Cloud computing is a term even non-IT folks would have heard about at least once by now fueled by the concept of Software-as-a-Service (SaaS) and virtualization. The idea is that IT services and processing capabilities could be more efficiently housed in a data center and delivered over the Internet based on demand.
Dr. Dobb’s, editor-in-chief Andrew Binstock told FierceCIO that the primary advantage of relying on cloud providers is that their combined expertise on the security and reliability front is in all likelihood better than that of most SMBs and even some larger IT shops.
Bob Violino at Internet Evolution writes that cloud computing offers some clear benefits for organizations: lower costs, automated software updates, greater flexibility, and the ability for IT staff to focus on more strategic projects and not day-to-day maintenance tasks.
It’s easy to get caught up in the cloud excitement with major IT vendors such as Amazon (AMZN), Apple (AAPL), Dell (DELL), Google (GOOG), HP (HPQ), IBM (IBM), and Microsoft (MSFT) pushing the concept and rolling out cloud offerings. But organizations looking into cloud computing need to consider some key risks as well.
Larry Ellison, the chief executive of Oracle, told shareholders in 2008 that Cloud technology is a fad that lacks a clear business model. “I think it’s ludicrous that cloud computing is taking over the world,” Ellison said. “It’s the Webvan of computing.”
Richard Stallman, the founder of the Free Software Foundation, sees cloud computing as a trap that will result in people being forced to buy into locked and proprietary systems that will only cost more over time. He told The Guardian: “It’s stupidity. It’s worse than stupidity: it’s a marketing hype campaign.”
Some of the cloud risks are well documented, but as the push for cloud services continues, a few risk points are starting to come into focus:
Data Privacy. When it comes to the U.S., the Fourth Amendment states that people should “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” But web-hosted applications and cloud services are too new for the courts to have been able to offer far-reaching guidance on data privacy online. Data stored outside of the country makes data privacy issues even more complex.
Information security. A report from the World Privacy Forum discusses the issues related to cloud computing and the privacy and confidentiality of information. According to the report, “for some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared.”
Even when no laws prevent a user from disclosing information to a cloud provider, the report says, disclosure may still not be free of consequences. “Information stored by a business or an individual with a third-party may have fewer or weaker privacy or other protections than information in the possession of the creator of the information.” A cloud provider’s terms of service, privacy policy, and location may significantly affect a user’s privacy and confidentiality interests, the report states.
Data Security. There are many threats to data online. The application or service provider could go belly up, hackers could attack or just be locked out of your account. The good news is that data portability and security policies are being scrutinized closely by several organizations.
Mr. Binstock observed that no cloud storage provider will promise that they will not access your data under any circumstances. It is also common to find explicit clauses that allow law enforcement agencies access to your data.
Believing that this is acceptable because there is nothing incriminating in one’s data storage, is, in his words, “intensely naïve.” The obvious problem, notes Mr. Binstock, is that any government agency examining your data is under no contractual obligation to you to keep them safe, or even delete copies that were created.
Chenxi Wang at Forrester noted that an effective assessment strategy must cover data protection, compliance, privacy, identity management, and other related legal issues. “In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of the cloud services.”
Network. The idea of putting the network health in the hands of the ISPs is very troubling. Have you ever tried to work with an ISP to find out why your round-trip latency times are so high? can your organization confidently define: The bandwidth requirements of your apps? The end-to-end throughput needs? Where will your data really be? Will it take the same path today and tomorrow? Who will pick up the phone when you call to say “the cloud is slow?” Will you be able to understand them?
Complexity. As cloud computing evolves, “combinations of cloud services will be too complex and untrustworthy for end consumers to handle their integration,” according to a report from Gartner Inc.. Daryl Plummer, chief Gartner fellow notes:
Unfortunately, using [cloud] services created by others and ensuring that they’ll work — not only separately, but also together — are complicated tasks, rife with data integration issues, integrity problems and the need for relationship management
Finances. Cloud computing changes the way software is purchased. The model for purchasing software one time and then choose to opt to buy the newer version a few years later maybe on the way out. With cloud computing, the vendor can just raise the prices the following month. It requires a different mindset, of subscription fees as opposed to purchase. We will see how the public takes it.
These are some of the issues that must be addressed if companies are to decide that cloud computing offers benefits that exceed the ROI of providing similar services in-house without increasing risk.
rb-
Sure, “the cloud” will work for most people most of the time, but if there are a lot of users, there will be a lot of errors. With 100,000 users, 10% having problems over 10 years is 10,000 unhappy users.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
The Georgia Tech Emerging Cyber Threats Report for 2012 predicts that 2012 will feature new and increasingly sophisticated means to capture and exploit user data. “Our adversaries, whether motivated by monetary gain, political/social ideology or otherwise are becoming increasingly sophisticated and better funded,” said Bo Rotoloni, director of the Georgia Tech Research Institute‘s (GTRI) Cyber Technology and Information Security Laboratory (CTISL).
“We can no longer assume our data is safe sitting behind perimeter-protected networks. Attacks penetrate our systems through ubiquitous protocols, mobile devices, and social engineering, circumventing the network perimeter.”
Mobile Web-based Attacks – Expect increased attacks aimed specifically against mobile Web browsers as the tension between usability and security, along with device constraints (including small screen size), make it difficult to solve mobile Web browser security flaws.
“We continue to witness cyber attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises, and ordinary citizens,” said Mustaque Ahamad, director of Georgia Tech Information Security Center (GTISC).
R
