The shift from on-premise to cloud computing continues to gain pace. But with customers’ number one concern now identified as security, how can an ISV or reseller ensure its hosting partner has the right processes and technologies in place to safeguard critical customer data? How does the shift from on-premise to the cloud affect issues such as PCI DSS compliance? And should organisations begin to impose greater security controls with end customers to improve authentication procedures?
With customers demanding ever more stringent compliance-led contracts, IT organisations can minimise the risk of moving to the cloud whilst also attaining all the benefits of economies of scale, reduced headcount and new revenue streams.
The move away from on-premise systems to cloud computing appears inexorable, with research organisations predicting a wholesale transition to the new model over the next decade. Growing numbers of IT providers, from Independent Software Vendors (ISVs) to consultancies and pure hardware providers, are looking to make the transition to cloud-based service delivery.
But while customer organisations are keen to improve operational efficiency, reduce headcount and improve the bottom line by moving from on-premise systems towards a hosted model, this is a major paradigm shift and requires careful consideration. What are the security implications of moving corporate data off site? What are the risks associated with the multi-tenanted cloud model?
A rash of cloud-security-led debates is whipping up anxiety across end user organisations, apparently making security the number one consideration for every potential customer looking at cloud-based solutions.
But let’s put this into perspective: Level 3 or Level 4 data centres offer far greater levels of data security than on-premise systems. At a physical level, buildings are well ventilated, fire proof and have 24×7 security staff. They are also secured with leading edge technology (from firewalls and anti-spam to anti-virus and real-time monitoring technology) that could never be justified by a single SME. And data centres will impose tight and consistent security policies; there will be no open firewalls to let senior management work remotely, for instance!
Private vs Public
Of course, much of the cloud-based discussion relates to public rather than private cloud activity. The recent security breach at Google Docs obviously raised concerns about the security of corporate documents held on a public cloud.
Furthermore, organisations adopting cloud computing do not always know where data is located. It could be held in countries such as the US or China where there is uncertainty around how information is policed and the information security legislation in these countries is likely to be very different to UK legislation.
But private clouds offer organisations far more choice and control. If organisations are concerned about how the information could be accessed or misused, the best option is to partner with a hosting provider that only uses UK data centres, for both primary hosting and secondary backup sites.
While this is a straightforward evaluation, many resellers and ISVs do not have the internal security expertise required to truly evaluate a hosting provider’s security and privacy practices. At a basic level, ISO 27001 data security accreditation should be a given. But organisations also need to consider data protection, vulnerability management, physical and personnel security, availability, application security, incident response and privacy. And what is the ongoing commitment to improving security? For example, does the provider routinely employ an independent third party to undertake penetration tests?
And with threats coming from internal as well as external sources, what is a provider’s policy for ensuring data centre engineers cannot compromise systems? While most will routinely film all data centre activity, there is a growing demand for engineers to work in pairs, with joint activity sign-off, to further reduce the chance of an internal breach.
If resellers and ISVs are not comfortable with their internal security expertise, it is wise to turn to an independent third-party consultancy to evaluate the quality of any hosting provider’s security set-up. This is a critical transition, and with increasing penalties for data breaches, not one any organisation can afford to get wrong.
Security Added Value
Third party expertise could also be a good opportunity to create a new revenue stream, since the move to the cloud is undoubtedly focusing the attention of many SMEs on security. As a result, the delivery of security expertise and assessment is becoming a key component of the cloud-based model.
For example, organisations need to understand that the responsibility for compliance remains with the company itself and not with the cloud computing services provider. A hosting provider will not be PCI DSS compliant, for instance. Indeed, since under most contracts the provider operates at the infrastructure rather than the transaction level, and hence has no access to the data, there is no requirement for it to be compliant. It may, however, be necessary for the reseller or partner to gain accreditation if the company has access to credit card information.
There is also growing concern that many customer organisations are failing to impose tight password controls over employees who are using both public cloud services, such as salesforce.com, and private clouds for key corporate systems. Far too many individuals are, understandably, opting to use the same password for every system, which raises the risk of unauthorised access to the private cloud.
In addition to improving end user education about password usage, resellers can offer customers token-based access devices to further enhance the security of corporate cloud-based systems.
Security is obviously a concern for organisations embracing this fundamentally different way of acquiring IT services and solutions, and resellers need to understand the security implications of cloud computing.
Organisations need to be far more savvy about key issues such as authentication and access, especially when using public cloud services, and they need to consider seriously the compliance implications of any change to IT infrastructure. But for the majority of SMEs, a UK-based data centre will not only offer excellent economies of scale but, critically, it will offer significantly better levels of security than any on-premise solution.