For the last year or so, it seems marketing people have moved away from terms such as “... as a Service”, and replaced the words with Cloud.
We are seeing hosted applications, hosted infrastructure, hosted servers, hosted platforms, managed services, VPNs, MPLS networks, distributed networks, hosted virtual servers, remote VDI solutions, all termed with the phrase Cloud.
I understand the drivers that are used to move services out of your own server room, by lowering infrastructure costs, moving capital expenditure to operational expenditure, upgrading or downsizing by modifying your service plan, removing running costs (such as air conditioning, trained server administrators, etc.), having your systems monitored and changing applications on the fly.
I have a few issues with Cloud offerings, which include:
- How do users connect to the solution?
- Are they using a username and password?
There are many issues around authentication, such as weak or insecure passwords, using common words, using easy to guess words (such as favourite bands, football teams, children’s names, car, etc.) and that’s before the fact the password can be told to someone else.
People often talk about multi-factor authentication, but to surmise it, the factors are “something you know” such as passwords and PINs, “something you’re given” such as a one time passwords from a token, or “Something you are” where biometric devices are used to read fingerprints or iris scanners.
A combination of two of these will be known as two factor authentication, where passwords are coupled with a token generated one time password, offering much improved security.
- How is your data protected?
- Who has access to your data?
With the Information Commissioner’s Office issuing fines of up to £500,000 for the loss of personal data, it is more critical than ever data is encrypted.
I would expect the data to be encrypted with to a minimum level of 256-bit AES, although another consideration who has access to your data. It may be encrypted, but if the key is held by the service provider, then they will have the ability to decrypt your data.
Backup and Archive
- Is the data backed up?
- Is the data archived?
Your data should be backed up regularly, giving a point in time that the data can be restored to. The issue with back up is that it will back up current data, but the ability to roll back and restore can be more destructive and time consuming than working round the missing/lost/corrupted data.
If your data was archived, then it would offer the ability to manage and archive all versions of the data. Archiving is driven by compliancy and traceability, rather than disaster recovery.
Access to the service
- Where can you access the data from?
It would be great to be able to access your service from anywhere in the world, wouldn’t it? A concern is that although this great for remote users, should everyone be able to have access? Data security may dictate that the service or data should not be access from non-trusted IP addresses, or by specific users or during specific times. If this level of control is required, ensure your provider is able to deliver this.
- Are there multiple servers hosting your service?
- Are there multiple datacentres hosting your service?
One of the draws with a Cloud offering include having your applications and services available from anywhere, so there perfect disaster recovery solution.
The issue will be when the provider has a server failure. Will they be able to move your service to a new server in a timely fashion? Whether the services are being run on virtual or physical servers, ensuring your service up time is vital.
Another concern will be if the provider only has one datacentre or one WAN connection, so if there service is delivered well I would expect multiple datacentres, with multiple links running an active/active configuration, along with an active/active or active/passive server configuration.
My concern with Cloud solutions is the number of providers who are “jumping on the bandwagon” offering cloud services as quickly as possible. The issue is that some providers offer very favourable pricing, but the infrastructure may not be in place until there is some uptake. This can only be a bad thing for the early adopter, especially if it is not making money and they stop the service or become bankrupt.
My advice is to proceed with caution, check the provider thoroughly and try not to be price driven.