Cloud computing offers a lot of promise for business to not only save money on IT spending, but also to rapidly scale up for important Internet advertising campaigns and the like. But a recent survey also shows there remains a lot of confusion among business executives on what cloud computing brings to the table.
The survey, The Future of Cloud Computing, showed only 40 percent of respondents are experimenting with cloud computing today, while another 26 percent said they are waiting for the market to mature before taking the plunge.
Many internal IT organizations also view cloud computing as an effective means to keep up with application backlogs and business demands. But the folks who write the checks and make the decisions — CEOs and CFOs — remain wary about security as well as compliance with federal regulations, such as the Health Insurance Portability and Accountability Act of 1996. The survey shows 31 percent of participants cite both as key obstacles to adoption.
“Cloud computing is a multibillion-dollar industry today, but many companies are still unclear on which technologies they need, how they work together, who the main vendors are and how to implement cloud technologies effectively,” says Derrick Harris, senior analyst at GigaOM Pro, which helped conduct the survey among 413 industry experts, users and vendors of cloud software, support and services.
Contracting with a cloud provider
Certainly, security in the cloud is a serious consideration, says Eric Eder, founder and president of Royal Oak, MI-based Sequris Group, an IT security specialist.
“Hackers are salivating when they look at the cloud,” Eder says. “They think, ‘If I can get to 500 companies for the same effort as attacking one, that’s great.’ We’re recommending that clients take the information security ramifications very seriously when they think about moving their data to the cloud. They also need to understand the law.”
Technology law expert Claudia Rast, a Butzel Long shareholder based at the company’s Ann Arbor, MI, office, says the business contract with the cloud provider needs to be studied carefully. She says the contract needs to ensure that the cloud vendor will provide confirmation of error-free backup. It also must spell out reliability of “uptime.” The current target standard for cloud customers is 99.999 percent. That’s 5.26 minutes of downtime per year.
Rast says the contract also must spell out how you get your information back, and how quickly. Plus if the company gets involved in any kind of litigation, claim or government inquiry where your data gets subpoenaed by a private party or the government, you want to make sure the cloud provider doesn’t deliver that information without alerting you, when possible.
Then there are the litigation hold provisions. Examples include terminating an employee who then threatens to sue. Or a vendor telling you they’re not going to pay that invoice. Or when you think you may have acted negligently. Or when you receive a legal complaint.
“In these circumstances, you are required to preserve potentially relevant information because you have knowledge of a potential claim or action against your company,” Rast says. Cloud providers may have different document retention periods or may be acting on the company’s own document retention periods. “If you don’t inform the cloud provider of a requirement to preserve certain data that may be subject to a litigation hold and the cloud provider deletes that potentially relevant information, the cloud customer could be subject to spoliation sanctions under federal or state civil procedure rules. The contract must stipulate that the cloud provider has a duty to preserve those documents until notified otherwise.”
Choosing the right type of cloud
One of the challenges Sequris finds when working with clients is the selection of the type of cloud — public, private or hybrid — as well as the cloud vendor is increasingly taking place outside of the corporate IT department. The CEO or CFO simply views it as another business procurement decision.
“It turns out security often is not considered,” Eder says. “So, from a broader sense, we recommend that system type and application type be coherent and consistent with corporate information security policy and make that the requirement for cloud computing selection.”
Security risks vary with the type of cloud environment used and with the vendor, says Mark Stanislav, a senior security consultant for Networks Group in Ann Arbor. He warns that before a company moves its data to the cloud, management must perform due diligence.
“Go with trusted companies, especially in the cloud-computing space,” says Stanislav, who spends his days performing penetration testing on websites to see if they are secure. “There are a lot of fly-by-night companies. In the public cloud, go with Amazon, Microsoft and Terremark; they are hiring the best security talent out there and have had a long-standing focus on computer security. They know how to do it.”
He says Amazon is great when eCommerce is involved. But Verizon’s Terremark is more focused on business customers. Internet search giant Google also offers safe and secure public cloud storage.
Many corporations prefer to use a private cloud, whether managed internally or by a third party and hosted internally or externally. The downside is a private cloud requires the company to spend a lot of IT management resources. What’s more, every step in the project raises security issues that must be addressed in order to avoid serious vulnerabilities.
Between the public and private cloud is the hybrid cloud. Hybrid clouds lack security and certainty of in-house applications, but provide the flexibility of in-house applications with the fault tolerance and scalability of public cloud-based services.
Arkansas-based telecommunications provider Windstream Corp., which in December 2011 acquired Paetac Holding — which previously had acquired McLeodUSA, both very big telecommunications players in Michigan — now provides cloud computing in the state. Windstream employs 40 people at its Michigan headquarters in Bingham Farms, and about 100 across Michigan.
”Hybrid cloud is the best of both worlds,” says Duane Barnes, Windstream manager of data center solutions. “It offers the advantage of the public cloud, but doesn’t need to be as secure.”
Barnes says hybrid clients make up more than half of Windstream’s cloud business. Hybrid cloud is particularly popular with providers of health care, eCommerce and retailers. Typically these clients use the public cloud for back-office applications, and connect both through a secure Ethernet connection. This allows them to use other Windstream resources such as networks, firewalls, load balancing and web servers.