Businesses Need to Read Their Service Level Agreements
He said in-house legal counsel, not the service provider, needs to determine what regulations a company has to comply with when moving to the cloud. Increasingly, in-house legal counsel hires an outside law firm that specializes in electronic records security and privacy compliance. Also, the fundamental security issue that businesses have to understand when contemplating a move to the cloud is that in a public cloud, the customer has no control over security of the computing environment, despite any assurances from the provider that they have firewalls, intrusion prevention systems or anti-malware protections in place.
But customers can secure their data, said Dan Reis, director of US product marketing at Trend Micro, who also spoke at the conference.
"If you store data in the cloud you don't have control over exactly where it is, who else may be on that storage device or the medium on which that data is traveling. That's a lot of exposure to your data," said Reis. Because the public key infrastructure (PKI) method of encrypting and decrypting data is so complex, Trend Micro offers a service called SecureCloud, which does the encryption as a service so that when a company's data is in the cloud and there's a breach or other problem, the data is protected, he said.
While adoption of cloud computing is growing, Reis said many companies are still on a learning curve as to what cloud computing is and how safe it is to use it. "A lot of them hear the term cloud, but there are a lot of different definitions of it … so there's a lot of confusion from that standpoint."
The CSA's Howie says a thorough reading of the cloud provider's service level agreement (SLA) is needed to specify how the service is being delivered, including whether the service provider, in turn, contracts with yet another service provider. "The SLA that you get from your cloud provider can only be as good as the SLA from their cloud provider," Howie said.
And despite assurances from cloud providers that they offer security and reliability, incidents still happen. Amazon Web Services (AWS) customers were impacted by an outage at an Amazon data center in northern Virginia in April 2011. AWS advises customers to spread their workloads across multiple Amazon data centers for backup, but those worst affected by the Virginia outage were the customers who failed to take that advice.
Another failure occurred in Microsoft's Azure cloud service, the cloud version of Windows Server, in February. Microsoft said the service outage impacted Windows Azure Compute and dependent services: Access Control Service (ACS), Windows Azure Service Bus, SQL Azure Portal, and Data Sync Services. It did not impact Windows Azure Storage or SQL Azure. Microsoft traced the outage to a software bug, specifically a timing miscalculation related to the Feb. 29 Leap Year day, which only comes around on the calendar once every four years.
Editor's Note: This story was updated to correct the number of companies that are members of Cloud Security Alliance.