Before adapting Cloud Computing services, something to think about it:

Before adapting Cloud Computing services, something to think about it:


It is obvious that moving into cloud computing services is not avoidable in IT practice and adjustable in finance figures. Nevertheless, information security remains a chief concern before any official action is willing to be taken. As a cloud service subscriber, there are a few things it might want to think about it:

(1) The corporate Information Security Policy: Is there any needs to amend the corporate Information Security Policy? Some of my earlier engagement involved composing the corporate Info Sec policy. To ensure the integrity of such documentation, I spent time in understanding the company itself and identify the risks showing in the risk profile. In moving to Cloud computing service, since our data is going to be located in other domain which the subscriber may, or may not, have direct access control. Nevertheless, the policy amendment has its necessity to fully address latest situation, followed by appropriate security practices.

(2) Security controls: When we talk about information security, we focus on the following three categories: confidentiality, integrity, and availability. With the latest virtualization technology, we are able to minimize the utilization of server/networking /storage devices. However each security control device i.e. wireless security, e-mail spam, anti-virus, is committed on its originally configured functions. Is the current technology in those security controls able to “virtualize” them together? If not, would the service provider still provide such security controls, but continue to charge us the rack fees which a subscriber thinks it would save?

(3) Availability: By adapting cloud computing service, the subscriber is taking advantage of additional connectivity, which might be faster in speed and obtain better customer satisfaction. However, are you aware the physical data center location of your service provider? Are you comfortable about their decision in locating their data centers? In the past two years, we have been experiencing certain negative impact from mother-nature in Asia, as well as the uncertain political condition in Middle east. These real instances shall address the importance of such concerns.

(4) Regulation compliance: Many high tech manufacturing companies here in Taiwan are providing ODM/OEM services. We are extremely proud of our achievements in this type of business operations. In order to build closer business relationship with other big brand companies is USA/Europe, many ODM/OEM companies are required to pass certification and/or external auditing, before some business contracts could be signed. Information security is one of the items, heavy emphasized during past few years, basing upon my prior experience. In moving to cloud computing, would the service provider also be comfortable or qualified, to meet such requirements, not causing any problems in this type of auditing?