Businesses Need to Read Their Service Level Agreements

By Robert J. Mullins  |  Posted 2012-06-14

He said in-house legal counsel, not the service provider, needs to determine what regulations a company has to comply with when moving to the cloud. Increasingly, in-house legal counsel hires an outside law firm that specializes in electronic records security and privacy compliance.

Also, the fundamental security issue that businesses have to understand when contemplating a move to the cloud is that in a public cloud, the customer has no control over security of the computing environment, despite any assurances from the provider that they have firewalls, intrusion prevention systems or anti-malware protections in place.

But customers can secure their data, said Dan Reis, director of US product marketing at Trend Micro, who also spoke at the conference.

"If you store data in the cloud you don't have control over exactly where it is, who else may be on that storage device or the medium on which that data is traveling. That's a lot of exposure to your data," said Reis.

Because the public key infrastructure (PKI) method of encrypting and decrypting data is so complex, Trend Micro offers a service called SecureCloud, which does the encryption as a service so that when a company's data is in the cloud and there's a breach or other problem, the data is protected, he said.

While adoption of cloud computing is growing, Reis said many companies are still on a learning curve as to what cloud computing is and how safe it is to use it. "A lot of them hear the term 'cloud,' but there are a lot of different definitions of it … so there's a lot of confusion from that standpoint."

The CSA's Howie says a thorough reading of the cloud provider's service level agreement (SLA) is needed to specify how the service is being delivered, including whether the service provider, in turn, contracts with yet another service provider.

"The SLA that you get from your cloud provider can only be as good as the SLA from their cloud provider," Howie said.

And despite assurances from cloud providers that they offer security and reliability, incidents still happen. Amazon Web Services (AWS) customers were impacted by an outage at an Amazon data center in northern Virginia in April 2011. AWS advises customers to spread their workloads across multiple Amazon data centers for backup, but those worst affected by the Virginia outage were the customers who failed to take that advice.

Another failure occurred in Microsoft's Azure cloud service, the cloud version of Windows Server, in February. Microsoft said the service outage impacted Windows Azure Compute and dependent services: Access Control Service (ACS), Windows Azure Service Bus, SQL Azure Portal, and Data Sync Services. It did not impact Windows Azure Storage or SQL Azure. Microsoft traced the outage to a software bug, specifically a timing miscalculation related to the Feb. 29 Leap Year day, which only comes around on the calendar once every four years.

Editor's Note: This story was updated to correct the number of companies that are members of Cloud Security Alliance.

Robert Mullins is a freelance writer for eWEEK who has covered the technology industry in Silicon Valley for more than a decade. He has written for several tech publications including Network Computing, Information Week, Network World and various TechTarget titles. Mullins also served as a correspondent in the San Francisco Bureau of IDG News Service and, before that, covered technology news for the Silicon Valley/San Jose Business Journal. Back in his home state of Wisconsin, Robert worked as the news director for NPR stations in Milwaukee and LaCrosse in the 1980s.
