Late in the 1990es Internet revolutionized workplace by connecting millions of computers that dramatically improved productivity and service quality. Another wave of information technology revolution is evolving in the form of cloud computing. Software as a service (SaaS) in cloud computing is changing the traditional way we used services for business application, social media, data share, technical support and is expanding the scope every day.
While it is beneficial for Small Medium Business (SMB) clients to use shared resources, it is important to analyze the risk factors associated with Cloud Service Provider (CSP) before running the business service using cloud service.
SaaS is offering unprecedented cost effective solution to Small Medium Business (SMB) on accounting, human resource, customer relations management and IT support. Cloud computing is delivering software and services that would otherwise would be cost-prohibitive for small and medium size businesses.
There are four different types of cloud service models available to clients today.
Private Cloud: This model service is dedicated to one organization and infrastructure is located at client’s premise or off-site managed by client or third party provider. An example is corporate data center managed by internal IT team or third party provider.
Public Cloud: This model service is offered to all users by an organization and infrastructure is located at provider’s premise. Examples include Salesforce.com, Google apps and Dropbox.
Community Cloud: This model service is shared by a group of organization with similar business need restricted by compliance, security or similar common guidelines. Cloud service infrastructure is shared by organizations and infrastructure may be located onsite or offsite. Health care providers could setup a community cloud to share data between the providers.
Hybrid Cloud: This model is a combination of two or more clouds, private, public or community clouds. These clouds remain separate but it can be integrated through technology for rapid expansion when needed. Example includes integrated application that runs on private cloud that is connected to a public or community cloud service.
Most SMB’s are excited about the benefits of cloud service, so let us evaluate risks and how to mitigate those risk factors.
1. Data Security
When the data is outside client’s facility, security of the data depends on CSP security policy. In this model client and provider share security risk factors. CSP model consists of traditional and non-traditional security threats. This includes infrastructure access by third party, sharing of resources with other organizations, geographical location of data and potential restrictions by domestic laws, vulnerabilities from virtualization, security policies and produces to name the few.
Risk mitigation: This is the most important risk in CSP model. This risk is also a national risk factor as a security compromise at large cloud service provider could affect nation’s large companies’ business data and leak business secrets. You should do a comprehensive security risk analysis before choosing a CSP. Investigating provider’s track record on security is a key component in risk assessment. Data encryption of sensitive data and secure delivery are best practices. You may also want to evaluate what data is maintained on the cloud. Security policies, system configurations, encryption keys, audit files, password application and disaster recovery documentation are some of the sensitive data and risk must be addressed adequately.
2. Internet Failure
Before choosing a cloud service, client should analyze and have a plan-B when Internet service becomes unavailable. Internet failure can be in the form of ISP (Internet Service Provider) outage, failed link to the provider, modem or router failure, line congestion or human causes. Client should develop a plan on the maximum tolerance duration a business can run without having access to the Internet.
Risk mitigation: Your risk mitigation strategy is to consult with an expert support team to analyze the risk factors and come up with a cost effective plan B solution. A solution to this risk would include identifying a secondary ISP provider and connection fail over configuration. For SMB, a cost effective approach would be to hire an off-site technical support in identifying secondary ISP provider and dynamic routing connection when access to provider is unavailable.
3. Breach of Law and Service interruption
The risk related to law enforcement investigation and disruption of service stem from service provider not following the rules and regulation, standard operating procedures and lack of ethics. Breach of law could happen when a disgruntled employee intentionally makes effort to interrupt the business. Such action can have a profound impact on business if proper monitoring, validation and auditing procedures are not in place. Data leak such as personal identifiable information (PII) whether it is intentionally or unintentionally to an unauthorized source, unlawful content storage and dissemination or business information espionage can result in law enforcement agencies investigation and service interruption.
Risk mitigation: Human resource management of cloud service provider is outside your control. However you could ask CSP for human resource practices and incident statistics such as employee turnover and insider security incidents. The statistics such an under qualified resources, lower compensation, working condition and large employee/contractor turnover are high risk factor indicators. Based on these statistics you should make the decision on choosing your CSP.
4. Performance and availability
Application performance depends on several factors including server configuration, network, security settings, geographic location where CSP infrastructure and client is located. Application performance and availability is also depending on your ISP network. So client should investigate how CSP would provide a reliable performance and availability if the application is hosted in virtual environment and shared by other organizations. If your CSP has not done effective capacity planning, a single organization selecting large amount of data could potentially affect availability of application to other organizations.
Risk mitigation: A written Service Level Agreement (SLA) should be entered between client and CSP on performance and availability. Client should check with CSP whether they would give network topology diagram both at primary and disaster recovery locations. Client should also try to get SLA from ISP on Internet latency and bandwidth.
I recommend SMB clients to partner with information technical service provider to analyze risk factors and SLAs before choosing a CSP.