For the last
year or so, it seems marketing people have moved away from terms such as “...
as a Service”, and replaced the words with Cloud.
We are
seeing hosted applications, hosted infrastructure, hosted servers, hosted
platforms, managed services, VPNs, MPLS networks, distributed networks, hosted
virtual servers, remote VDI solutions, all termed with the phrase Cloud.
I understand
the drivers that are used to move services out of your own server room, by
lowering infrastructure costs, moving capital expenditure to operational
expenditure, upgrading or downsizing by modifying your service plan, removing
running costs (such as air conditioning, trained server administrators, etc.),
having your systems monitored and changing applications on the fly.
I have a few
issues with Cloud offerings, which include:
Authentication
- How do users connect to the solution?
- Are they using a username and password?
There are many issues around authentication, such as weak or insecure passwords,
using common words, using easy to guess words (such as favourite bands, football
teams, children’s names, car, etc.), and that’s before considering that the
password can be told to someone else.
People often talk about multi-factor authentication, but to summarise it, the
factors are “something you know” such as passwords and PINs, “something you’re
given” such as a one-time password from a token, or “something you are” where
biometric devices are used to read fingerprints or scan irises.
A combination of two of these is known as two-factor authentication, for example
where passwords are coupled with a token-generated one-time password, offering
much improved security.
Encryption
- How is your data protected?
- Who has access to your data?
With the Information Commissioner’s Office issuing fines of up to £500,000 for
the loss of personal data, it is more critical than ever that data is encrypted.
I would expect the data to be encrypted to a minimum level of 256-bit AES,
although another consideration is who has access to your data. It may be
encrypted, but if the key is held by the service provider, then they will have
the ability to decrypt your data.
Backup and Archive
- Is the data backed up?
- Is the data archived?
Your data
should be backed up regularly, giving a point in time that the data can be
restored to. The issue with back up is
that it will back up current data, but the ability to roll back and restore can
be more destructive and time consuming than working round the
missing/lost/corrupted data.
If your data was archived, then it would offer the ability to manage and archive
all versions of the data. Archiving is driven by compliance and traceability,
rather than disaster recovery.
Access to the service
- Where can you access the data from?
It would be great to be able to access your service from anywhere in the world,
wouldn’t it? A concern is that although this is great for remote users, should
everyone be able to have access? Data security may dictate that the service or
data should not be accessed from non-trusted IP addresses, or by specific users
or during specific times. If this level of control is required, ensure your
provider is able to deliver this.
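One way to express the control described above, as an added example that is not part of the original post: a deny-by-default check that combines source network, user and time of day. The user names, networks (documentation address ranges) and hours are constructed assumptions, not any provider's API.

```python
# Added example: deny-by-default access decision on user, source network and time.
# All users, networks and hours below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class UserRule:
    networks: tuple  # trusted CIDR ranges this user may connect from
    start: time      # start of permitted window (UTC)
    end: time        # end of permitted window (UTC); may wrap past midnight


POLICY = {
    "alice": UserRule((ip_network("203.0.113.0/24"),), time(8, 0), time(18, 0)),
    "nightops": UserRule(
        (ip_network("198.51.100.0/25"), ip_network("2001:db8::/32")),
        time(22, 0), time(6, 0)),
}


def in_window(now: time, start: time, end: time) -> bool:
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps past midnight


def check_access(user: str, source_ip: str, when: datetime) -> tuple:
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    rule = POLICY.get(user)
    if rule is None:
        return False, "unknown user"
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    if when.tzinfo is None:
        return False, "timestamp without timezone"  # refuse ambiguous times
    if not any(addr in net for net in rule.networks):
        return False, "untrusted source address"
    if not in_window(when.astimezone(timezone.utc).time(), rule.start, rule.end):
        return False, "outside permitted hours"
    return True, "ok"
```

Returning the reason alongside the decision lets denied attempts be logged and reviewed, which is the evidence to ask a provider for when they claim to support this level of control.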
Disaster Recovery
- Are there multiple servers hosting your service?
- Are there multiple datacentres hosting your service?
One of the draws of a Cloud offering is having your applications and services
available from anywhere, so it’s the perfect disaster recovery solution.
The issue will be when the provider has a server failure. Will they be able to
move your service to a new server in a timely fashion? Whether the services are
being run on virtual or physical servers, ensuring your service uptime is vital.
Another concern will be if the provider only has one datacentre or one WAN
connection, so if their service is delivered well I would expect multiple
datacentres, with multiple links running an active/active configuration, along
with an active/active or active/passive server configuration.
Conclusion
My concern with Cloud solutions is the number of providers who are “jumping on
the bandwagon”, offering cloud services as quickly as possible.
The issue is that some providers offer very favourable pricing, but the
infrastructure may not be in place until there is some uptake. This can only be
a bad thing for the early adopter, especially if the service is not making money
and the provider stops the service or becomes bankrupt.
My advice is
to proceed with caution, check the provider thoroughly and try not to be price
driven.