Security, standards and T&Cs: the biggest question marks over cloud

User uncertainties remain over cloud computing

Data security, suspicion over service providers' terms and conditions, and a lack of standards are among users' biggest concerns over cloud computing.

That is the anecdotal evidence from speakers and attendees at the World Cloud Computing Forum in London this week.

Security remains one of the biggest barriers to adoption, according to many attendees and presenters, because while users remain responsible for customer and other valuable data, they cannot always be sure that cloud providers are securing that data to the high standards that they would expect.

"We hold a lot of data, such as authors' and writers' information," said Jora Gill, head of IT at academic publisher Elsevier, "and we will never put such private information on the cloud - yet."

Part of the problem, suggested Paul Boyns, head of IT strategy and policy at the BBC, is "nesting". "A platform-as-a-service (PaaS) offering... may actually be relying on infrastructure-as-a-service (IaaS) being provided by another vendor," he said.

"When you go up the stack further, a software-as-a-service (SaaS) offering may actually be doing the same thing. So you then have a service-level agreement with a SaaS provider, which has an underpinning operational-level agreement with a PaaS provider and another one with an IaaS provider," he added.

"So how confident can you be that your provider of the SaaS product, which may be a small vendor, understands the implication of those layered service level agreements?" he asked.

Furthermore, the sector is still in its infancy. While the plethora of providers ensures choice, many of them won't make it through to maturity. How would a company deal with the bankruptcy of a key cloud services provider?

Glyn Hughes, technology director at global security company G4S, said that a subsidiary of his firm had already had to deal with the demise of a cloud provider, an event in which the company's central IT function had to swing into action to help in the migration of data from the defunct firm's platform.

Paul Boyns, head of IT strategy at the BBC, warned that "vendors are moving faster than the standards bodies" and that users therefore needed to think about potential data migration from a provider before even signing with them.

What would help, added Hughes, is more work on industry standards, not just to improve interoperability between services, but to better enable data to be moved from platform to platform - or even back in-house, if necessary.

"I see a lack of standards. When I can compare providers on CompareTheMarket.com, then I will know that the standards in the cloud will be good enough," said Hughes.

In the absence of such standards, users need to audit potential providers closely and carefully before signing up with them. That means visiting their premises, finding out how they host and look after data, and even conducting security tests on their infrastructure to make sure they reach the required security standards.

G4S, for example, says Hughes, conducts regular penetration testing on its own environment and would expect to be able to conduct similar tests on cloud providers too. However, Hughes admitted, that may not be feasible with major providers such as SAP, Oracle and Google.

On security, though, Hughes suggested that potential users of cloud services ought to take the same pragmatic risk-based approach that they would take to data secured in-house.

"We all make compromises around the security of data. I wouldn't go with the idea that you shouldn't put data in the cloud, but you do need to take the appropriate precautions," he said.

That includes security testing of potential cloud partners - including intrusive penetration testing - and conducting the same kinds of tests on the cloud provider that a company would conduct on packaged software that it is considering buying.