The question on cloud security and whether it's possible to enjoy greater data centre flexibility and efficiency without compromising on security comes down to whether you're a John Travolta or a Dennis Bergkamp.
That's according to SaasSAssurance CEO Mark Dunne, who was speaking during a session at Computing's Data Centre Summit today.
Dunne used the analogy of flying to describe the main approaches to the adoption of cloud. Some, like actor and qualified pilot John Travolta, have a very enthusiastic approach to air travel and they'll embrace it no matter what.
Others, like former Arsenal and Holland striker Dennis Bergkamp, fear air travel, avoiding it at all costs - even if, in Bergkamp's case, it meant he couldn't play in European fixtures. Dunne likened air travel to dealing with the cloud as both involve some form of risk assessment.
"Some people may have got a flight this morning. What you did when getting that flight was take a mini risk assessment with your life," said Dunne.
"You checked out the reputation of an airline, looked at country of origin, regulations in the country, airline manufacturer, traffic control, the pilots and the flight management system."
With images of a battered plane and a rundown airstrip on the screen behind him, Dunne asked the audience if they'd fly with 'Bandito Airlines', something he suggested most people would think twice about. The same sort of risk assessment can be applied to the cloud, explained Dunne.
"What we can do with this info is apply it to cloud technology. If I was to offer you a flight from Bandito Airlines, you'd probably think twice about it," he said.
"Then we get to people like John Travolta who love to fly, some people use the cloud any chance they get," Dunne continued.
Like when choosing an airline, Dunne continued, choosing a cloud provider depends on what you need from it.
"You have to decide if it's going to be hybrid, private or public cloud, and obviously if it's very sensitive info you'd decide to go private," he told the audience, suggesting that security needs to be considered as part of the whole package, not something bolted on.
"What I'd encourage people to do is include security in overall strategy of quality. I do a bit of DIY and when I'm putting tiles in the bathroom I measure twice and cut once, maybe do the same with a cloud provider," said Dunne.
"First of all conduct a risk assessment, compile a list of assets you plan to put into the cloud. Arrange them in business importance, conduct a risk assessment," he explained. "Have a look at actual service models and see how your data matches to that, include the data centre."
Dunne suggested that in addition to more obvious considerations such as trust and the brand, other aspects which need to be considered when examining a cloud-based data centre provider include access control, shared areas, shared resources, location, physical and environment security, compliance, outages and how the provider reacts when an outage occurs.
Transparency is also key, argued Dunne, adding that transparency on the part of a provider suggests to customers that they're doing all they can about information security.