Avoiding the Storm Clouds

10/06/2009 10:58

As cloud computing becomes more commonplace and vital to our operations, it's imperative to keep in mind the security implications of running your business from "the cloud". Moving expensive and hard-to-maintain programs to the cloud can be an attractive alternative to large one-time investments in hardware and software. However, we need to be very aware of how this move affects our information's security. Specifically, we will be focusing on our information's availability in the cloud.

With business critical applications and services hosted in the cloud, internet access, which smaller organizations have traditionally seen as just "useful", is suddenly elevated to "vital". With your application in the cloud, slow internet means low productivity.

“Cloud computing” offers programs and applications as services that are accessible from any internet connection instead of running on computers and servers in the office. The term can refer to any of the emerging "XaaS" concepts such as "Software as a Service" (SaaS), "Infrastructure as a Service" (IaaS), or "Platform as a Service" (PaaS). Additionally, this type of service may also be referred to by its ".com" era name, Application Service Provider (ASP). The services are hosted somewhere "in the cloud", with the cloud representing the supporting network and server infrastructure hidden from the user. Access to the cloud is generally over the internet.

Once cloud computing is added to the mix, the internet is no longer just a place for research, purchasing, social networking, and games. It is now part of the core business infrastructure and vital to the organization's daily operations. The focus for availability needs to be on the network and internet services that are used to access the cloud. It should be noted that many adopters of cloud computing services still maintain internal applications and servers. Thus this focus on network availability tends to be in addition to traditional server availability, not a replacement for it.

Increasing availability for the network and internet connections may require hardware upgrades to business-class networking equipment such as switches, routers and firewalls. Backup power may also be desirable, to extend access over small outages and to protect the investment in more robust networking components. It may also be time to take another look at your internet access requirements.

Some questions you should be asking are...
 - How much additional internet traffic will be generated by all of my users running this application? Can my connection support it?
 - What is my SLA (Service Level Agreement) from my internet provider if the connection has a problem?
 - What is my tolerance for downtime?

You may even consider redundant hardware and services. For example, most business-class firewalls can be configured for automatic failover to a spare if one of them has a problem. Additionally, multiple internet connections can be used for failover in case of a problem, and for load balancing to distribute the internet traffic.

Of course, all of these considerations assume that the service in the cloud is properly configured and highly available. You should be very comfortable with the SLA of the cloud resource before even considering such a move. Cloud computing can be a great way of reducing one-time expenditures and easily allowing access for remote workers or offices, but the shift in resource locations requires a reciprocal shift in our security posture.
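To put numbers on the questions above, the following added example (not part of the original article) models the access path as internet link, firewall and cloud service in series, then compares a single path with redundant links and firewalls against a downtime tolerance. Every percentage and the 24-hour tolerance are constructed sample values, and the function names are illustrative.

```python
# Added example: availability of the whole path to a cloud service.
# All figures are constructed sample values, not taken from the article.
from math import prod

HOURS_PER_YEAR = 24 * 365


def serial(*availabilities):
    """Every component must be up: ISP link -> firewall -> cloud service."""
    return prod(availabilities)


def parallel(*availabilities):
    """Redundant components: the group fails only if all fail at once.
    Assumes independent failures, which is optimistic when both links
    share a conduit, a power feed or an upstream carrier."""
    return 1 - prod(1 - a for a in availabilities)


def downtime_hours(availability):
    """Expected hours per year during which the path is unavailable."""
    return (1 - availability) * HOURS_PER_YEAR


def evaluate(path_availability, tolerance_hours):
    """Compare expected yearly downtime with the business's tolerance."""
    hours = downtime_hours(path_availability)
    return {"availability": path_availability,
            "downtime_hours_per_year": round(hours, 1),
            "within_tolerance": hours <= tolerance_hours}


# Constructed inputs: SLA figures as fractions of a year.
ISP_A, ISP_B = 0.995, 0.99      # primary and backup internet connections
FIREWALL = 0.999                # one business-class firewall
CLOUD_SLA = 0.999               # provider's stated service availability
TOLERANCE_HOURS = 24            # downtime the business can accept per year

single = serial(ISP_A, FIREWALL, CLOUD_SLA)
redundant = serial(parallel(ISP_A, ISP_B),
                   parallel(FIREWALL, FIREWALL),
                   CLOUD_SLA)

if __name__ == "__main__":
    print("single path   :", evaluate(single, TOLERANCE_HOURS))
    print("redundant path:", evaluate(redundant, TOLERANCE_HOURS))
```

With these sample figures the redundant design meets the tolerance, but its availability still cannot exceed the cloud provider's own SLA, which is why that SLA has to be acceptable before the local network is tuned.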
