Policy questions and issues the company might face
In my company there are legal and regulatory issues that I will take care of. When the company's applications and data move to the Cloud, the provider may locate them anywhere on the planet, and the handling of that data will then be governed by the laws that apply to the physical location of the data centers and clusters. I will use a conservative approach to hosting the company's sensitive data. The availability zones offered by Amazon EC2 in the US will be an advantage to the company because they identify a set of resources that have a specific geographic location.
Security will be established within a Service Level Agreement (SLA). The SLA will set the price of services, and specific activities such as resource metering, billing, and pricing have to be implemented in order to charge users. I will adopt solutions that fall into the "pay-as-you-go" model, where users are charged according to the use they make of the service. I will also develop sophisticated and flexible pricing policies and put them in place in order to devise an efficient pricing model for the Cloud computing scenario.
Cloud-based services
As the CIO of the company I will specialize the business towards providing specific services that address the needs of a market sector. The different solutions can be characterized into three main classes:
Platform as a Service (PaaS)
Infrastructure / Hardware as a Service (IaaS/HaaS)
Software as a Service (SaaS)
Security
The company will ensure that private data is not accessible to other users who are not authorized to see it, because that data is the most important. It will use virtualization technology, which offers one approach for improving security: a more fine-grained approach that will be useful for many applications.
The security questions:
The company will use security questions to understand how secure its data is.
What will be the approach to service security? Will you offer an overview of your general security approach?
What security procedures will be put in place at the datacenter? How many technicians have access to my data and how well are those technicians vetted before they are given access?
What will be the security measures you use to authenticate users?
What level of encryption will you offer to protect my data?
How secure will your application be, and do you work with any independent security vendors to vet the overall security of your product?
Are you SAS 70 Type II audited? What are your plans for SSAE-16?
Will you be compliant with the regulations applicable to my business?
Reliability
As more users come to depend on the services offered by a cloud, reliability becomes increasingly important, especially for long-running or mission-critical applications. A cloud should be able to continue to run in the presence of hardware and software faults. Google has developed an approach that works well using commodity hardware and their own software. Other applications might require more stringent reliability that would be better served by a combination of more robust hardware and/or software-based fault-tolerance techniques.
Business requirement questions:
The first and foremost aspect to consider when talking to a vendor will be whether the vendor's product fits my business needs and existing workflows. Every business is unique, and my SaaS vendor will need to be able to meet the specific business needs of my organization. The following questions will help buyers get started and can be followed up with questions regarding specific needs.
Will my SaaS application(s) meet the functional requirements of my business?
Will my application fit the ever-changing needs of my business as time goes by?
Will my application require that I significantly alter my existing business workflow?
It is very important that the SaaS application being evaluated fits existing workflows without significant disruption. There will always be some amount of disruption when transitioning from one application to another; however, I will not want the disruption to force a complete revamp of my existing business processes. Many of the leading SaaS applications are in fact more customizable than their on-premises counterparts; they just accomplish this through flexibility and configuration options rather than via custom programming or source-code changes.
Policy reasons
The company will implement and enforce policy as a differentiator when looking at security requirements in cloud-based e-mail. Policy in the company will include both corporate-defined policies and those related to external mandates. Policy is important in technical controls such as whether two-factor authentication will be required for login and whether the communication channel between the e-mail client and the mail server is encrypted, but it can also relate to whether a certain user will be allowed to send e-mails off-hours or whether some user e-mails are scanned for key words and other data leak prevention triggers.
It will be very important to ask the provider not only if they will enforce policy controls, but also the level of granularity within those controls. One way to ease the policy burden will be to use existing corporate policy repositories for usage enforcement in the cloud. Ask if the provider will leverage the existing policies either via direct communication with corporate policy servers or by exporting policy schema to the provider.
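The four controls named above (two-factor login, an encrypted client-to-server channel, an off-hours sending rule and keyword-based data leak prevention) can be expressed as one policy and evaluated per send event, which is what the following added example does; it is not code from the essay or from any provider, and every field name and sample event in it is an assumption.

```python
# Added example, not code from the original essay or any provider's product.
# Evaluates the e-mail controls named above against send events; all field
# names and sample values below are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Policy:
    require_2fa: bool = True
    require_tls: bool = True
    business_hours: tuple = (8, 18)                      # sending allowed 08:00-17:59
    off_hours_exempt: frozenset = frozenset({"oncall"})  # roles allowed to send off-hours
    dlp_keywords: tuple = ("confidential", "ssn", "account number")

@dataclass(frozen=True)
class SendEvent:
    user: str
    roles: frozenset
    used_2fa: bool           # session authenticated with a second factor?
    channel_encrypted: bool  # client-to-server connection TLS-protected?
    sent_at: datetime
    body: str

def evaluate(event: SendEvent, policy: Policy) -> list:
    """Return the controls this event violates; an empty list means allowed."""
    violations = []
    if policy.require_2fa and not event.used_2fa:
        violations.append("login without two-factor authentication")
    if policy.require_tls and not event.channel_encrypted:
        violations.append("client-to-server channel not encrypted")
    start, end = policy.business_hours
    if not (start <= event.sent_at.hour < end) and not (event.roles & policy.off_hours_exempt):
        violations.append("send attempted off-hours")
    body = event.body.lower()
    hits = [k for k in policy.dlp_keywords if k in body]
    if hits:
        violations.append("DLP keyword trigger: " + ", ".join(hits))
    return violations

# Constructed sample events, one per control, for illustration only.
SAMPLE_EVENTS = [
    SendEvent("alice", frozenset(), True, True, datetime(2024, 3, 4, 10, 15), "Quarterly figures attached"),
    SendEvent("bob", frozenset(), False, True, datetime(2024, 3, 4, 14, 0), "Confidential: merger terms"),
    SendEvent("carol", frozenset({"oncall"}), True, False, datetime(2024, 3, 4, 23, 30), "Pager test"),
    SendEvent("dave", frozenset(), True, True, datetime(2024, 3, 5, 2, 5), "See you tomorrow"),
]

def audit(events=SAMPLE_EVENTS, policy=Policy()) -> dict:
    """Map each user to the violations found, so control granularity can be reviewed."""
    return {e.user: evaluate(e, policy) for e in events}
```

The per-user result is the level of granularity the text says to ask a provider about: each control is reported separately rather than as a single allow/deny.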
Encryption
The company's privacy protection mandates and laws call for encryption of sensitive data, including when it is transmitted via e-mail. Will the cloud provider be able to deliver encryption services for e-mail in transit to the server, when stored and archived in the data center, and when being transmitted to third parties?
As the CIO I will negotiate, contract, and work with suppliers, since these relationships have grown significantly and will grow further as the company moves more of its information to other companies. This is the case with cloud computing. Most transitions to a cloud computing solution entail a change from a technically managed solution ("I build it, I maintain it") to a contractually managed solution ("Someone else is doing this for me; how do I ensure they're doing what they're supposed to?"). This change necessitates increased IT contract negotiation skills to establish the terms of the relationship ("What do I get?") and vendor management skills to maintain the relationship ("How do I ensure that I get it?").