First, consider which workloads are best suited for the cloud. Not all workloads are equal in terms of security or severity (if the data were compromised or leaked). While development or test workloads are great choices for public clouds, sensitive workloads are still a better candidate for on-premise or private clouds. Be selective. Big data is a candidate for cloud workloads, but you must use a provider that treats your data with the same level of security that you would use in your own data center.
Think about how you will protect the data in the cloud. Will you use firewalls in the workload, or does the provider offer a hardware- or network-based alternative? Can you ensure that all your data is kept confidential in the network, or must you plan to encrypt the traffic? Will you have access to intrusion detection systems or other tools that may provide an early warning of hacking attempts or security breaches?
Beware Cloud Fails
A common misconception about cloud computing is that workloads in the cloud are always available and have limitless backups. This couldn’t be further from the truth. If availability and always-on functionality is a requirement, you must carefully review your cloud provider’s service-level agreement (SLA) to see if they are a good fit. Many cloud providers can provide extra redundancy, but not for free. Again, determine what is appropriate and develop a plan for data protection that includes disaster recovery planning. Even cloud providers can fail.
With Palms Open
Develop a policy that dictates who can deploy cloud workloads, including the approval process to be used when they are deployed. One of the many goals of cloud computing is self-service, and it is easier to control the flow of water with an open palm than a closed fist. If possible, enable the business users to deploy workloads as long as they conform to the IT policies.
Tools to Succeed
The trouble with self-service portals is that they require work to develop and maintain. Fortunately, there are many companies that have built tools that make this process easy. In fact, there are companies that have created portal software that interoperates with several leading cloud providers. One in particular is VMware’s vCloud Automation Center (vCAC). This software package becomes the self-service portal that your business units can use to deploy new workloads in the local data center, as well as in public clouds, such as Amazon EC2 and VMware’s own vCloud Hybrid Service (vCHS). The tool controls the lifecycle of the workload from the approval process to automating the deployment and reviewing the costs and performance.
VMware isn’t the only player in this market though. Other tools such as CloudBolt and VMTurbo can provide this level of orchestration and collaboration with even more cloud providers such as Terremark and Windows Azure. Evaluate the tools against your strategy to find the best fit and the software package that is the most extensible so that it will adapt to your business as your policies change.
Compliance is the Key
Finally, while a strategy is important and tools are great, all of this work will be quickly rendered useless without some form of policy control and auditing for compliance. Like the Internet access of the 1990s, auditing for cloud workload compliance is largely based on the honor system. It’s difficult to detect if a department in your organization has deployed workloads in the cloud. To detect them, you’d have to review firewall logs and credit cards and perform sweeps of your own network to look for traces of FTP or VPN connections. Consider implementing this policy in your standard human resources policy package, right next to the acceptable usage policy for IT resources.
This is an excerpt from the Global Knowledge white paper, IaaS Public Clouds and the Perceived Security Threat.