Five Golden Rules for a Secure Cloud Migration

Phil Lieberman
Wednesday, August 17th 2011

Survey after survey has revealed that security is the top concern voiced by prospective customers about cloud computing and its outsourced, on-demand business model. Worries over data privacy may prove to be service providers’ greatest roadblock to new business. In addition, the risks of a data breach seem certain to grow as a service provider’s infrastructure expands and its IT staff becomes more numerous and decentralized.

This evolution is worth watching since private MSP organizations could potentially provide much better security, agility and oversight for their service offerings compared to what is offered by the largest providers such as Google and Microsoft.

So while an outsourced cloud infrastructure can be a good fit for many companies, it holds huge potential for costly disasters. And if the outsourcer fails, you could be left without the resources to repair the damage. There is little margin for error in choosing an outsourcer, as Lieberman Software found in our recent industry surveys at the annual RSA and InfoSecurity conferences held earlier this year. Our survey revealed that 77 percent of IT professionals said that their outsourcers had made up work simply to earn extra money.

Here are my five golden rules to ensure your outsourcing lifeboat doesn’t sink mid-stream:

1. Make a Transition Plan and Stick to It

Any kind of IT outsourcing will disrupt your entire organization in ways you may not expect. Your plan should include a change management module, a detailed and well-argued case to your staff outlining how you intend to make a smooth transition and a well-documented process to let your customers know that you have the outsourcing process well under control.

2. Get Your Outsourcing Plan in Writing

You need to see the outsourcers’ plan in writing, particularly their crisis management plan.

In the written report, make sure you add capital asset budgets for the acquisition of software to improve operational efficiency and provide better coverage of security. Make sure that there are disincentives for contractors who avoid using, or impair the use of, software tools that improve things, even if those tools reduce billable hours. Also make sure you allow for the adoption of better labour-saving tools. Do not allow the fox to guard the henhouse.

3. Demand Transparency with Respect to Security

You will have to place special emphasis on choosing an outsourcer that has a proven track record of delivering quality security services to a similar range of industry sectors over a long period of time.

They will need the ability to accurately correlate, analyze and interpret large volumes of network security inputs in real time and be able to separate legitimate threats from a welter of false starts. An outsourcer should have multiple security operations centres that run 24x7x365. Having two or more data centers allows for redundancy and may ensure constant compliance with security standards. Your outsourcer should have security experts in place to monitor and analyze data from customers on a global basis. This level of intelligence will help your outsourcer issue real-time alerts and recommend fast reactions to unforeseen events.

Anticipate security breaches. You will have to plan for emerging threats and the need to purchase both software and hardware to respond to threats as well as to improve compliance and security. Don't allow the outsourcer to select their own tools, as they will pick those that maximize their revenue, not your security. You cannot predict the future: provide slack to change your contractor's mission as business and the security landscape change.