First published on 2013-04-13 in Computer Sweden.
The year was 2009. The warning lights were blinking. The clouds were approaching. Unsure, immature, hyped, and with a seductive price tag. A customer commissioned me to make a checklist of services that could be placed in the cloud. The answer was simple: any services, as long as they are not connected to the rest of one’s infrastructure and don’t contain sensitive information. I hope you never need to retrieve the information. Curtain-fall.
The year is 2013. The price tag is still seductive, but the situation is different. The market is maturing. The larger suppliers are listening to their customers. Although contracts are standardised, they are premised on the customer being a professional purchaser. Now one has to make the right choice, not abstain from buying. The pitfalls are many, but the rewards are lower prices, flexibility, and in some cases higher security.
Personal information has been a major obstacle for cloud giants. Therefore a construction called Safe Harbor has now been implemented, meaning that American companies pledge to abide by European legislation. This pertains not only to one’s personal information – all one’s information is accessible only in countries with reasonable legislation. However, the Patriot Act and FISAA trump Safe Harbor, which is important for Swedish public authorities to keep in mind.
Integration with the rest of one’s infrastructure has been another problem. Nowadays, however, one might connect cloud services to the existing Active Directory, and the transition is invisible to users through single sign-on. Naturally, this has to be done in a secure way. Both outsourcing and cloud suppliers are often ISO 27001 certified. Keep in mind that the certificate does not always pertain to outsourced activities. For cloud suppliers, the services as such are certified.
Don’t misunderstand me. I am not advocating placing everything in the cloud. There are lots of things to keep in mind. The Cloud Security Alliance will help you with risk information, control lists, and so forth. We should, however, ask ourselves why whole IT enterprises are to be outsourced if, in some cases, it is both more secure and cheaper to make use of clearly demarcated cloud services.