Migrating an application to the cloud comes with many advantages: on demand availability, subscription based charging model, fast scalability of both storage and CPU capacity, network management handled by the cloud provider, reduced capital requirement, customer satisfaction and new social drivers (Facebook, Google, etc.) for sales, and better customer value.
Cloud is increasingly being adopted for software deployment by ISVs across the industry in an attempt to access far cheaper infrastructure as a pay-as-you-use service. Thus there is no requirement for capital expenditure to own and maintain their infrastructure.
Gartner’s recent predictions are further indication of this movement to the cloud. It is expected that by 2016, the impact of cloud will create a clear separation between the emergent cloud based ERP systems and the old highly customised legacy ERP systems. It is further expected that by 2018, at least 30 percent of service-centric companies will move the majority of their ERP applications to the cloud.
Although, the many positive features of cloud deployment are making it a platform of choice to many, cloud security aspect is, for many, a hindrance to cloud adoption. Cloud providers go to great lengths to make their services as secure as possible, but cloud deployers have to still consider some more techniques for securing their application.
Some of the most common security concerns for ISVs are:
1. Data Breaches
Whether the data breaches occur from external or internal person(s), its consequences can be catastrophic for the enterprises credibility, and the more sensitive the data the more the damage to its reputation. Encrypting the data is perhaps the best solution, but the downside is increased CPU usage and hence also cost. The encryption should be applied to all data that can in anyway inform the intruder of the content or value of any other related data. Since the cloud deployment means you are location blind, legal obligations must be considered before placing personal data in the cloud. Standard secure practices must be put in place when back door access is provided to the database. Although, SSL certificate via a trusted provider should provide adequate protection for data transmission on the wire as it has always done, the recent “Heartbleed” issue tells us otherwise. Always purchase adequate backup and recovery services.
2. Vendor reputation
It is always a good principle to purchase services from a long standing reputable and financially stable cloud service provider. The move to cloud is a major step for the enterprise and to take that step with an inexperienced or financially unstable cloud service provider is never an option. It is always advisable to go with the best in class cloud service provider.
3. Shared services
If you opt for shared services from your cloud provider then you will also be sharing your IP with other web applications. There is nothing inherently wrong in this as the cloud provider is going to manage the service levels for your purchase. The problem arises when the activities of the application that you are sharing the IP leads to a blocking of the IP, then your application will also be blocked. Consider not sharing your IP, and the consequent increased costs.
Enterprises that use private clouds will mitigate many of the security risks when compared to a public cloud. Although, a private cloud is not necessarily a solution for enterprises of all sizes, as the cost can be excessive for most ISVs. If the choice is to use “Platform as a Service”, then the downside is vendor lock-in. The enterprise will be restricted to using only the database, for example, for which the vendor provides an API. The vendor’s security strategy for data, systems must be clearly understood by the enterprise prior to any decision.
Once you know what to expect and how much of a risk you can afford to take, you will be able to better craft a cloud security strategy and properly utilize all the benefits of the cloud technology. But, the bottom line is always “buyer beware”, it is up to you to ensure your data and application is safe not the responsibility of the cloud provider.
We recently conducted a survey on Cloud/SaaS adoption by ISVs. We have compiled the results from this survey into an informative report that will give you insights to further help guide your decision on switching to the Cloud.