Avoiding the costs of on-premise infrastructure can make good business sense. But it is only worth saving on costs if you avoid the downside risks. Peter Galdies, director, DQM Group, offers some advice on how to choose the right solution and service provider.
The rise of cloud-based services for business has been meteoric. It’s possible today to use third-party cloud based infrastructures to provide all manner of business functions, from financials through sales, marketing and operational delivery. Many of these functions handle, gather, hold and produce data - much of it relating to customer details and other personal information.The many benefits are now well understood. They include reduced entry costs with no expensive software purchases, reduced IT overhead and reduced staffing. Cloud-based services can offer great scalability without having to upgrade to expensive programs or hardware. Often such services include automatic updates - this reduces the need to seek additional budget and saves IT support time.
Location independence is another benefit with employees, partners and clients being able to access and update information wherever they are, rather than having to be in the office.
Business continuity is often improved (particularly for SMEs). In the event of a disaster, such as fire or flood, individuals are able to access third-party cloud-based functions from anywhere on any machine with an internet connection. Using a spread of cloud service providers can help this further.
While the benefits are clear, the issues and concerns that all wise businesses should consider with every cloud application adoption are perhaps less so. These centre around:
So let us look further at the risks, legislation and what you can do mitigate potential problems prior to cloud adoption.
Early in 2011, the US-based online email marketing company Epsilon suffered an attack where personal information was compromised, including names, email addresses and preferences belonging to at least 2 per cent of its clients. This may not sound like much, but with a client base of 2,500 global brands, including Best Buy, CapitalOne, Chase, Citigroup, Disney Destinations, JPMorgan Chase, Marks and Spencer, and Marriott, among others, that could mean 50 household names were affected. The exact quantity of stolen records was never revealed, but considering Epsilon sends out approximately 40 billion emails per year, the number of affected records was probably very high.
The consequences for Epsilon were big, with one source, Cyberfactors, estimating $225 million in stock devaluation and consequential costs. What is even more disturbing is the estimated consequential costs to Epsilons clients with Cyberfactors calculating a total damage of $412 million - some observers have even estimated that the real costs may be in the billions.
This is an extreme example of the security risks of using a third-party shared service model, but it serves to demonstrate a key point – if large organisations with well-developed security infrastructures can be exposed to this sort of risk, then what of smaller organisations both using and providing such services?
Prospective purchasers should be aware of their responsibilities under the law. The Data Protection Act says: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” The responsibility for the security of personal data always rests with the data owner and not the cloud service provider.
So how can prospective service users ensure compliance? Firstly, does the service provider have appropriate security certifications? ISO 27001 or DMA DataSeal are good, but there are others. And don’t take their word for it – ask to see the certification. Ask about security - have they been penetration tested? What is their testing regime? If they are unwilling to discuss or give hesitant or vague answers, you should be concerned.
Check user stories on the internet for bad news, but always treat these sources with some scepticism – look for a body of evidence. Protect yourself by keeping data on the service to a minimum – It won’t reduce the risk, but it will reduce the scale of any damage. Consider the location of the servers – are they in a professionally-run, large infrastructure environment (although these are not immune to attack)? If credit cards are involved, has the company got a valid PCI DSS certification? If sensitive data is to be held (medical, political, criminal, religious, ethnicity and soon probably financial variables), then perhaps a cloud-based should not be used – or at least, only after a thorough audit of its procedures and facilities. And remember - the ICO now have the power to fine data owners up to £500,000 for negligent or deliberate breaches of data protection legislation.
Privacy and Compliance
It is the responsibility of the data controller, not the cloud service provider, to ensure that personal data is retained for no longer than is necessary. Prospective service purchasers should ensure that such services have an easy-to-use provision to enable the selective removal of personal data.
Make sure that you ask about and understand the service provider’s back-up policy and ensure that data is deleted in accordance to your data retention policy. If you don’t have a policy (even an informal one), then think about it. Amassing personal data with no valid reason is not only illegal and increases security risks, it probably costs you money and performance, too.
Principle Eight of the Data Protection Act can easily be compromised when working with cloud-based services. It states: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” Cloud service providers often have their servers based outside EEA. Unless you can demonstrate that they have adequate safeguards in place (for example, the Safe Harbor scheme in the USA), transferring personal data to them may well be a breach of the Act. In practice, this area of the act is complex and suitable legal advice should be considered.
In any event, assure yourself as much as possible about the service provider’s security - consider an audit if the value is large or the data is highly personal and/or of some value. Get the service provider to agree to a suitable security contract and make sure they deliver on it.
In-house services can fail. It is arguable that such a failure is less likely by a specialist cloud-based service created to provide one function, because it should have a more optimal infrastructure to support it. Yet businesses should still consider the impact of service failure when planning the utilisation of a cloud-based service - it does happen.
Heroku is a good example. The start-up business offers a platform-as-a-service proposition based around the Ruby on Rails open source web development framework. It started off 2011 with an unexpected, and not very nice, surprise. On 2nd January last year, all of the high-capacity Amazon Elastic Cloud 2 instances that run its popular, cloud-based application and development service just disappeared. Twenty-two virtual machines, which charge around $20,000 per month in hosting fees for the high-memory instances, vanished, leaving Heroku's estimated 44,000 running applications in the limbo.
This case study illustrates the “house-of-cards” potential for disaster that exists with cloud services. In this case an electrical storm causing a one-hour outage at Amazon’s Virginia data centre sent Heroku’s client applications into limbo. The platform provider has subsequently remodelled its service to assume that virtualised instances can on occasion vaporise.
According to a CA Technologies survey, “small enterprises lost, on average, more than $55,000 in revenue due to IT failures each year, while midsize companies lost more than $91,000 and large companies lost more than $1,000,000. A data center outage by itself can cost an average of $5,600 per minute.” Whether your operations are run in-house or in the cloud, losing accessibility means losing money.
If you need a very high resilience, mission-critical environment for a specific application, then great care should be taken selecting cloud based services to host it. Some basic business prudence may be called for - check out the company before you use it via credit references, user reviews, the age of the business and the SLAs on offer.
At some point, you may wish to migrate to another provider (or in-house), so consider the following when choosing a provider:
The advent of cloud-based services is ultimately a massively good thing for SMEs and other enterprises looking to get great services at a reasonable cost. However, that comes at the expense of some added risk to data security, privacy and, potentially, service failure.
If the provider is open to contractual negotiation, then some of this can be mitigated with good contractual clauses. These might include:
Getting the balance right between corporate responsibility, prudence and commercial advantage is never easy. Using cloud-based services offers businesses (particularly smaller ones) considerable benefits. But business owners should go into such relationships aware of the downsides. In other words - caveat emptor!