companies can use virtual private networks, which create an encrypted tunnel through the Internet, says Ralph Presciutti, a technology expert at consulting firm Tatum in Atlanta.

Presciutti recommends asking for a cloud vendor’s security review, a SAS 70 or the tougher SAS 70 Type II audit.

But not every application needs the highest grade of security. ClubDrive Systems, an Atlanta company that hosts applications for corporates, will put systems in a SAS 70 environment if clients request it. “If they don’t need it, they prefer not to pay for it,” says John Alston, ClubDrive’s CEO.

In fact, clouds can offer a security advantage over traditional software, since cloud providers specialize in making their application as secure as possible, spreading the costs of that effort among many customers. On their own, companies might not be able to afford the same level of security.

Just keeping software patched and up to date can be a daunting task for businesses. “Typically, IT shops struggle with that because they’re underfunded and don’t always have the resources,” says Adam Rice, chief security officer at Tata Communications, an Internet service provider that offers cloud-based security services. “Cloud-based computing is something that, over time, will actually change the paradigm of things.”

But Rice warns that customers need to do due diligence. At Tata Communications, he says, clients regularly come in to do their own security audits, and some insist that the right to do surprise inspections be included in their contracts.

Cloud providers’ service agreements can be very complex, says Mark Gilmore, president of San Jose, Calif., technology consulting firm Wired Integrations, and many are biased in favor of the provider.

“One larger provider that I know of does not allow clients to back up their own data from the cloud,” Gilmore says, “virtually locking them into a permanent contract. CFOs need to pay attention to the details and the fine print or regret it down the road.”

One group recently hit hard by a provision in a cloud vendor’s contract was WikiLeaks, whose hosting provider, Amazon, cut it off, says Robert Scott, a lawyer specializing in technology issues at Texas-based Scott & Scott.

“When WikiLeaks was in the news, Amazon turned off their services, citing that they had the right to terminate,” Scott says. “When you’re dealing with cloud contracts, the termination provisions in the contract could make the difference between being up and being completely unable to operate.”

Companies should also take a look at intellectual property rights, he adds, and who owns what if the contract is severed or the cloud provider goes out of business. Finally, companies can talk to their vendors about network security and data privacy, and ask the vendor to take out an insurance policy in case of a breach or data loss, Scott says.

Cloud computing empowers employees, letting them set up online groups, meetings, e-mail systems, blogs, document repositories and project management sites quickly and cheaply.

And there’s the provisioning issue: If an employee sets up, say, an online document repository, fills it with sensitive corporate documents and invites colleagues to share it, when those colleagues leave the company, they might retain access, since user account management isn’t centralized with HR. Similarly, fired employees still might continue to access work-related social networks, project management sites, meeting rooms and blogs.