A new report from Forrester Research Inc. is urging companies to be guarded when examining cloud-based services. Early adopters have run into a number of road blocks, including not knowing where their data resides, what happens to the data when a decision is made to change services and how the service provider guards customer privacy.
Companies considering using a cloud-based service need to gain a clear understanding of the security, privacy and legal consequences before contracting with a service provider, according to a report issued by Forrester called, "How secure is your cloud?" The report urges organizations to develop a checklist of data security and compliance priorities and compare organizational needs to the cloud service provider's policies and procedures.
"The rule of thumb is that when you outsource the requirements developed internally, the vendor has to be at least as secure as you are," said Chenxi Wang, a principal analyst at Forrester who authored the report.
Companies must also understand how compliance issues are affected, how the service provider handles data security and whether company intellectual property could be put at risk. In many cases, contracts should carefully outline disaster preparedness procedures, proper data handling and the role the provider will play in the event of a breach.
"Pay special attention to operational details that are often obscured by cloud services, such as location of data, events logged, replication method and infrastructure redundancy," Wang said.
Many firms are turning to cloud-based services such as Salesforce.com and project collaboration websites to cut costs and improve efficiencies, according to Wang. Forrester's recent survey of enterprise and small and midsize businesses found that 47% of software decision makers were either using or piloting Software as a Service or considering adopting SaaS in 2009.
Cloud computing can often complicate data security and privacy, according to Wang. The organization loses visibility and control since the company data would reside on another network. Some firms have employees using cloud-based services without the consent of IT security, Wang said.
"In many cases it's very easy to set up a service without going through IT or another centralized authority's involvement," Wang said. "In many cases the client piece can be on somebody's desktop, but the content is living outside the organization."
In a recent interview, Eastman Kodak Co. CISO Bruce Jones said his firm is considering using cloud-based service providers for certain processes, but he added that his company is being cautious out of fear of putting company data at risk.
"I'm getting asked all the time, 'can we move this into the cloud?'" Jones said. "I'm very reluctant at this point. I'm not seeing huge benefits."
Jones said there could be value in cloud computing with Kodak's high computational processes in its research and development division. The organization sometimes needs high capacity on-demand computing power to conduct large calculations, he said.
"The cloud may provide some benefit there, but I want to make sure we're doing it in a way that we're not putting our IP data in jeopardy or putting any personal information or other confidential data at jeopardy," Jones said.
A thorough assessment of the cloud service provider should include auditing it to gain some visibility into its internal operations, Wang said. A cloud provider may not allow internal audits, but they should offer "some form of external audits of their infrastructure and network." The goal is to understand how the service uses event logs and who actually has access to the data on the backend.
Compliance issues can also get in the way of cloud service adoption, according to Wang. The data handling and business continuity practices of the service provider should also be considered to address compliance issues. Also, firms should keep in mind their industry specific compliance initiatives.
Wang advises clients to carefully scrutinize the service level and contract agreements. While most are fairly standard, some firms may want to negotiate specific terms in the agreements to make it unique to the organization's business processes and data handling procedures. In many cases, unless you are a large organization, cloud service providers will devote little time to negotiating unique SLA or contract terms, Wang said.
"If you are a small client they may not pay attention, but if you're huge, they will bend over backwards for you," she said. "It's just the way it works."
The contract should cover what happens if the SLA is not met, how data is handled when the service contract ends, the type of data returned to the company and that the cloud service provider erases all data from its network within a given time period, Wang said.
"We're seeing some companies getting burned by vendor lock-in," she said. "It's often not easy to change services. If you're switching, good luck getting them to do things for you; if it's not required by contract to extend end-of-service support to you, then they won't do anything."