Who's guarding the cloud?
BY SARAH FISTER GALE
WHAT TO ASK
When vetting cloud vendors for migration projects, Marc Crudgington, Advantage Sales and Marketing, Houston, Texas, USA, suggests asking the following questions:
How is the data center's disaster-recovery plan triggered? “You want to find out what triggers the move to the disaster-recovery site, how long that move will take and how you will gain access to the data,” Mr. Crudgington says.
How long has the vendor been in business? How many customers does it have? And how financially viable is it? “If they haven't been a provider for a long time, that might be a concern,” he says.
How do they respond to outages? “It's not the most important concern if they've had an outage. It's how long it lasted that's important,” Mr. Crudgington says.
Where is the data center located? “I'm less concerned about the safety of the neighborhood,” he says, “but I do look at the likelihood of natural disasters,” avoiding data centers in regions prone to floods, hurricanes or earthquakes.
How secure is the physical perimeter? Look at whether doors and server cages are locked, who has access to the building and the data center, and whether that access is logged and reviewed.
How often do they perform penetration tests? These are conducted by independent third parties who attempt to breach the network the way an attacker would. A test shows what was exploitable at the time it was run, not an absolute level of security, so also ask for the scope and date of the most recent test and for evidence that its findings were fixed.
On the cutting edge not so long ago, cloud computing is officially mainstream.
Looking to cut costs and increase efficiencies, organizations are launching projects to move more and more data to remote servers. Sixty-one percent of 1,700 executives from around the world and across sectors reported they were using, evaluating or planning to implement cloud computing this year, according to a 2011 survey by consulting giant Ernst & Young.
The long-term forecast is also “cloudy,” with organizations reporting that cloud computing's share of the IT spend will jump from 10 to 70 percent over the next decade, according to the Carbon Disclosure Project's 2011 Cloud Computing: The IT Solution for the 21st Century survey.
Those high adoption rates, however, mask the serious issue of cloud security. Even mature organizations with stringent internal processes are vulnerable, because cloud computing often means involving a third-party vendor. That opens the door to technical failures at outsourced data centers, concerns about vendor longevity and an increased risk of cyber threats.
A 2011 study of U.K.-based IT managers by Kaspersky Lab found that 62 percent worried about the security of the cloud. What's more, 60 percent said those fears prevented them from moving mission-critical data to cloud environments.
The big question now is whether some fundamental project management due diligence is being skipped in the rush to the cloud.
The reasons for embracing the cloud are manifold. A November 2011 study by tech consulting firm CSC found that 93 percent of the 3,645 global IT decision-makers surveyed reported better performance in at least one area of their IT departments since adopting the cloud. Those improvements cut a wide swath:
- Increased data center efficiency and use (52 percent)
- Lower operating costs (47 percent)
- Reduced waste and lower energy consumption (64 percent)
In the United States alone, organizations will save an estimated US$12.3 billion a year in energy costs by 2020 by moving to the cloud, per a 2011 report by the Carbon Disclosure Project.
Despite fears about information security, the U.S. federal government is rapidly launching cloud computing projects to cut IT costs and increase budget control.
InformationWeek's 2011 Federal Government Cloud Computing Survey found 29 percent of the 137 business technology decision-makers at U.S. federal government agencies said they were using cloud services, up 10 percentage points from February 2010. Another 29 percent said their agencies will tap into the cloud by February 2012.
U.S. CIO Steven VanRoekel said in December 2011 that the U.S. government has met 14 of the 25 points in the IT reform plan laid out by his predecessor, Vivek Kundra, realizing nearly US$1 billion in savings.
However, 77 percent of the respondents cited security as their biggest concern, and that has caused many projects to be delayed or scaled back. To allay these fears, the government created FedRAMP, the Federal Risk and Authorization Management Program, a centralized risk-management and security program that acts as an intermediary between federal agencies and cloud providers: it standardizes the security assessment and authorization of cloud services so that an agency can rely on an authorization already granted rather than vetting the same provider from scratch.
A success story at the state level could provide a blueprint as well. The state of Michigan implemented an automated hosting solution for fast-track projects called MiCloud in 2011. Chief security officer Dan Lohrmann says the move has helped the state lower customer costs for storage by reducing the per-gigabyte rate from more than US$2.80 to about US$0.38.
“It met the use needs by offering a service that did not have as much redundancy but had a much lower cost,” he says.
Moving to the cloud had its risks, Mr. Lohrmann admits, and security was a focus from the outset. To eliminate vendor issues, he chose to build a private cloud, which ranked as the preferred model for government projects by almost half of all the InformationWeek respondents.
“We built it in-house, which means we didn't have to bid the project out or use vendor technology,” Mr. Lohrmann says.
Opting to build a private cloud cost more than a shared public cloud system. It also meant his team had to ramp up its cloud computing skill set, and the department still had to purchase, configure and maintain all the hardware.
But the extra cost and effort was worth it, Mr. Lohrmann says, because he has total control over the system, ensuring that critical data stays in the state's own data centers. “I own all the pieces, and I made sure security was built into all of our project specs,” he says.
However, some of those companies may not have looked before they leapt. More than half of the respondents to the Ernst & Young survey had not implemented any controls to mitigate the risks of a cloud migration project. The consequences of such a process oversight can be significant: The average organizational cost of a data breach is US$7.2 million, the Ponemon Institute estimates.
“As part of any cloud project plan, you've got to understand where your data is, who has access to it, and whether you can meet expectations for backup and recovery in case of a disaster,” says Bernie Wedge, lead for the IT risk practice at Ernst & Young Americas in Atlanta, Georgia, USA.
Without a clear concept of who's doing what, a gaping security maw can open. In a two-part Ponemon study concluded in April 2011, 69 percent of cloud users said the provider was responsible for security, while only 35 percent of providers thought it was up to them to guard the data. Many major cloud providers' terms of service reflect that disconnect. The three largest cloud providers (Google, Microsoft and Amazon) all have provisions in their user agreements absolving them of responsibility in the case of hacking. In practice the provider secures the infrastructure it operates; who may access the customer's data, whether it is encrypted and how it is backed up remain the customer's job, and each of those duties needs a named owner in the project plan.
Sources: CSC Cloud Usage Index; 2011 Global Information Security Survey, Ernst & Young; Carbon Disclosure Project 2011 study; YouGov; U.S. Cost of a Data Breach, Ponemon Institute; Interxion Cloud Survey 2011; Federal Government Cloud Computing Survey, InformationWeek
NO STONE UNTURNED
From the moment organizations launch cloud computing projects, they must recognize that choosing the right vendor can make or break the entire endeavor.
“Vendor reputation is the most important aspect of the vendor-selection process for cloud projects,” says Marc Crudgington, national IT director at Advantage Sales and Marketing in Houston, Texas, USA. Because the company manages personal consumer data, it puts a high priority on finding a trustworthy and secure vendor. “If that data leaks, our reputation suffers,” he explains.
Project professionals should start by creating a risk register that defines their concerns, including protection from hackers, location of the data, user access and back-up options.
As credit consulting firm D&B (Dun & Bradstreet) opens its new office in Accra, Ghana, it sees the cloud as a faster track to ROI, says Emmanuel Ebo Freeman, PMP, head of IT and operations. But it also means coming up with a secure back-up plan should the network go down—which in Ghana is not an uncommon occurrence.
A WORD FROM THE WISE
Executives who've implemented cloud migration projects offer some advice on how to address security concerns at the outset, strengthen the business case and increase buy-in:
START SMALL. “The biggest mistake you can make is to move everything to the cloud all at once,” says Daniel E. Retzer, XSP, Birmingham, Alabama, USA. Like all IT projects, cloud transformation initiatives have risks, and you don't want to put proprietary data or critical applications in the cloud before you've worked out all the kinks. If you are new to the cloud, choose a low-priority, easy-to-deliver project, such as email storage, he suggests. “It will give you a sense of the benefits that the cloud can offer, and it will make it easier to extend this technology onto other projects, initiatives and processes.”
PREPARE YOUR TEAM. “You don't want people learning as they go,” says Endre Jarraux Walls, Resources for Human Development, Philadelphia, Pennsylvania, USA. Educating the team about the latest technologies, security trends and threats ensures they know how to choose the right technology and vendor for the organization's needs.
RECOGNIZE THE NEED FOR EXECUTIVE BUY-IN. Educate stakeholders about the impact, benefits and steps you've taken to ensure data security, says Emmanuel Ebo Freeman, PMP, Dun & Bradstreet Credit Bureau, Accra, Ghana. “At the end of the day, you need funding to execute any project, and you have to have executive buy-in to make that happen.”
SHARE YOUR METRICS. Once you implement the project, measure your results and share them with everyone in the company. “That would enable the right buy-in as well as help in assessment for future cloud projects,” says Bikram Barman, senior engineering manager at Yahoo! in Bengaluru, India. Demonstrate the benefits of an operational expenditure model versus a capital expenditure model, and of scalability and rapid deployment of projects, he adds. “Organizations should address and put in the right mitigation for security, availability, interoperability and portability concerns.”
MAKING THE CASE
When it comes to the cloud, executives have heard it all, from software vendors who promise no data downtime to doomsday reports of massive data hacking. With all the hype, it may be time for a reality check to ensure the project isn't sabotaged before it even begins.
To make the case, project leaders must define the risks as well as the benefits of cloud projects. A winning ROI doesn't have to be limited to the bottom line. At automation solutions provider XSP, for example, the company's migration project has provided greater budgetary control, as more of the IT spend shifts to the vendor rather than hardware costs, says Daniel E. Retzer, managing director and CTO of the company in Birmingham, Alabama, USA.
“The nice thing about operational expenses is that you can turn them off when you don't need them and pay for only what you need,” he says. “You can't do that with a data center full of servers.”
His team can also spin up servers in a matter of minutes as opposed to weeks, letting it focus on value-driven projects rather than hardware maintenance.
For Resources for Human Development (RHD), a human services not-for-profit organization in Philadelphia, Pennsylvania, USA, the ROI of cloud projects is based on increased reliability, better performance and disaster recovery. If an in-house system went down, for example, all of RHD's offices across the country would be impacted. By using a cloud vendor with a robust disaster-recovery strategy, the organization reduces its risks, CTO Endre Jarraux Walls explains.
“These are huge issues for us, and they make the business case for this project,” he says, noting that the new system has achieved 99.999 percent uptime since its launch.
“As a credit referencing bureau, our systems are mission-critical, and we can't afford to have downtime of even 20 minutes,” says Mr. Freeman of D&B in Accra.
He's considering using the company's Internet service provider, but he won't make a decision until he thoroughly vets its security system, including proof of third-party audits.
“Security is always front-of-mind for us, whether data is on site or hosted,” Mr. Freeman says. Along with evaluating the security of the physical location, he's investigating additional data-encryption tools and assessing the skill set of the vendor's on-site IT team, looking for:
- In-depth technical skills
- Project management skills and capability
- Customer relationship skills and a mature service delivery process
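The disconnect described earlier (customers assuming the provider guards the data while provider agreements disclaim liability for hacking) and Mr. Freeman's interest in additional data-encryption tools point to the same practical control: encrypt data on the customer's side, under a key the vendor never holds, before it is handed to the hosted service. The following is an added example written for this page, not code from the article or from any vendor named in it. It assumes the hosted service is an opaque object store (modelled by a map) and uses AES-256-GCM from Go's standard library; the object name is bound in as authenticated data so a blob that is moved or renamed at the provider, or altered by a co-tenant or administrator there, fails to decrypt instead of silently coming back. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not code from the article or from any vendor named in it.
// Assumption: the hosted store is an opaque key/value object store that the
// customer cannot inspect; everything the provider holds is modelled by this map.
type cloudStore map[string][]byte

// newCustomerKey generates a 256-bit AES key that stays on the customer's side.
// The provider never sees it, so a breach or a co-tenant at the provider yields
// only ciphertext.
func newCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForCloud encrypts one object with AES-256-GCM. The object name is bound in
// as additional authenticated data, so a blob moved or renamed at the provider
// fails to decrypt instead of silently coming back under the wrong name.
// Output layout: nonce || ciphertext || tag.
func sealForCloud(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openFromCloud reverses sealForCloud. Any change to the blob, the key or the
// object name makes gcm.Open return an error, which is the tamper check.
func openFromCloud(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, err := newCustomerKey()
	if err != nil {
		panic(err)
	}
	store := cloudStore{}
	// Constructed sample record standing in for the consumer data the article
	// says the company handles.
	name, record := "consumers/2012-03.csv", []byte("id,name,email\n1,Jane Doe,jane@example.com\n")

	blob, err := sealForCloud(key, name, record)
	if err != nil {
		panic(err)
	}
	store[name] = blob

	// What a provider-side dump exposes: ciphertext only.
	fmt.Printf("provider holds %d bytes starting %s...\n", len(store[name]), hex.EncodeToString(store[name][:8]))

	// The customer, holding the key, reads it back.
	got, err := openFromCloud(key, name, store[name])
	if err != nil {
		panic(err)
	}
	fmt.Printf("customer reads back: %q\n", got)

	// An object silently moved under another name at the provider is rejected.
	if _, err := openFromCloud(key, "consumers/2011-12.csv", store[name]); err != nil {
		fmt.Println("renamed object rejected:", err)
	}
}
```

The key management this implies is the part that cannot be delegated: the key has to be generated, stored and backed up by the customer (for example in an on-premises HSM or key-management service), and losing it is equivalent to losing the data, which is why backup and recovery of keys belongs in the same project plan as backup and recovery of the data itself.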
When Mr. Crudgington launches a cloud migration project, he meets with several vendors. “One of the first questions I ask is, ‘If a leak happens, what are you going to do?’” he says. Any vendor's disaster-recovery plan should define precisely how back-up systems will operate and how clients can access data.
Along with talking to vendors' existing customers and reviewing third-party analyses, Mr. Crudgington's vetting process also looks at whether data will be colocated on servers with other clients.
“Getting all of this data is a key part of the duediligence process, because once you make the transition to the cloud, you are at your vendor's mercy,” he warns.
THE NEXT STEP
Smart organizations take their cloud risk-management strategies beyond the confines of the IT vendor relationship, crafting a cross-functional team that can make the necessary cultural shifts.
“It's a change management issue,” Mr. Wedge says. “One of the most important aspects of dealing with security on cloud projects is educating the business functions and the executive team about the risks, the benefits and the rules of the road.”
Project leaders should hold meetings to present the business case and reinforce stakeholder support, says Dan Lohrmann, chief security officer for the state of Michigan, Lansing, Michigan, USA. He comes in armed with statistics that define the ROI in terms of energy and cost savings, and greater flexibility in service delivery. “When you have good numbers, it's not a tough sell,” he says.
Holding educational sessions and establishing defined processes for cloud projects helps prevent departments from “going rogue,” moving pieces of their own operations to a cloud vendor and bypassing the corporate IT function, Mr. Wedge adds. “Departments that outsource data without going through corporate IT often don't consider the backend issues and risks, like back-up recovery and data privacy,” he explains.
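The “going rogue” problem Mr. Wedge describes is also something the IT function can look for rather than only legislate against: outbound web-proxy logs show which business units are pushing data to hosted services that never went through corporate review. The following is an added example written for this page, not code from the article; it assumes a simple space-separated proxy log layout (timestamp, department, user, HTTP method, destination host, bytes sent) and an allowlist of vendors that IT has vetted. The log lines and hostnames are constructed. It aggregates upload volume per destination and department, skips malformed lines, and reports unsanctioned destinations over a size threshold, largest first.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Added example, not from the article. It assumes a web-proxy log in a simple
// space-separated layout (constructed here):
//   <timestamp> <department> <user> <method> <destination-host> <bytes-sent>
// and an allowlist of cloud services that went through corporate IT review.

type uploadSummary struct {
	Host       string
	Department string
	BytesSent  int64
	Users      map[string]bool
}

// Constructed sample log; hosts are fictitious.
const sampleProxyLog = `2012-03-05T09:12:01Z finance alice POST docs.approved-cloud.example 104857600
2012-03-05T09:14:22Z finance alice POST docs.approved-cloud.example 52428800
2012-03-05T10:01:45Z marketing bob POST share.unvetted-files.example 734003200
2012-03-05T10:03:10Z marketing carol PUT share.unvetted-files.example 314572800
2012-03-05T11:20:00Z hr dave GET news.example.org 2048
2012-03-05T12:30:31Z marketing bob POST sync.personal-drive.example 10485760
malformed line that the parser must skip
2012-03-05T13:00:00Z sales erin PUT share.unvetted-files.example 1048576
`

// approvedCloudHosts are the services corporate IT has vetted (assumed).
var approvedCloudHosts = map[string]bool{
	"docs.approved-cloud.example": true,
}

// uploadMethods are the HTTP methods that move data out of the organization.
var uploadMethods = map[string]bool{"POST": true, "PUT": true}

// findUnsanctionedUploads aggregates outbound bytes per (host, department) for
// upload requests to hosts not on the allowlist, and returns those at or above
// minBytes, largest first. Grouping by department is the point: it shows which
// business unit has moved data to a vendor without going through IT.
func findUnsanctionedUploads(logText string, approved map[string]bool, minBytes int64) []uploadSummary {
	agg := map[string]*uploadSummary{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 6 {
			continue // malformed line: skip it, do not fail the whole run
		}
		dept, user, method, host, sizeStr := f[1], f[2], f[3], f[4], f[5]
		n, err := strconv.ParseInt(sizeStr, 10, 64)
		if err != nil || !uploadMethods[method] || approved[strings.ToLower(host)] {
			continue
		}
		k := host + "|" + dept
		s, ok := agg[k]
		if !ok {
			s = &uploadSummary{Host: host, Department: dept, Users: map[string]bool{}}
			agg[k] = s
		}
		s.BytesSent += n
		s.Users[user] = true
	}
	var out []uploadSummary
	for _, s := range agg {
		if s.BytesSent >= minBytes {
			out = append(out, *s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].BytesSent > out[j].BytesSent })
	return out
}

func main() {
	// Report unsanctioned destinations that received at least 100 MiB.
	for _, s := range findUnsanctionedUploads(sampleProxyLog, approvedCloudHosts, 100<<20) {
		fmt.Printf("%-30s %-10s %6d MiB by %d user(s)\n", s.Host, s.Department, s.BytesSent>>20, len(s.Users))
	}
}
```

On the constructed log this flags one destination, used by two people in marketing, while the vetted service, ordinary browsing (GET traffic) and small personal uploads fall below the threshold or are excluded. The output is a starting point for the conversation about backup, recovery and data privacy with that department, not proof of wrongdoing, and the allowlist has to be maintained as vendors pass or fail review.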
Only once all those issues are addressed—from the quality of the lock on the vendor's door to the executive team's understanding of security protocol—will organizations know their data is secure in the cloud.
PM NETWORK MARCH 2012 WWW.PMI.ORG