As CIO there are a few things you should know

When it comes to cloud computing, many company executives as well as many CIOs believe that the “cloud” is a good thing. For example, it can relieve the IT department of several constraints. Among these are computing and storage capacities, backup, some DR concerns, support and more.

However, all is not rosy in “cloud land”. There are several potential pitfalls that a CIO should address when considering using a “cloud” solution. What are the risks you should consider and how may that affect the bottom line?

First a clarification. I’m speaking of “cloud” as in a service provider, that is, the “cloud” is you using hardware and resources which are not under your control. That is, I’m speaking about a “public cloud” v. “private cloud” where you control resources.

Here are some points to consider, let’s talk about them in the CIA, Confidentiality, Integrity and Availability paradigm.

Confidentiality

Most public cloud offerings are actually running on computers in either shared virtual computers or “dedicated” virtual servers. This is necessary to achieve the economies of scale that is an essential part of the “cloud”. What this means is at some level, other folks are using the same resources. If those folks turn out to be bad players, your enterprise and customer data can be compromised. This is true whether you’re running on a shared virtual computer or a dedicated virtual computer. A virtual environment is a shared environment on a base level.

If your company uses dedicated hardware servers sitting in someone else’s datacenter, even if serviced by them, you significantly reduce (not eliminate) the exposure but then you’re not really using the “cloud” either. We’ll cover private and hybrid “clouds” in future posts.

SAN or NAS, Storage Area Network or Network Attached Storage, each can be shared with other folks. Whenever there is shared resources with folks you don’t know, you run the risk of your data being compromised.

Network traffic, especially when using the Internet, can be compromised at numerous levels. Even encryption is no guarrantee that your data is safe. There have been “man in the middle” type of attacks that spoof your encrypted connection thus opening all your data to compromise.

Integrity

What is data integrity? It is simply being able to trust the data that you see. You trust it hasn’t been altered either by accident or intent. It is accurate and consistent. There are no unintended (from the data owner’s viewpoint) changes to the data.

If anyone other than the official users can see the data, most often the data can be changed by them. This can be true for Virtual servers, storage arrays as well as for network compromised data. In short if confidentiality is compromised, most likely integrity will be too.

Availability

Virtual servers will normally be configured in a “high availability” configuration. In case of hardware failure this significantly increases your changes that your application and data will be available when needed.  However, if the servers or SAN/NAS are compromised, that same bad player can also take control of the server or your application and prevent you from accessing your data.

Access to your company’s application and data depend on network access. As many have seen in the past, networks slow down and even fail. What happens when the network fails? Quite simply, for all intents and purposes, the application has failed. Your company has no access to the functions and data. You must come to grips with the fact that there will be outages.

It may be argued that large data centers have multiple paths and redundant equipment; and this is true. But I ask you about your office. How many have multiple paths and redundant network equipment to ensure that you don’t lose network access? This type of failover is usually too expensive for small and medium enterprises. By not having redundant networks at each of your locations, you are still subject to a single point of network failure.

In future posts I’ll go deeper into the differences in virtualization models; the implications to Business Continuity and Disaster Recovery; private and hybrid cloud considerations; discuss ways of calculating the risk or expected loss; does the virtualization software matter and more.