Practice Guide for Cloud Computing: security standards are not cloud-independent

Source: Internet
Author: User

Josh Greenbaum, chief analyst at Enterprise application consultancy, stressed that most companies do not pay enough attention to the risks of cloud computing. "If the data center managers were to focus on the main facilities in the room and see a standby power supply outside the server, they thought there was no problem," Greenbaum said. He thinks cloud computing should be no different.

In some cases, it is too risky to rely too much on cloud computing. Enterprises must consider how to manage possible risks when deciding to put some servers and applications on the cloud.

David Cearley, vice president and analyst at Gartner Consulting, says the limitations of using cloud computing are sensitive issues that companies must take seriously, and that companies must weigh the risks of cloud computing according to place and time. For example, companies gain cost savings in exchange for abandoning control over certain data. C-level executives in the IT department have to decide whether the transaction is worthwhile. Cearley says that each transaction is ultimately available as a cloud service, but not every transaction can be retrieved from the cloud for any individual enterprise.

"In a pool of shared resources outside the enterprise, users have no control over where the resources are run. If you think the location and source of data is important to you, that's one reason you don't use cloud computing," Cearley stressed.

Security standards have nothing to do with clouds

Greenbaum says there are a number of industry standards in the IT industry. For example, service standards such as the SAS company's interactive Relationship management (sasinteractionmanagement) are widely used for IT security and compliance and enterprise interaction management. As time goes on, however, exchange-style relationship management will also be shifted to the cloud.

At the same time, before the security models and standards for the cloud computing architecture were introduced, most of the risks and losses that could be faced fell directly on the shoulders of the IT enterprise, rather than the cloud service provider. "Salesforce.coms and Netsuites are unable to provide a risk management mechanism guaranteed by the standardization system," Greenbaum added.

Best Practice Guide for Cloud Computing

Kristin Lovejoy, director of IBM's security and risk management department, believes that consumers who enjoy cloud services will ultimately be responsible for maintaining the confidentiality, integrity, and availability of data.

Lovejoy cites the Health Insurance Portability and Accountability Act (HIPAA) as an example, explaining that the act does not have a special provision for data security. Instead, chapters 164.308 and 164.314 of the bill simply require companies to ensure security from any third party dealing with data, Lovejoy stressed.

As for the practice of limiting the timing of cloud allocation, Lovejoy suggested that companies should follow Geoffrey Moore's "Relative Core" theory (Moore is the founder and business strategist of TCG consulting firm).

Lovejoy explained that core business practices advocated competition differentiation. The relative conventions pass on the idea of internal behavior, such as human resources service and salary system. Core practices and relative conventions can be divided into mission-critical application software and non-critical task applications. "Enterprises can still survive if non-critical task applications go offline."

Lovejoy also stressed that Moore's theory is "if enterprise practice is a relative and non-critical task, it can be placed on the cloud, if it is a relatively critical task, can be activated with the cloud." If it's a core business rather than a key task, you can consider putting it under the protection of a firewall, and if it's a core business and a key task, you have to put it under the protection of the firewall.

(Responsible editor: The good of the Legacy)
