Trusting the cloud

Information security is the main concern holding back cloud adoption
On-demand CRM provider Salesforce.com and cloud computing supplier Amazon Web Services offer a choice of locations, but others have been less forthcoming. In March, prestigious US university Yale delayed a planned switchover to Google’s cloud-based email and applications suite after faculty expressed legal concerns regarding the search engine giant’s policy of replicating its hosted data across multiple global sites – a strategy designed to maintain service levels in the event of loss or disruption.
According to Fasthosts’ Burton, legally sensitive data is perhaps better suited to private, on-premise infrastructure. Simon Abrahams, head of EMEA product marketing for Rackspace, believes that the desire to manage legally sensitive data in a controlled environment while still making use of the cloud is the key driver for so-called hybrid cloud environments, where traditional hosting and cloud services are knitted together into a continuous environment.
But Burton also reports that in some cases the physical location of IT assets is irrelevant, and customers’ concerns over language and time zone issues can often be trivial.
Reaching agreement
In cloud, as in any services engagement, the customer’s ability to achieve the assurances it requires from the supplier rests on its power to negotiate an appropriate service level agreement (SLA). Specific considerations to bear in mind for cloud SLAs include acceptable downtime, data protection procedures and the process for transferring data to and from another cloud provider, in the event of a supplier switch.
According to (ISC)²’s Colley, the buying power of larger organisations grants them the upper hand in negotiating SLAs with cloud suppliers: “Large businesses have a lot of clients, and a lot of leverage, so they can insist on things being in the contract like audit requirements and special safeguards, whereas small businesses generally cannot.”
But this does not necessarily tie the hands of the smaller cloud customer. The Cloud Industry Forum has already developed its own certification system for determining the quality of vendors based on transparency, capability and accountability.
The idea is that this leads to a list of quality-approved vendors, something that will become more important as less renowned providers continue to enter the market, in order to help smaller customers make the decision to sign an SLA with a cloud vendor. “It’s about trying to get as much transparency about what’s being delivered into the market,” says Burton, “so people will be able to make an educated, rational decision.”
Also, security body the Jericho Forum predicts third-party organisations will offer their own audits of cloud vendors within the next few years. It expects this to increase trust between provider and customer.
Increasing trust
Adrian Seccombe, Jericho member and former chief information security officer of Eli Lilly, believes that this development will be particularly beneficial to small to medium-sized enterprises, which typically cannot commit time and resources to effectively auditing prospective cloud providers. “If [small enterprises] buy an audit from a third party, it increases the trust and confidence of these smaller businesses who would never be able to modify the standard terms and conditions,” explains Seccombe.
It is early days for cloud computing, and new concerns may well arise as current difficulties are ironed out. It is clear, however, that organisations cannot abdicate responsibility for information security by engaging cloud computing services.
Quite the opposite, in fact: the most secure cloud-adopters will be the ones who do their best to impose the same assurances on their cloud providers as they would on their own infrastructure.
“The issues of security are fundamentally the same” for cloud as for on-premise infrastructure, says Garry Sidaway, director of security strategy at IT consultant Integralis. “But as an organisation, you’ve got to start extending these principles [into the cloud].”

Daniel makes the important point that cloud computing is still young... but it is coming, and I think it’s about time we embrace it. One provider I work with, PineApp, provides security systems, and had the bright idea to provide their whole line, in addition to hardware products, as SaaS and cloud services, bringing their tested security policies and successful data protection onto the cloud. As a market analyst, I believe this is the current direction of enterprise computing, and the sooner we accept it, the better for us and for the fast development of secure cloud products.