Into the cloud we go.....

Every which way you turn, the IT industry is telling you that cloud computing is the way forward. That in the future, all your data will be stored somewhere in the cloud. Somewhere out in the ether. Where? Do you care? It will be out there, and someone will look after it for you.....won't they?

I may be wrong, but isn't low cloud also known as fog? And I think we are still stuck in fog, and there is some way to go before that fog lifts.

Software as a service is an interesting idea, and shows how clever the computer industry is. It is constantly re-inventing itself. And there is always a David attacking a Goliath. As we migrated away from IBM and DEC mainframes, a small upstart software company started to get under your skin. Microsoft went to market very well to "own" the O/S. And brilliantly moved into applications and networking, so that Office is now the de facto standard and is the main networking standard. The internet has provided the revolution to bring on the new Davids to attack the Microsoft Goliath. And the fact that Google is seen by many to be the biggest challenge to the current Goliath may suggest it is Goliath v Goliath. But Google have worked their way into our life by dominating in a sector - Internet search - and now want to branch out to own our applications, and our data.

But what are the thoughts about SaaS as a serious business tool? It certainly has worked in some areas. But what are the security and information assurance issues? The Data Protection Act clearly states that organisations have a duty of care to the people who have given their data to them. And if you now go and host this in the cloud, where is it held? Where are the national and international boundaries and how do you address the variances in national compliance and regulations governing the data? You cannot just export data willy-nilly. And how safe is that data going to be? Who has access to it? And can that be proved? And what if the host organisation gets breached? It is your data they are losing. They are building massive big targets in the sky. And they are not immune to data loss - there are already examples of breaches....I cannot mention Salesforce.com, as it would be unfair. Yes, they are building "secure" infrastructures. But no system is 100 percent secure, even if it is buried 100ft in concrete, with no connections to it.

Recent incidents have clearly demonstrated that organisations continue to struggle with the management of their existing third-party supplier relationships, and fail to ensure security conditions are included within contracts that allow third parties access to their data. Why are so many serious and publicly damaging security breaches still caused by low-tech attacks and procedural failures?

Even where service providers are governed by contractual security compliance obligations, there is still an acute lack of regular due diligence and compliance auditing to verify these are maintained. Out of sight, out of mind? Passing the responsibility for protection of your data within the cloud may ease availability and operational challenges but will not protect your hard-earned branding and reputation in the event of its compromise. If the host organisation is breached, you will still be held accountable by association and your lack of governance minutely examined. Are you equipped with the knowledge to assess those risks? Are you authorised to accept them on behalf of your organisation? Are you prepared to protect your investment by appropriate audit and oversight of your hosting partner? As the IT industry goes full circle, creating mainframe equivalents and vast "cloud" data repositories, should those that select and manage these outsourced service solutions also return to basics before entrusting your crown jewels to others? Should we remind ourselves that "Trust alone is not a security control - it is a lack of one"?

The conundrum is that SaaS really works best for small organisations. But a small organisation is probably a smaller target than a big corporate. However, by putting lots of smaller organisations' data together we create one big target, and smaller organisations are less likely to recover from a serious breach.

Is SaaS going to take off? Well, it may do. We are being led down that path by the vendors. But then again, we also have businesses now centralising servers to get savings through data centres and virtualisation, enabling people to access systems through a corporate network with web-enabled technology, and allowing an organisation to keep its data assets somewhere safe at the core of a network, where they can be backed up safely and access can be controlled within the organisation. Almost as if it was stored on a mainframe.......