Business continuity and public cloud computing
By Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV.
If you asked a group of IT practitioners or business people what cloud computing is, they would probably answer like the blind men trying to describe an elephant by touch alone: each would give an answer consistent with their own specific perceptions.
In fact, public cloud computing is a relatively new term that has been around for only a few years. It refers to the use of information technology services, infrastructure, and resources that are provided on a subscription basis. Public cloud computing is a Web- or Internet-accessed business solution in which most or all of the computing infrastructure (computers, network, storage, etc.) is hosted remotely from the actual business site and is managed by a third party.
Many companies rely upon public cloud computing, in part or in whole, for their business operations, critical and otherwise. So as we look at business continuity and public cloud computing, we are looking at a relatively new set of risks that need to be addressed to properly protect a business against unforeseen events.
Before I address the areas of business continuity and disaster recovery planning concern, let me discuss the various popular forms of public cloud computing available to the business.
There are three basic types:
Software as a service (SaaS) is defined as a service based on the concept of renting software from the service provider rather than buying it outright for your business. The software is hosted on network servers and made functionally available over the web or an intranet. This service provides software on demand and is currently the most popular type of public cloud computing because of its flexibility, its ability to be scaled, and because maintenance is provided by the service provider as part of the cost of the service. Many CRM, ERM, and niche applications are all provided as SaaS services. With web-based services, all that employees need to do is register and log in to the cloud-provided instance. The service provider hosts both the application and the data, so the business user is able to use the service from anywhere, potentially across the globe. With SaaS, the service provider is responsible for all issues dealing with capacity, upgrades, security, and service availability.
Platform as a service (PaaS) is defined as a service that offers a platform for developers. The business users develop their own code, and the service provider uploads that code and makes it accessible on the web. The PaaS provider offers services to develop, test, deploy, host, and maintain applications in its development environment, and also provides various levels of support for the creation of applications. Thus PaaS offers a quicker and cheaper model for application development and delivery. The PaaS provider manages upgrades, patches, and system maintenance.
Infrastructure as a service (IaaS) is defined as a service where the service provider delivers the computing infrastructure as a fully outsourced service. The user can purchase the various components of the infrastructure according to their requirements, when they need them. IaaS operates on a ‘pay as you go’ model, ensuring that users pay only for what they have contracted for – such as network, computing platforms, rack space, and environmental services (HVAC and power). Virtualization has enabled IaaS vendors to offer high volumes of servers to customers. IaaS users purchase access to enterprise-grade IT infrastructure and resources, together with the personnel to keep the infrastructure running. No application, database, or data monitoring above the OS level is provided by the hosting vendor unless it is contracted at an additional cost.
The basic flaw in the ‘... as a service’ offerings
In the cloud computing definitions that are evolving, the services in the cloud are provided by third-party providers and accessed by businesses via the Internet. The resources are accessed as a service on a subscription basis. The users of the services being offered most often have very little knowledge of the technology being used, the security being deployed, the availability of the service being offered, or the operating best practices (monitoring, patching, maintenance, etc.) employed by the service provider. The business subscribers also have little or no control over the infrastructure that supports the technology or service they are using.
How to take control
Under the standard of ‘due care’, and charged with the ultimate responsibility for meeting business information technology objectives or mission requirements, senior management must ensure that the services they contract, including these ‘... as a service’ solutions, are appropriate to meet all of the necessary business requirements in the legal, technical, financial, and operational areas.
This business continuity due diligence comes only through a thorough vetting of the ... as a service provider in several areas. I have listed some of the more important ones below:
Legal and regulatory
• Will the service provider meet any of your data breach notification requirements? (Remember that even though you are outsourcing hosting, you remain responsible for the data under your protection, i.e. PHI, PII, etc.)
• Are the facilities housing the service provider adequately secured (video surveillance, access control, etc.)?
• Do they have a current SAS 70 Type II audit findings report?
I have developed a hosting questionnaire which each ... as a service vendor is required to answer to the satisfaction of my client, and I would recommend that you do the same. Sometimes it takes a few iterations to complete the form to the satisfaction of the client, but when completed it provides documentation of due diligence and a clearer picture of what can be expected from the service provider. If the vendor will not complete the questionnaire, then it would be best to move on to another vendor – regardless of cost. If you can’t come to terms before a contract or statement of work is signed, it will be ten times more difficult to come to an agreement after signature.
Now, this article has only scratched the surface and provided information on the basic questions that should be asked and answered to protect businesses using ... as a service providers. However, the intent of this article was to inform the reader that there are many types of ... as a service offerings, and ways to reduce and/or eliminate problems that I have experienced over the last few years. The issue the article wants to impress upon the reader is one of due diligence. We, as corporate or governmental IT security or business continuity experts, need to make sure that our organizational leaders have the necessary information to make informed choices for the protection of critical and sensitive information, so that they can decide between implementing adequate controls and safeguards now to protect against risks, or potentially paying later in reparations and damaged reputation.
Date: 20th Jan 2011 • Region: US/World • Type: Article • Topic: IT continuity