Thursday, 22 September 2011 13:53
Pragmatism and sound governance will ensure cost savings do not come at the expense of breaches
Markham Parenzee
South Africa’s adoption of cloud computing models, whether public, private, or hybrid, lags world standards. Out of the BRICSS (Brazil, Russia, India, China, South Korea, and South Africa) countries, says Zinnov Management Consultants, South Africa has the lowest cloud adoption rate.
The difference between the highest growth (China) versus the lowest (South Africa) is 33%, according to Zinnov.
“Based on this research it’s apparent that there are strong factors inhibiting the growth and adoption of cloud-based computing models in the South African market,” says
Samresh Ramjith, GM: technology and operation –
security solutions line of business, at
Dimension Data. “These factors would appear to be strong enough to override the commercial and financial benefits of cloud computing, which would indicate that South African organisations view cloud computing as a high-risk strategy.”
The loss of control over infrastructure, services, and data, once cloud models are adopted, are the key risks causing local business to take a guarded approached to cloud, says Ramjith.
|
Brought to you by |
|
|
|
Paul Ruinaard, major accounts manager for F5 Networks, says the fear is justified. “The Citigroup confirmed that in May $2.7 million was stolen in a hack attack from clients’ accounts. CIOs are questioning how, when large organisations fail to safeguard their data, smaller companies with less resources are supposed to ensure minimal risk.
“Quite simply,” he says, “organisations no longer have the option of avoiding cloud. Pressure to reduce costs while maintaining availability make cloud an inevitability. We are in the process of coming to accept the cloud computing model, but right now, we have to approach it cautiously and assume some level of risk.”
“Cloud returns us to the old outsourcing adage of weighing up price versus risk,” says Markham Parenzee, business development executive,
IBM Global Technologies Services at
IBM SA. Adoption and trust are interlinked, says
Dave Funnell, sales manager of RSA, the Security Division of EMC Southern Africa. “There is a perceived loss of control, and a loss of visibility.
Service providers must gain trust by demonstrating they have both.
“While businesses often believe that putting applications and data on virtual machines, then migrating this to a private cloud shouldn’t affect
security, it does,” he says. “The virtual world is not the same as the physical one.”
“The change in paradigm, however, means corporations need to start understanding how to safeguard themselves in terms of policy,” says Ruinaard. “Planning and preparation is critical,” agrees Parenzee. “A roadmap needs to be drawn-up. Governance issues need to be looked at, and a model defined. Organisations need to determine what their success factors are, and what the limitations are. “While the development of the cloud model is new, the ‘journey’ towards cloud has been happening for years. To build an effective cloud model, organisations need to check the boxes that have been in play for some time: consolidation, virtualisation, standardisation, and automation.
The delivery and consumption model has changed with cloud. Organisations must now understand the new risks, and consider them against the benefits – how governance issues are handled in the new model; data management and the associated risks; application architecture and the implications of ensuring applications are Web-enabled and secure.” Regarding data management, “it comes down to due diligence, and organisations having a very clear understanding of how information impacts the business and resides in it,” says
Dimension Data’s Ramjith.
“A decision must then be made on the relevance of that information, and the appropriate place for it to reside. Some information will never be able to leave the private cloud, while in some circumstances, putting data directly onto the public cloud will reveal minimal risk.”
“Additionally,” says Funnell, “organisations must have control over the movement of information.
“Governance must include jurisdiction and regulatory compliance in the geographical location,” agrees Parenzee. “Regulatory and internal policies must be considered if your service provider is hosting data on an offshore location.”
Demand accountability
The key considerations when planning a cloud strategy are, together with IT governance policies, risk, compliance, and data loss prevention.
“Organisations must have visibility into the virtual stack. They must ensure that all regulation and compliance policies agreed upon with the service provider are being adhered to. Where possible, companies should ask for the same technology they had in the physical world – monitoring tools, for example. Obviously, there will be differences, but the migration to cloud must have the right controls in place,” says EMC’s Funnell.
“Organisations must carefully investigate and gain assurances from cloud providers in terms of their model, and the checks and balances in place. They should be asking to see
security standards which are auditable, as well as a record of
security competencies, before they trust providers to manage their cloud environment,” says Parenzee.
“Today,” says Funnell, “there are solutions available for the private cloud that can validate
security and compliance of the private cloud provider – and there will be a natural progression to the public cloud provider. Frameworks have been developed which allow organisations to measure if appropriate solutions are present.