Hybrid Cloud Computing Security: Real Life Tales
For all the talk about public clouds versus private clouds, many organizations will likely end up with a mixed IT environment that includes both types of cloud as well as non-cloud systems and applications, at least for the next several years.
Security remains a concern for many CIOs, but if the business case supports it, companies are going to move all but the most sensitive and high-risk data to the cloud. Those executives that have started weaving together cloud and non-cloud environments say they've taken steps to ensure that security is an early consideration, have included security provisions in service-level agreements (SLAs) and contracts, and have worked to maintain compliance and secure integration.
Industry experts say that despite the well-publicized worries about security, the mixed IT environment will likely appeal to many organizations, particularly global enterprises.
"The hybrid cloud model makes a lot of sense in large organizations," says Janel Garvin, CEO of Evans Data, a market research firm in Santa Cruz, Calif. "As security concerns lessen, many might move more of their computing resources out to the cloud. But some may keep a hybrid model for years to come."
Outward-facing applications, such as collaboration, communications, customer-service and supply-chain tools, are excellent candidates for the cloud, Garvin says, while information such as financial and customer data is more likely to reside on-premise. "Most companies also feel that backup for storage and apps should still be kept internally, even if the data and apps reside in a cloud," she adds.
As recently as a few years ago, ventures into the cloud were mostly experimental, back-burner projects, not something to which companies would trust critical data, says Chris Silva, senior vice president of research and service delivery at IANS Research, an information security research firm. Today, "we're seeing a lot more things taking on a cloud flavor," Silva says.
A growing number of businesses are seeing value in services that provide increased processing power for busy times, such as holiday shopping seasons or financial reporting periods, Silva says. "This has moved from fringe activities to the mainstream."
Into the Cloud: The Business Case Rules
To be sure, some companies are still reluctant to use the cloud for customer and other sensitive data because they have security and regulatory compliance concerns. Nevertheless, businesses are forging ahead with cloud initiatives, and, as with other significant IT investments, decisions about whether to use the cloud and which services to adopt often come down to whether there's a strong business case.
"The economics and business needs are going to determine what stays on-premise versus lives in the cloud," says Doug Menefee, CIO at Schumacher Group, which provides emergency-room-management services to U.S. hospitals.
Schumacher began moving applications to the cloud in 2006, and Menefee estimates that 90 percent of the company's processes are in cloud-based services today.
Some are hosted services and others are software as a service (SaaS), Menefee says. "We have a hybrid approach where most of these solutions are integrated with each other via Web services or are integrated with on-premise solutions," he says.
To ensure cloud security, Schumacher worked with each of its vendors to review their security and audit procedures and ensure they were in compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. "We include our business associates agreement as part of our standard contractual language with any vendor who potentially has access to patient data," he says.
A major driver for the company, which is based in Lafayette, La., to go to the cloud was the realization that its data centers were susceptible to damage by major hurricanes like Katrina and Rita, Menefee says. He says the cloud providers have multiple data centers across the country. "Review of data center footprint and geographic locations are part of our due-diligence process," Menefee says.
Other motivators include the ability to easily scale capacity up or down and the need to deliver applications to users faster.
Typically, when Schumacher is deciding whether an application should go in the cloud, "cloud wins because we can get it up and running faster than on-premise," Menefee says. "Additionally, the SLAs and quarterly updates from vendors keep us ahead of the curve on innovation, features and functions."
The Morris School District in Morristown, N.J., also applies business cases to its cloud decisions. The district is using a cloud service from AppRiver to manage its e-mail security, including spam and virus filtering. It's in the process of implementing another cloud service for its main student information system, which is used for tasks such as grading, taking attendance, scheduling, managing health records and coordinating buses.
The school district has opted to keep some portions of its IT infrastructure and applications, such as the budget, personnel and payroll systems, out of the cloud, says Tim McDade, the school district's director of technology. Part of what's holding him back is lack of staff, McDade says.
"We are in the process of launching our new cloud-based student-management system, and to do additional [critical] systems at the same time is too much to undertake at once," he says. "There is the training of many users involved, and the student information system is a major system, in reality the most important system we run."
What factors did the district consider when deciding what to put in the cloud and when? "Money, time available to technically implement [the services], and time needed for training of end users," McDade says.
Using a cloud service for e-mail security saves labor costs. "The time and money to run, maintain and back up those systems in-house cost a fortune compared to hosted solutions," McDade says. In the past, when major virus outbreaks came in through e-mail, "we would more or less have to drop everything we were doing to track it down on our internal servers," he says.
The process of finding and getting rid of e-mail problems internally took hours and was disruptive to operations, McDade says. With the cloud-based application, the vendor handles all the necessary filtering. He estimates that the district is saving at least $20,000 a year by using the cloud service.
The Rawlings Group, a provider of medical and pharmacy claims-recovery services, also has a mixed IT environment. While non-cloud systems handle highly sensitive data, the company uses several clouds, including an internal one in which some 600 systems form a grid that supports database access and data-mining applications.
The internal cloud houses healthcare-client data, says Kevin Landgrave, senior vice president of IT at Rawlings. The grid, which Rawlings launched about a year ago, has helped the company handle its growing data processing demands, he says.
"This is primarily a client comfort and approval issue for us," Landgrave says. "Our agreements with our clients are very specific about how and where we store their data, and the processes used to access the data. We'll need further guidance from the government--around what 'minimum necessary' means in terms of transmitting data for HIPAA business associates under HITECH, and how it might affect the transmission of electronic health records--before we're willing to ask clients for approval to store their data outside of our facility." When a HIPAA-covered entity discloses protected health information to a cloud provider, Landgrave says, it risks exposure to federal data security breach notification requirements under the HITECH Act. (CSOonline's Security laws, regulations and guidelines directory provides summaries and links to full text of these and other requirements.)