The move to the cloud, as we are all aware, is not without its issues. Indeed, two of the top concerns for IT professionals contemplating the move of mission-critical information to the cloud revolve around the cloud's ability to provide not just security but compliance, with the associated monitoring and tracking required by mandates such as HIPAA and PCI, and network resiliency. The latter is a principal concern that has gained prominence as a result of Hurricane Sandy and other top-of-mind concerns regarding disaster recovery and business continuity.
Recently, I had the opportunity to discuss both of these important challenges with Oren Hamami, director of security strategy, SunGard Availability Services, who filled me in on best practices and recommendations in both areas.
Compliance matters
Hamami was blunt in his take on what you need to think about if you are using the cloud for compliance. “You need to know what type of provider you are using. You then need to address the data issue about where it is stored, who has access, etc. For example, for security reasons and making sure enterprises are abiding by government mandates, SunGard never moves your data out of jurisdictions without permission,” he stated. Plus, he added, “Visibility is important. This means knowing what service is being provided, where and by whom. It means making sure the provider is being open and transparent about options and contractual obligations. Increasingly, it is also about even authenticating the citizenship of those who have access.”
Hamami has seven great tips regarding factors to consider when moving to the cloud and staying compliant:
As Hamami explained, at the end of the day the move to the cloud is about having a trusted relationship with your provider in which responsibilities and accountabilities are well-defined and understood, and in which it is very clear that compliance activities will meet the letter of the law. This is particularly important because the penalties for non-compliance are steep, and the monetary damages can be multiplied by the damage to your brand should your company be found not to be doing things lawfully.
Cloud Resiliency: There when you need it most
Hamami, speaking on the subject of resiliency, brought home one of the key benefits of the cloud by saying, “When disaster strikes, whether it be because of malicious cyber attacks like the growing use of Distributed Denial of Service (DDoS) ones that have been aimed increasingly at financial institutions, media companies and large retailers, or those caused by mother nature, you need to be able to have business continuity. This means little or no downtime, fast mean time to restoration, and a lack of possible corruption of your valuable digital assets.” He continued, “Because it is a hosted environment, the cloud needs to be used judiciously, since increased accessibility means increased potential vulnerability, but not having to build a costly mirror site, and having multiple points of replication and fast response times for restoration, can be invaluable.”
In fact, Hamami did not need to point out how much even an outage of an hour or two can cost. Consider, for instance, that the recent outage at Google took out 40 percent of the Internet traffic while the company sought to bring everything back to normal.
Hamami explained why the two big things IT professionals are seeking when looking at cloud resiliency center around natural disasters and DDoS. “The cloud gives you the equivalent of always-on versions of your infrastructure, and that is of critical importance.” In fact, he noted that SunGard's warm site service, where mission-critical data is replicated in VM form at SunGard, is one of their fastest growing services. Another hot service area is cloud vaulting/archiving. This is where data that does not need to be restored as quickly as with a hot site or warm site is stored.
The reasons why such services are popular for disaster recovery and business continuity are obvious. In the case of DDoS attacks, where the bad guys are typically trying to overrun your servers with requests, and have become sophisticated enough to do so not just from a PC but by leveraging the cloud themselves, the defense involves redirecting legitimate traffic to capabilities that have not been compromised. While no solution is perfect, this is not unlike a complex shell game: attackers must continuously look for the area that is most vulnerable rather than being given one successful bite of the apple.
Resiliency and business continuity are not merely about technology. They are about having a strategy in place and leveraging technology so that all of an enterprise's assets, people as well as technology, work well in a crisis. It is for this reason that the cloud needs to be given serious consideration in the development of a resiliency strategy, even if an enterprise is not ready to move its main operational capabilities to the cloud.
Hamami summed it up well. “When it comes to both compliance and resiliency, customers should know what they need, and what they are getting. Our job is to assure our cloud is being built and run securely and that you as the customer are getting exactly what you are getting and exactly what you want,” he said. In short, the cloud just might be the silver lining that answers your compliance and business continuity challenges, but you need to know who you are dealing with and have open and transparent dealings.