Finding your way in the clouds

In August 2009 I wrote of my concerns regarding the drive to place core business functions into the cloud. I wrote that the cloud, whilst on the surface attractive due to potential management savings, presents the potential user with many traps that could end up tying the organisation to a solution it cannot live with long term and may not be able to escape at all, whilst opening the business up to new threats posed by the creation of a common environment.

The original article, IT Experts With Their Heads In The Clouds, can be found here http://robson.ph/blog/index.php/bensblog/it-experts-with-their-heads-in-the-cloud

Having laid out the case against cloud computing solutions, the reality is that the industry is still moving in this direction. Whilst I am still adamant that any organisation would be foolhardy to rush into such a solution, it must be realised that many businesses are investigating this option. Consequently it would be helpful if prospective users of cloud solutions were given some specific guidance on some of the questions they should be asking their prospective Software as a Service (SaaS) provider before signing on.

Consequently I present questions you should ask your prospective cloud service provider and that you should ensure you have robust answers to prior to commencing the use of their services:

What type of interface is presented to the user?

Initially it is important to understand from a functional perspective how users are to access your services and data provided via the cloud service provider's infrastructure. Are they granted some method of thick-client to server access, is it a thin-client to server access, is it a web based portal or is it some other type of user interface?

Each method has pros and cons. A thick-client solution would work most similarly to how a standard IT environment works, and as such would be most familiar to the end user, but leaves most of the management issues still within the hands of the organisation. A thin-client to server solution moves some of the management headaches to the service provider but still requires that the user utilise a pre-defined thin-client system to access the cloud environment. A web portal allows the organisation to move all issues into the cloud and largely not care what the end user is using, as they only need a compatible web browser; however, this solution removes all control from the organisation and places total dependency on the systems of the service provider to maintain a quality outcome.

How is communication between the user and the cloud service provider to be secured?

When you place all of your organisation's golden eggs (accounting packages, CRM solutions, intellectual property) into the cloud you are removing them from your physical environment. This means that any use of these core business systems requires that you traverse the public Internet, an inherently insecure environment, thereby transmitting your organisation's confidential information across an inherently insecure medium.

Consequently it is important to ask your prospective cloud service provider how communications are to be secured between your users and their in-the-cloud systems.

From what user systems can the cloud be accessed?

With such a variety of user systems now available (PC workstations, notebooks, thin-client consoles, PDAs, mobile telephones, etc.) it is important to discover from the service provider what methods of access to cloud based services are to be provided to the user. Are the provided methods compatible with the organisation's existing infrastructure or will new user systems and/or software need to be deployed?

How are user systems evaluated for security issues?

When your organisation maintains its own service infrastructure it does so being in full control of the environment in which its services are run and accessed. However, when the organisation places its data and associated processes into the cloud the temptation exists to treat the user workstation as a thin client, thereby reducing the administrative overhead for the business. This relaxation of workstation management introduces a significant risk that those workstations will be compromised, thereby turning them into relays for attacks against your in-the-cloud solutions.

When discussing the provision of cloud based services and having the service provider explain the communication techniques, it is important to ask them how they verify that the workstation connecting to their environment has not been compromised. This is especially the case if their solution allows access from mobile devices which may, or may not, have anti-virus/anti-spyware solutions running in various states of maintenance. Will the cloud provider's systems verify that the user's workstation cannot introduce compromises into the cloud based services?

How are users authenticated?

With important organisational assets to be held in the cloud it is important to know that users accessing the cloud based services are meant to be able to access those services and are who they say they are. Consequently it is very important to ask the cloud service provider how access is controlled to the environment.

In asking the service provider how access is controlled you should be asking what types of authentication are used. Is it just a username & password combination via a simple web interface, something that is very likely to become the victim of a brute force password crack attempt at some stage, or is the authentication method more sophisticated, restricting access to fixed locations, at fixed times, with physical tokens or other methods of identifying the user?

What level of guaranteed connectivity can be achieved?

Given that the core of the cloud based solution is to put core organisational information assets into the Internet cloud, it is a given that Internet connectivity is critical to your organisation's performance. An Internet outage will mean that your organisation is completely cut off from its own information assets, thereby shutting down significant aspects of your organisation's activities.

To combat this issue cloud service providers will detail, usually in their brochures, a guaranteed uptime, for example 99% network availability. This however does not deal with the whole picture and is also a slightly misleading way to represent the guaranteed availability.

99% uptime equates to a permitted outage of 14.4 minutes per day. However, this is only the permitted outage at their end of the Internet connection; there is still your end of the Internet connection and more. If you then speak to your own organisation's ISP, and -if- you can convince them to give you an SLA, then a 99% uptime from your ISP will allow them up to 14.4 minutes of outage per day. This now means that across both ends of your connectivity you could have as much as 28.8 minutes of outage with no recourse. However, this says nothing about guaranteed communication between your ISP and the cloud service provider's ISP(s).

So in considering the cloud service provider's solution your organisation should seriously consider what the likelihood of an outage is during business hours and what impact such an outage may have on your activities.
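The arithmetic above, carried through as an added example (not part of the original article): it totals the outage each SLA permits, gives the worst case when outages on different links never overlap, and flags links that carry no SLA at all. The link names, the function names and the choice of measurement window are assumptions made for illustration; the 99% figures are the article's.

```python
from math import prod

MINUTES_PER_DAY = 24 * 60

def downtime_budget_minutes(availability_pct, window_days=1):
    """Minutes of outage an SLA permits within one measurement window."""
    return round((1 - availability_pct / 100) * window_days * MINUTES_PER_DAY, 3)

def end_to_end(links, window_days=1):
    """links maps a link name to its SLA percentage, or None if no SLA exists."""
    covered = {name: pct for name, pct in links.items() if pct is not None}
    unbounded = [name for name, pct in links.items() if pct is None]
    budgets = {n: downtime_budget_minutes(p, window_days) for n, p in covered.items()}
    return {
        "budgets_min": budgets,
        # Worst case: outages on different links never overlap, so they add up.
        "worst_case_min": round(sum(budgets.values()), 3),
        "worst_case_pct": round(100 - sum(100 - p for p in covered.values()), 4),
        # Kinder case: links fail independently, so availabilities multiply.
        "independent_pct": round(100 * prod(p / 100 for p in covered.values()), 4),
        # A link without an SLA has no upper bound on its outage at all.
        "unbounded_links": unbounded,
    }

# Constructed input: hypothetical link names, the article's 99% example figures.
CONSTRUCTED_LINKS = {
    "cloud provider": 99.0,
    "your ISP": 99.0,
    "transit between ISPs": None,  # no SLA offered to the customer
}

if __name__ == "__main__":
    for days in (1, 30, 365):
        result = end_to_end(CONSTRUCTED_LINKS, window_days=days)
        print(f"{days:>3}-day window: up to {result['worst_case_min']} min permitted, "
              f"floor {result['worst_case_pct']}%, no bound on {result['unbounded_links']}")
```

If the SLA is measured over a 30-day window rather than per day, the same two 99% guarantees permit 864 minutes (14.4 hours) of outage, and nothing in the percentage stops that falling within business hours.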

How are the data and associated processes of your organisation isolated from other organisations' data and associated processes?

If you place your organisation's information processes and associated data into a cloud service provider's environment you are placing them onto shared infrastructure that could have any number of other users operating on it. This raises two significant questions: how is your data secured from other users; and how are you guaranteed the resources required to deliver your requirements to the performance level you require?

When you are discussing the prospect of migrating your internal business functions to the cloud service provider's infrastructure you should ask them very specifically how they secure your data and processes from other users and how they validate that those security methodologies are in fact working. You should also ask by what method they ensure that one user of their environment cannot take over so many resources that other users' performance starts to degrade, and how they validate that.

How are the data and associated processes of your organisation isolated from the service provider's own administrators?

Whilst the service provider may have a very good answer for the securing of your data and processes from other users there remains the question of protecting your information assets from the service provider's systems administrators.

Most systems administrators have administrative (root) access privileges and under normal circumstances, for example within your own internal IT environment, those administrators would have full, uncontrolled access to all IT based assets of the business (not a good thing, but at least they're your employees). This could very well be true for the service provider's administrators, so it is important for your organisation to decide how much it likes the idea of the service provider's staff having full visibility and control over your data and, if that is not acceptable, to ask how the service provider prevents this.

How is the organisation's data protected against subpoena against another customer of the service provider?

One of the often overlooked aspects of cloud based services is what happens when another user of the cloud environment has their records seized by the courts?

Ordinarily when an organisation has its records seized by the courts a legal team seizes the physical IT assets of the business and has a forensic analyst go through its storage systems looking for information of interest to the court case. However, what is unknown at this stage is how a court will treat a shared storage environment, such as that of a cloud service provider.

As a result, when discussing putting systems into the cloud it is important to ask the service provider how they would protect your data from being seized in a court action taken against one of their other customers, to prevent your organisation's confidential data being collected up and published just as collateral damage in someone else's fight.

What access does your organisation have to data upon the termination of the service contract?

At some point in time, should you decide to use the cloud service provider, your organisation will need to terminate the contract. The issue is, however, that all of your company's data for the last few years is now housed in the service provider's environment and they may be none too pleased about losing you as a customer. So what happens now?

It is important to ask your prospective cloud based service provider, on day one, how you gain access to your data for your own use upon termination of the contract? How will they provide access to that data so you can continue your business uninterrupted?

Also, when your contract ends what will they do with the data they previously hosted for you? Do they destroy the data and if so how do they destroy it? What about data held in their backups, how is this handled after you cease to have a contractual relationship with them?

What access does your organisation have to the data whilst in contract?

The reality of business relationships is that they don't always go smoothly. Issues occur and disputes happen. So what happens in the event of a contract or accounting dispute: will access to the organisation's data and associated processes be denied?

To guard against such a situation, what level of access does your organisation have to the data itself for your own backups, so that in the event of such a dispute your business doesn't get shut down until it is resolved?

What is the financial position of the cloud service provider?

Lastly, but very importantly, ask the service provider to convince you of their financial robustness. The last thing you want is to become dependent on their services being available whenever and wherever you need them only to come in one morning and find them in liquidation, their services shut down and your data locked away and inaccessible.

If you can achieve a good answer to all of these questions (and possibly more) then you may be dealing with a service provider who can meet your needs. If, however, they baulk at any of these issues you should probably walk away.