How would you advise organisations to bridge the "foundational gaps" in these areas?
a) Enterprise & I.T. architectures: We would encourage organisations to try out less mission-critical applications on cloud to be able to assess the modifications that may be needed to existing processes and architectures (e.g. enterprise architecture blueprints) to cater to cloud models. Also, there may be some performance considerations that need to be accounted for as applications potentially move from traditional platforms to virtualised platforms in the cloud.
b) Skills: We would recommend that organisations have a structured training plan to infuse cloud management and architectural skills into the organisation. Having good skills in being able to size for cloud environments becomes increasingly important as opposed to the engineering around cloud.
c) IT governance: IT strategy and IT governance plans and frameworks may need to be modified to cater to cloud. Procurement processes may also need to be tweaked. Organisations can either try to do this themselves or hire 3rd party organisations to help them to craft and institute these.
d) Security: Apart from selecting their CSP carefully, enterprises must ask the following questions.
i) About Network Security.
* Do you provide dedicated physical or virtual LANs to your clients?
* How does your data centre architecture contribute to client security?
* Are clients able to define their own authorisation and access control lists?
* How can clients ensure that their networks are secure?
ii) About Secure User Access.
* How do you provide secure access (SSL-based VPNs) to your clients?
* How do you provide account-based security?
* Do you support role-based access controls?
* Do you support the addition and removal of ACL firewall rules directly in addition to host-level security?
* How do you monitor and report on usage and activities for audit purposes?
iii) About Compliance.
* What compliance certifications does your company hold, and how often do you undertake a compliance audit?
* Do you permit clients to audit your security controls?
* How do you address requests for location-specific storage to abide by data sovereignty requirements?
* Can a client's data be prevented from being moved to a non-compliant location?
iv) About VM Security.
* What protocols do you use to secure applications running on a virtual machine?
* How do you secure virtual machines in your cloud?
* How do you isolate one or a logical group of virtual machines from one another?
* Do clients have visibility into their virtual machines and servers running in their cloud and, if so, what monitoring tools do you provide?
v) About Data Security.
* What mechanisms are in place to prevent the co-mingling of data with other cloud users?
* What data security technologies are supported (tokenisation, encryption, masking, etc.)?
* Describe your encryption services.