructure control: This is a problem perpetuated by outsourcers during the 1990s when businesses would move from on-premise solutions to outsourced services. Back then, some outsourcers could not provide an environment in which they could deliver timely or reactive support or functionality, thus frustrating the end users. The sophistication of technology today has allowed the industry to move away from this unwanted scenario and offer the best of both worlds: the administrator retains the granularity and control that is provided by an on-premise solution while still getting timely support.
With that being said, however, not all cloud vendors are equal. Financial institutions should fully understand the architecture of a vendor's SaaS-based solution and ensure there are no single points of failure that could allow data to leak out or uptime to falter. For instance, is the vendor using a horizontally scalable, multi-tenant architecture? This is a proven method of achieving 99.999 per cent reliability because these networks are able to shift data burdens to alternate locations or across multiple shared locations should an outage or corruption occur.
Fear 2 - Loss of data ownership: Financial institutions need to ensure that data ownership is addressed in detail in the cloud licensing agreement or terms and conditions. Reputable SaaS vendors will ensure that companies always own their data, and it is not provided to anyone else or used for the benefit of the service provider. An ability to quickly return data upon demand should also be a prerequisite.
A robust administration console should allow you to set all data policies, review access information, control data users and freely interact with data. If a SaaS company cannot guarantee these types of capabilities, enterprises should be wary of partnering with them. References and past histories should also be checked, alongside any proposed partner's adherence to all necessary regulations, such as the Data Protection Act or any FSA-stipulated reporting mechanisms.
Fear 3 - Vendor lock-in: SaaS solutions can lock customers into products by using proprietary formats for encryption and data storage that make future migration difficult. This is no different, though, to what all software vendors have been doing since time immemorial. The reality is that good cloud vendors make access to data easier and allow customers to export data as and when required because the technology is simply more flexible.
Fear 4 - Data security: Data security is an excuse often cited by cloud skeptics. The potential for multi-tenant systems to cross-contaminate data and allow a breach is often discussed but I don't believe these worries have any grounds in reality. Remember, a cloud vendor is also a security provider, one that builds protective measures and resilience into its solutions from the ground up. Often SaaS vendors can deliver massively more security and resilience to their customers, especially smaller tier two or three banks and other institutions, than would ever be possible with an on-premise solution.
Encryption and data loss prevention capabilities are a given for SaaS vendors, but you should also look at the physical security practices a possible partner employs for its servers and the processes by which data is shared with separate clients (to learn more about cross-contamination possibilities). Policies for data in the ether, at rest and in use should also be investigated.
Methodical evaluations of SaaS vendors can go a long way towards alleviating fears and ensuring that cloud computing projects, which are increasingly being piloted by financial institutions, are wholly successful. I advise you to follow the rules I've outlined above and use your common sense and record-checking procedures, the same as you would for any other partner.
Then you can gain the benefit of transforming the IT department from a help desk into a competitive differentiator. Funds and man hours can be devoted to innovative projects that deliver profits, while operations, low level upgrades and maintenance can be left in the cloud.