Thursday, August 27, 2009

Cloud Considerations: Security

If you're interested in cloud computing, then keep an eye out for upcoming "Cloud Considerations" posts. I want to make it easy for you to highlight these if you wish.

This is kind of the first installment, but I have to say that it's founded in my past postings on cloud computing. For those, go to

- - - - -

I've talked to a lot of clients about cloud computing and moving their services off to the cloud.

The first question for almost every one of them is security. This is odd from some of them who regularly click on every shiny object they find. But we're all human and our minds are capable of holding two completely opposite beliefs at the same time.

No matter what their personal habits are, they want their company data to be secured. Questions include . . .

- Where will our data actually BE?

- Who will have access to our data?

- How is our data kept separate from other companies' data?

- Is our data backed up? Is this separate from others' data?
- - If not, how can they ever purge our data if we drop the service?

- If the company housing our data is sued, can the courts force them to hand over our data for any reason?

- If the company housing our data goes out of business, what happens to our data?

- As the government regulates my industry more and more, how will we know that we're complying with government guidelines?

- If there is a security breach, is the service company required to tell us that our data has been compromised?

(I REALLY welcome your additional security questions in the comments area.)

You get the picture. And if you can answer all those questions right now then I have to call you a BSer. Very few industries have figured out all these things. And the government will regulate all industries more and more going forward. But in the meantime, we need to come up with some answers (we as an industry).

We are just beginning to see buzz about security and hosted services (e.g., Trend-followers can bet on a huge increase in this.

In the great someday, every product will have a security notice that explains all this.

In the short term, you need to come up with reasonable answers for your clients.

Before that, you need to come up with the actual products and services you're going to sell. Details Details.


Join Me In Chicago September 23rd
Seminar - Introduction to Zero Downtime Migrations


  1. Funny that these are there questions, I could think of a lot better questions?

    If they're down how will they keep you informed about what's going on and when things will be up?

    If we need data restored how long does it take? How much does a restore cost?

    How do we trully know if they're testing backup/restore procedures against our equipment and not just a "general test" against random equipment?

    If they go out of business, sell to another vendor who jacks our fees up over night how will you migrate our Exchange, SQL and SharePoint data?

  2. Anonymous1:34 PM

    I think for businesses in the small to medium enterprise - the due diligence on closure etc is truly valid, I just got bitten by that;

    As far as security goes - I would be willing to bet that 'Cloud' providers are doing better at that than the average SME!

    In other words - as an SME business - Can you do better????

    The last point I have is for those of us outside of the US - you mention regulation - Now;

    If myself as a Canadian company doing business (hypothetical) with a Cuban Company with my data hosted in California ......

    Whose jurisdiction is that in?


    Two trade law experts told me it could be all of the above!

    Best Regards

  3. I think you just gave me a checklist to use as an asset for our partner base's collateral in selling cloud services ;)

    Most of these we already answer in the AUP/TOS contract paperwork that every provider signs and passes down to the client.

    Now with all due respect, I can tell you that most of the question list is sort of laughable and not something taken into consideration by most people that are outsourcing... because if they were true concerns everyone would have an in house IT department and entire books of processes and regulations - very few do and they aren't in SMB - but let's for the sake of the argument assume I'm just dealing with people that self-select themselves into my business model:: The biggest question anyone should have is feature limitations - by giving up control you restrict your feature set. Can you live with that? Can you live without direct server access, Administrator privileges, migration control, upgrade control, etc.

    That in the nutshell is the #1 question we field: Once I turn this all to you, how much control do I get (answer: in a shared environment, none. But we'll gladly upgrade you to a dedicated solution that gives you full control and none of the headaches but it's going to cost you, ie: msp in the cloud)



Feedback Welcome

Please note, however, that spam will be deleted, as will abusive posts.

Disagreements welcome!