Earlier this month, OASIS hosted a forum to discuss standards and interoperability issues for cloud computing. As a technical community dedicated to creating and promoting open standards, OASIS tackles many of the tough challenges that government institutions, private enterprises, software vendors, academics and system integrators face when creating applications and platforms to run our digital economy. Business is global, systems must interoperate, and content flows from person to person both inside and outside the firewall. Sharing and re-use of information is made possible only by letting diverse systems work together. This is the beauty of standards.
Speakers throughout the event -- representing governments in the US, Europe and Canada, as well as regulated industries, such as banks and pharmaceuticals -- highlighted several consistent themes. One presenter, Sounil Yu, shared his perspectives gleaned from the world of financial services, nicely encapsulating five key points made by several of the speakers.
Five Things to Know Before Playing Securely in the Cloud
1. Know Your Cloud Provider
Understand the track record of the cloud service provider(s) you are considering for creating, storing or sharing your corporate content. Questions to ask include: What is their breach history? How transparent and timely is their communication when something goes wrong? How open are they about operational practices such as patch schedules, penetration tests, emergency response plans and employee training? Is security addressed explicitly in the service level agreement, with measurable commitments rather than general assurances? Is the service multi-tenant? If so, know what isolation is provided between tenants, what other tenants are allowed to do on the shared platform, and whether a co-tenant could be a threat to you or an attractive target whose attackers might reach your data through the shared infrastructure.
2. Know Your Data
Information is an accelerant in the digital economy. Data as the “new oil” is a phrase that has been gaining currency for several years. Organizations must understand what information they create and hold. What level of sensitivity is your information? How many categories of confidentiality or secrecy exist? Are the rules for each category of information clearly understood by your employees and contractors? Are they trained on appropriate handling, sharing and disposal policies?
Is metadata being used to consistently categorize or “tag” information? Consistent metadata tagging creates more opportunity to automate: technologies can push and pull content across business processes, and handling rules (who may see a record, whether it must be encrypted, when it must be disposed of) can be enforced by the tag rather than by memory. Information whose quality is reliably controlled and whose structure is consistent will be found, read and re-used more often.
Also understand who owns the data -- there is still much FUD (fear, uncertainty and doubt) about the terms and conditions of some cloud services -- particularly for consumer apps. Ensure you retain appropriate rights to your corporate content regardless of storage location.
3. Know Your Applications
Understand how applications depend on each other and on infrastructure technologies. Different types of applications have different threat profiles, depending on the content and data they process. From a technical perspective, ensure that a compromised application cannot become an entry point into other corporate systems or a vector for a denial of service attack. Map how information crosses network boundaries and firewalls, and where database calls are made. Know how the cloud service provider manages the security of its own infrastructure. This is an area where standards and certifications can be useful guides.
4. Know Your Users
Understand how identification and authentication of users will be handled. What does the cloud provider use to authenticate users and to grant access permissions or administrative rights? Can internal user identities be federated to the cloud applications rather than duplicated there? Ask which standards are in use and for what purpose: SAML (an OASIS standard) and OpenID Connect handle federated authentication, while OAuth is a framework for delegated authorization and by itself does not establish who a user is. A provider that answers “we use OAuth” has told you how access is granted to an API, not how it knows who is at the keyboard. Are other standards-based or proprietary techniques in use?
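The distinction between an authorization token and an authentication assertion is easy to get wrong when wiring internal identities into a cloud application, so here is an added example (not from the original article or from any speaker at the forum) of what “verifying that a user is authenticated” actually checks. It assumes OpenID Connect layered on top of OAuth, a hypothetical corporate identity provider at https://idp.example.internal, a hypothetical cloud application with client id cloud-cms-app, and a constructed HS256 shared key so that it runs offline; real providers sign ID tokens with asymmetric keys published through their JWKS endpoint. The function accepts only a signed ID token addressed to this application, fresh and bound to the current login attempt, and rejects a bare access token even when it comes from the same provider and the same user.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key shared between the hypothetical identity provider and
# the hypothetical cloud application. Real deployments use the provider's
# asymmetric (RS256/ES256) keys; HMAC is used here only so the example is
# self-contained.
SHARED_KEY = b"constructed-example-key-not-for-production"
EXPECTED_ISSUER = "https://idp.example.internal"   # assumed corporate IdP
EXPECTED_AUDIENCE = "cloud-cms-app"                 # assumed client_id of the cloud app


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build an HS256-signed JWT. Used only to construct sample tokens here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def authenticated_subject(token: str, expected_nonce: str,
                          now: Optional[float] = None,
                          key: bytes = SHARED_KEY) -> Optional[str]:
    """Return the authenticated user identifier, or None if the token does not
    prove who the user is.

    An OAuth access token proves that its bearer may call an API; it says
    nothing about who is logged in. Only an ID token (OpenID Connect on top of
    OAuth) carries the claims checked below.
    """
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:
        return None  # opaque access tokens are not JWTs at all

    # 1. Signature: accept only the algorithm we expect (never "none" or
    #    whatever the header claims) and only our provider's key.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None

    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return None

    # 2. Issuer and audience: the token must come from our IdP and be meant
    #    for this application, not for some other API the same user can call.
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if EXPECTED_AUDIENCE not in (aud or []):
        return None

    # 3. Freshness and replay: an expired token, or one minted for a different
    #    login attempt (wrong nonce), authenticates nobody.
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        return None

    return claims.get("sub")


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demonstration is deterministic
    # Constructed sample tokens from the hypothetical IdP for the same user.
    id_token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "sub": "alice@corp.example", "exp": NOW + 300,
                           "nonce": "n-1"})
    access_token = mint_token({"iss": EXPECTED_ISSUER, "aud": "files-api",
                               "sub": "alice@corp.example",
                               "scope": "files.read", "exp": NOW + 300})
    print(authenticated_subject(id_token, "n-1", now=NOW))      # alice@corp.example
    print(authenticated_subject(access_token, "n-1", now=NOW))  # None
```

The access token in the demonstration is signed by the same provider for the same user and still yields None, because it is addressed to a different audience and carries no nonce: possession of it would let the application call the files API on the user's behalf, but it does not tell the application who the user is. Ask a provider which of these checks its integration performs, and on which token.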
5. Know the Laws
Lack of alignment with legal and regulatory requirements can be both risky and costly for organizations. Fines, court judgments and reputational damage are all potential consequences of not paying attention to laws and regulations in the jurisdiction(s) in which an enterprise operates.
For public sector bodies and private companies that hold protected personal, health or commercial data, cross-border data flows must be assessed and understood. Many governments designate certain types of protected information that must stay within a jurisdiction. Know what is safe to move across virtual borders and what is not.
Know the differences between privacy and data protection laws in the countries in which your business operates. And stay current! Just days ago the Canadian Supreme Court ruled that employees should expect a certain level of privacy in the workplace; the impact of this on standard logging, monitoring and filtering technologies is only beginning to be assessed.
Bonus: One Extra Consideration If You Care About the Planet
6. Know Your Cloud’s Carbon Footprint
This sixth consideration comes courtesy of analyst Tom Raftery of RedMonk. At the Monktoberfest developer conference in early October, Raftery presented a compelling call to action to cloud developers and platform providers to help data centers and end-user clients get better insight into their energy use and emissions.
Many vendors and service providers tout “green” in their marketing messages by demonstrating how companies can reduce energy costs by outsourcing their data centers. Many of the newest data center designs are indeed making great strides towards lower overall energy consumption. But Raftery highlights an often overlooked essential measurement: the ultimate carbon emissions produced by data centers.
Data centers on power grids that rely mostly on fossil fuels have a far greater carbon output than less energy-efficient data centers on power grids fed by renewable sources. That is a tremendously important distinction, and something to ask prospective providers about if your cloud strategy has the word “green” in its business plan.
Open Standards Can Help Reduce Confusion about Cloud Services
A good standard, according to keynote panelist Laurent Liscia, CEO of OASIS, should: be supported by vendors and end-user organizations alike, be made transparently, be openly available, have a good governance process, and be responsive to market drivers. Cloud computing, despite its decades-old roots in utility computing services, is still relatively new for most organizations. Many IT managers, records managers and compliance officers have uncertainty about using cloud services. Public sector and regulated industries have specific obligations to protect and secure sensitive information.
Adoption of cloud services for content creation or storage can proceed only when a cloud platform provider can offer assurances about security and data protection. Standards can help decision-makers by illuminating a path to the cloud. Standards can bring clarity to tough topics such as authentication, identification, interoperability, data portability, privacy, security, and the terminology used in service level agreements, and perhaps even help organizations track the carbon footprint of their content.
Editor's Note: Cheryl has written on the topic of cloud and enterprise content before. Read Information Management on Demand: the Cloud Gives Rise to the Enterprise CMS Marketplace.
Image courtesy of ALMAGAMI (Shutterstock)