This is Part II in a three-part series about Public versus Private Cloud Services.
When considering a move to the Public Cloud, the first question is this:
Are those deployments, infrastructure, or virtual machines secure? Because of security concerns, sensitive customer data, company confidential data, or data in a federal environment would never be destined for a Public Cloud infrastructure.
However, if the data is already encrypted and resides on a storage platform in a customer environment, then that encrypted data can be shifted to the Public Cloud to keep an offsite archive. Using offsite server applications to access that data can be thought of as a virtual data center.
The second thing to consider: How is the data secured?
- Do they encrypt the data in flight as well as in storage, with perhaps an AES 256-bit encryption algorithm, for example?
- Do they use SSL Encryption for transporting data over the network?
- Do they have extremely bulletproof password authentication for getting into the accounts, inside the network, or into the servers to take a look at the data?
- Do the servers reside in a very secure physical data center facility that has at least a SAS 70 Type II or SAS 70 Type III compliant infrastructure?
- Does it have a biometric security access system — perhaps fingerprint, face recognition, DNA, palm print, hand geometry, or iris recognition?
Even if it's a Public Cloud scenario, all of the applications and data need to be in a secure facility.
Does it integrate with backup and archiving software when data needs to be protected? Does it have the capability of supporting the same level of application or the same release levels of the operating systems and applications that currently reside in your own facility?
The fourth thing to consider: do they have the ability to manage that data with a web-based management interface? The fifth area: are they using the right software to deploy this infrastructure, such as virtualization of machines and operating systems that your team knows, like Linux, Windows, AIX, UNIX, and in some cases, mainframe z/OS?
When updates are done on hardware and software, or when data is migrated between servers or sites, are those tasks done on a managed basis? Or is that supported as ongoing enhancements to functionality and systems at no additional cost? Are change-management-related changes monitored? Are they managed within the contract requirements of delivering 99.99% or 99.999% uptime capabilities as per the service level agreements? Is there the ability to have a test environment to test those changes, such as operating system upgrades and infrastructure improvements? Is that managed by the provider, or is it expected to be managed by the customer? These are all very important topics.
In summary, security and management of the Cloud Provider's environment must be well defined and documented extensively in a service level agreement. The expectations of deliverables, commitments to the availability of systems, and completely secure infrastructure are not negotiable items in the contract, but a standard ope