(Adapted from “Roadmap to the Public Cloud”, by Beth Schultz, Network World)

What kinds of companies tend to favor Public Cloud services?

  • Smaller-to-midsize companies and verticals.
  • Have not already made major investments in applications or infrastructure.
  • Could be late adopters of new technologies, paper-based, and/or slow to move.
  • May not have the financial resources to reinvest in larger platforms.
  • Data security requirements are not as stringent as banking, retail, healthcare, etc.

Three basic reasons to consider Public Cloud services:

  1. Economic – pay-as-you-go pricing weighed vs. upfront capital outlays and on-premises commitments.
  2. Speed to solution – starting to implement a Public Cloud solution can be as fast as making a credit card payment to subscribe.
  3. Access to specialized or pooled resources – choosing a Public Cloud provider with the expertise you need (e.g., an Oracle database architect) makes that expertise available immediately and without an investment in personnel.

Choosing your Public Cloud provider

(From “Assessing the Security Risks of Cloud Computing” www.gartner.com/DisplayDocument?id=685308, Gartner, June 3, 2008)

  1. Access privileges – Can the service provider demonstrate that they enforce adequate hiring, oversight and access controls to enforce administrative delegation?
  2. Regulatory compliance – Since an enterprise is still accountable for its own data in a Public Cloud, is the provider ready and willing to undergo audits?
  3. Data provenance – Where are the provider’s datacenters located, and can they commit to specific privacy requirements?
  4. Data segregation – If the Cloud provider is offering a shared environment, can the provider guarantee complete data segregation for secure multi-tenancy?
     • Possible legal ramifications: "With cloud computing, data from multiple customers is typically commingled on the same servers. That means that legal action taken against another customer that is completely unrelated to your business could have a ripple effect." www.computerworld.com/s/article/9225340/In_the_cloud_your_data_can_get_caught_up_in_legal_actions_
  5. Data recovery – In the event of a disaster, can the hosting provider perform a complete restoration?
  6. Monitoring and reporting – Can the provider support investigations that might depend on monitoring and logging of activity?
  7. Business continuity – What data portability contingencies does the provider have to avoid lock-in or potential loss if the business fails?

SSL concepts

  • Encryption – the Cloud provider should use a combination of SSL and servers that support, at minimum, 128-bit session encryption (or, preferably, the stronger 256-bit encryption).
  • Authentication – server ownership must be authenticated with an independent, commercially-issued, third-party SSL certificate.
  • Certificate validity – the SSL certificate issued to a device is valid for a defined length of time. Every time an SSL session handshake is initiated, the SSL certificate is checked against a current database of revoked certificates.
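
One way to check a provider endpoint against the three SSL criteria above, as an added example that is not part of the original article. The function names `assess` and `probe`, the 30-day expiry warning and the sample data are assumptions made for illustration.

```python
import socket
import ssl
import time

MIN_BITS = 128        # minimum session encryption strength named above
PREFERRED_BITS = 256  # preferred strength named above
EXPIRY_WARN_SECONDS = 30 * 86400  # assumed warning window, not from the article

def assess(cipher, cert, now=None):
    """Evaluate one session: cipher is the (name, protocol, bits) tuple from
    SSLSocket.cipher(); cert is the dict from SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    name, _protocol, bits = cipher
    findings = []
    if bits < MIN_BITS:
        findings.append(f"weak session encryption: {name} is {bits}-bit")
    elif bits < PREFERRED_BITS:
        findings.append(f"acceptable but not preferred: {name} is {bits}-bit")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < EXPIRY_WARN_SECONDS:
        findings.append("certificate expires within 30 days")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect to an endpoint and assess the live session.

    create_default_context() validates the chain against the system trust
    store and matches the hostname, so a server that fails authentication
    raises ssl.SSLCertVerificationError. It does not consult CRLs or OCSP
    by default; revocation status has to be checked separately.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(tls.cipher(), tls.getpeercert())

# Constructed sample data in the shapes the ssl module returns.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2024 GMT",
               "notAfter": "Jan  1 00:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    print(assess(("AES128-SHA", "TLSv1.2", 128), SAMPLE_CERT, SAMPLE_NOW))
```

`probe()` needs network access to the endpoint being evaluated; `assess()` can be run on captured session details offline.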