Cloud security 101: Are Cloud providers reliable?

The value of an airtight SLA with your Cloud provider

Companies relying on Cloud services from Amazon were left hanging in April when the Cloud provider’s EC2 went down. For Gartner research director Rob McMillan, this outage highlighted the need for companies to have airtight service level agreements (SLAs) to ensure their provider’s — and therefore their data’s — reliability.

This article is part of a Computerworld Australia series looking at the issues surrounding Cloud security and reliability.

Whereas SLAs with data centre providers are relatively mature, SLAs with Cloud providers are still going through an evolutionary process, McMillan says, so those sourcing Cloud services need to ensure theirs is tailored to enterprise-level standards.

“Service levels… should be about outcomes, not necessarily about technology and they will have to be tailored for end user customers but in other areas there will be cookie cutter parts to them,” he says.

Frost & Sullivan ICT practice research director, Arun Chandrasekaran, agrees that people are learning lessons about Cloud security assurances the hard way and warns Amazon’s EC2 outage will not be the last.

He also cautions against enterprise customers rushing to sign an SLA with providers. “My opinion, and that of enterprise customers I have spoken to, is that SLAs are not yet enterprise grade,” he says.

“They are good for small and medium businesses, but I can’t put my mission critical SAP or Oracle application on a public Cloud because the downtime that is allowed is simply not acceptable.

“In a public Cloud you do not get dedicated infrastructure but multi-tenanted infrastructure, so you are sharing that with other people.

“As well as dictating terms for uptime, SLAs play an important role when it comes to getting company data back in a timely fashion should a Cloud provider go out of business.”

“The Cloud provider might go into administration or receivership,” says Sophos Asia Pacific head of technology, Paul Ducklin.

“Imagine if they are unsuccessful, when a company goes into receivership and the creditors line up to see who is going to get how many cents in the dollar.”

As Ducklin explains it, the Australian Taxation Office (ATO) gets the first bite of the cherry; the biggest creditors get the next bite, and so on.

The “poor old person” at the end might get one cent in the dollar if they’re lucky, and the same issues are waiting to happen with Cloud-orientated services when the poor old IT manager tries to get his or her data back. Mergers and acquisitions also affect access to data, as well as data sovereignty.

This is because if your Cloud provider gets acquired then it may end up in a whole new jurisdiction with a new owner, under a new legal regime that neither they nor you are familiar with.

“You need to be able to do so as well because you might decide that their security isn’t up to the standard that you have now decided is appropriate for your data,” Ducklin says.

“You also need to think about how you withdraw permission for other people to look after your services and your data. It’s a little more subtle issue than a straight outsourcing agreement.”

Follow Hamish Barwick on Twitter: @HamishBarwick
