Security is almost always cited as the primary inhibitor to wider cloud adoption by businesses.
For example, more than three-quarters (77 percent) of 390 IT pros surveyed think the use of cloud computing makes it harder to protect privacy, and 50 percent worry about a data breach or loss, according to the 2011 IBM Global Business Resilience and Risk Study. (s ibm)
Well, those IT pros need to get over it, said Joe Coyle, CTO of Capgemini, the system integrator and IT consultant.
“Everyone is screaming for an accepted security model for the cloud, and I think it’s already here. People just need to take a deep breath,” Coyle said in an interview this week.
On the technology side, his only concern is at the hypervisor level, and even there, it’s not so much about security as it is about auditing. “You need good reporting and auditing tools so that providers can prove that virtual machine A doesn’t encroach on virtual machine B,” he said.
Virtualization is great at carving up a physical environment into multiple pieces, but moving that technology into a shared environment opened a whole can of worms where people worry about overlapping partitions and other things. Those tools are now becoming available, he said.
Whether companies run their technology in-house, in the cloud or a combination, they need to make sure they (or their proxy) run a hardened, properly patched operating system; that idle CPUs are shut down; that files are encrypted; and that firewalls and DMZs are up to date and working.
Bulletproofing SLAs for the cloud
People think SLAs are a bigger deal in the cloud, but the principles are the same, Coyle said. Just as with security, a company needs to break down the layers of its stack from the operating system and hypervisor to the file systems, the network, the applications. Then it needs to lay out who has responsibility for each tier and component within that tier clearly. Layering the cloud atop existing IT doesn’t change any of that and reinforces the need for very detailed SLAs.
“The famous example is ‘I can’t be down for more than two hours,'” Coyle explained. “Well, what do you mean by ‘down?’ If you can’t get to your data, is that because your building [itself] is down or is it the connection to an outside data center?”
IT pros for the buying company need to spell that out in advance and in as much detail as possible so the SLAs are enforceable, Coyle said.