Pragmatism and sound governance will ensure cost savings do not come at the expense of breaches

Markham Parenzee

South Africa’s adoption of cloud computing models, whether public, private, or hybrid, lags world standards. Out of the BRICSS (Brazil, Russia, India, China, South Korea, and South Africa) countries, says Zinnov Management Consultants, South Africa has the lowest cloud adoption rate.

The difference between the highest growth (China) versus the lowest (South Africa) is 33%, according to Zinnov.

“Based on this research it’s apparent that there are strong factors inhibiting the growth and adoption of  cloud-based computing models in the South African market,” says Samresh Ramjith, GM: technology  and operation – security solutions line of business, at Dimension Data. “These factors would appear to be strong enough to override the commercial and financial benefits of cloud computing, which would indicate that South African organisations view cloud computing as a high-risk strategy.”

The loss of control over infrastructure, services, and data, once cloud models are adopted, are the key  risks causing local business to take a guarded approached to cloud, says Ramjith.

Brought to you by

Paul Ruinaard,  major accounts manager for F5 Networks, says the fear is justified. “The Citigroup confirmed that in May $2.7 million was stolen in a hack attack from clients’ accounts. CIOs are questioning how, when large organisations fail to safeguard their data, smaller companies with less  resources are supposed to ensure minimal risk.

“Quite simply,” he says, “organisations no longer have the option of avoiding cloud. Pressure to reduce  costs while maintaining availability make cloud an inevitability. We are in the process of coming to  accept the cloud computing model, but right now, we have to approach it cautiously and assume some  level of risk.”

“Cloud returns us to the old outsourcing adage of weighing up price versus risk,” says Markham  Parenzee, business development executive, IBM Global Technologies Services at IBM SA. Adoption  and trust are interlinked, says Dave Funnell, sales manager of RSA, the Security Division of EMC Southern Africa. “There is a perceived loss of control, and a loss of visibility.

Service providers must gain trust by demonstrating they have both.

“While businesses often believe that putting applications and data on virtual machines, then migrating  this to a private cloud shouldn’t affect security, it does,” he says. “The virtual world is not the same as the  physical one.”

“The change in paradigm, however, means corporations need to start understanding how to safeguard  themselves in terms of policy,” says Ruinaard. “Planning and preparation is critical,” agrees Parenzee.  “A roadmap needs to be drawn-up. Governance issues need to be looked at, and a model defined. Organisations need to determine what their success factors are, and what the limitations are. “While the  development of the cloud model is new, the ‘journey’ towards cloud has been happening for years. To build an effective cloud model, organisations need to check the boxes that have been in play for some  time: consolidation, virtualisation, standardisation, and automation.

The delivery and consumption model has changed with cloud. Organisations must now understand the new risks, and consider them against the benefits – how governance issues are handled in the new model; data management and the associated risks; application architecture and the implications of  ensuring applications are Web-enabled and secure.” Regarding data management, “it comes down to  due diligence, and organisations having a very clear understanding of how information impacts the business and resides in it,” says Dimension Data’s Ramjith.

“A decision must then be made on the relevance of that information, and the appropriate place for it to  reside. Some information will never be able to leave the private cloud, while in some circumstances,  putting data directly onto the public cloud will reveal minimal risk.”

“Additionally,” says Funnell, “organisations must have control over the movement of information.

“Governance must include jurisdiction and regulatory compliance in the geographical location,” agrees  Parenzee. “Regulatory and internal policies must be considered if your service provider is hosting data on an offshore location.”

Demand accountability

The key considerations when planning a cloud strategy  are, together with IT governance policies, risk, compliance, and data loss prevention.

“Organisations must have visibility into the virtual stack. They must ensure that all regulation and  compliance policies agreed upon with the service provider are being adhered to. Where possible,  companies should ask for the same technology they had in the physical world – monitoring tools, for example. Obviously, there will be differences, but the migration to cloud must have the right controls in  place,” says EMC’s Funnell.

“Organisations must carefully investigate and gain assurances from cloud providers in terms of their  model, and the checks and balances in place. They should be asking to see security standards which  are auditable, as well as a record of security competencies, before they trust providers to manage their cloud environment,” says Parenzee.

“Today,” says Funnell, “there are solutions available for the private cloud that can validate security and  compliance of the private cloud provider – and there will be a natural progression to the public cloud  provider. Frameworks have been developed which allow organisations to measure if appropriate  solutions are present.