TMCnet LOGIN
Webinars
Hosted Call Center Featured Article
How to Migrate to the Cloud: Five Things You Must Know to Do it Right
February 25, 2010
Lost in all of the hype surrounding cloud computing is one critical question: how do you get there from here? Sure, you’d like to realize cloud computing’s benefits – operational efficiency, reduced costs, application flexibility – however, you’re probably worried about the problems and costs associated with the transition.
Unless you’re a three-person company, migrating to the cloud can be a painful, labor-intensive process that opens you to many new risks. Fortunately, it doesn’t have to. A little foresight and planning go a long way. If you follow these five steps, your migration efforts will run into fewer roadblocks and achieve ROI much sooner.
1. Start small
As with so many other trends, people end up buying into the hype, rushing into full-scale projects too soon and forgetting to bring common sense along for the ride. Slow down, define your goals, identify potential obstacles and determine what being cloud-enabled will do for your organization in the long run.
As with any new technology, it is important to test the waters before leaping in head first. A full-blown migration forces you to make decisions you probably aren’t ready to make yet.
If you’re like most organizations, you simply don’t have the experience and necessary knowledge to make fully informed decisions about how to handle identities, enforce application access, guard against data leaks, update software licenses, safeguard investments in legacy hardware and software and so much more.
However, you are ready to identify a few easy to move applications that will deliver immediate benefits from being cloud enabled. Collaboration software, applications serving remote workers (SFA, CRM) and email and messaging all make sense and have been battle tested and optimized. Start with those and use them as test cases for further adoption.
2. Trust cloud vendors to protect data
Despite all of the stories circulating about security being a cloud weakness, security should actually be a cloud enabler – once people parse out the new risks and opportunities. As far as data protection goes, the cloud providers are better at this than you are. The same goes for disaster recovery and data backups.
Why would cloud providers’ heavily protected data centers be less secure than your internal network? Unless you’re in the financial sector or military (and even that’s debatable), your defenses are most likely inferior to those packaged with cloud services from major vendors like Salesforce.com, Google (News - Alert) and Amazon.
Yes, there are still wrinkles to be ironed out along the way as new devices, use cases and delivery models emerge. Yes, being big also makes you a big target (as the recent Google penetrations proved). However, one thing my years working at a big company – IBM (News - Alert) in my case – taught me is that when the big boys focus on solving the problem, eventually they do.
Large cloud providers have the resources to tackle data protection in depth. They can try various approaches. They can afford best-in-class solutions. They can see what works, and what doesn’t. They have the scale to be able to learn from failures, shift directions if necessary and fine-tune solutions again and again.
If they do fail to deliver on their promises, and you get swept up in a targeted attack, for instance, the large providers have the resources to make you whole again.
3. However, get security right because you may not have another chance
Cloud providers should do a good job of protecting data, but that doesn’t mean that all of them will. As new providers pop up almost daily, it’s important to do your research. Do they have good security processes in place? Do they have both perimeter-based and behavior-based security tools you can leverage?
Will they protect you against data leakage and IP theft? Do they have solid business continuity and disaster recovery plans in place?
Have they been hit with recent attacks, and, if so, how did they recover from them?
I mentioned the Google attack before. Although there is no publicly available evidence as to who was responsible, the fact that user accounts of Chinese dissidents were breached is a pretty obvious calling card.
How did Google respond? They did many things, but two stand out: first, they immediately brought in the NSA to help them address the problem of foreign security services penetrating their defenses; second, they publicly discussed the attacks.
Organizations willing to discuss their breaches are ones eager to learn from them and improve their defenses day in and day out. I don’t know about you, but that’s exactly the kind of organization I want to trust with my sensitive data.
If you are thorough with your research, you’ll be able to find the cloud provider whose security profile best matches your needs.
4. Be your own Identity Provider
There is one thing cloud providers cannot handle for you: the integrity of your users. By definition, enterprise identities must be defined (and preferably handled) by the enterprise. You have to tell your cloud provider whom to let in and what privileges each person should receive. You also have to define the mechanisms by which authentication, access and roles will be enforced.
Much of the reason cloud computing got a bad rap in terms of security is because developers forgot about the importance of identity when cloud-enabling applications. This is not a fundamental flaw with the cloud model; rather, it is the same old story of developers not thinking through the security implications of a new computing model.
To protect sensitive data in the cloud, you absolutely must be sure that each person is who he or she claims to be. You must also be sure that you enforce rights and roles once you let people through the front door.
How do you do that?
Let’s start with how not to do it. Some early movers jumped the gun and talked the problem by either synching identities to or forklifting their entire infrastructure over to the cloud. Both are risky options. Synching creates another identity store you must protect and patch, while moving everything removes identities from your immediate control.
A much better option is to handle access to your cloud applications the same way you do with your existing applications: through your directory services, such as Active Directory or LDAP. Some cloud providers, notably Salesforce.com (News - Alert) and Google, allow you to use an identity provider.
That identity provider should be you. You’ve invested heavily in collapsing and optimizing directory services, such as Active Directory or LDAP. Abandoning that investment would be foolish.
Leverage that investment by adding tools that bridge your in-house identity stores to the cloud. Now, you have the best of both worlds. Identities remain in house and under your control, while sensitive data is protected by a slew of world-class security mechanisms at the cloud provider’s site.
5. Plan for latency and outages
Besides security, the cloud’s two other big trouble spots are latency and outages. In truth, my points about data protection equally apply here. The cloud providers are aware of these problems and are busily solving them.
Nonetheless, when you pick applications to move to the cloud, you can’t overlook the problems that arise when you rely on delivery over the public Internet. If you’re a large enterprise, you may already have WAN optimization or route steering tools in your arsenal. As with directory services, it would be unwise to abandon those investments. Keep latency-sensitive applications in house and adopt a hybrid cloud model.
You also need to have detailed disaster recovery and backup plans that include what to do if your cloud provider is down. Again, cloud providers are probably better positioned to deal with outages than you are, but most of the major cloud providers have suffered through a significant outage at one time or another. Be prepared just in case.
Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges in-house applications to the cloud through strong, flexible identity enforcement. www.multifa.com.
Unless you’re a three-person company, migrating to the cloud can be a painful, labor-intensive process that opens you to many new risks. Fortunately, it doesn’t have to. A little foresight and planning go a long way. If you follow these five steps, your migration efforts will run into fewer roadblocks and achieve ROI much sooner.
1. Start small
As with so many other trends, people end up buying into the hype, rushing into full-scale projects too soon and forgetting to bring common sense along for the ride. Slow down, define your goals, identify potential obstacles and determine what being cloud-enabled will do for your organization in the long run.
As with any new technology, it is important to test the waters before leaping in head first. A full-blown migration forces you to make decisions you probably aren’t ready to make yet.
If you’re like most organizations, you simply don’t have the experience and necessary knowledge to make fully informed decisions about how to handle identities, enforce application access, guard against data leaks, update software licenses, safeguard investments in legacy hardware and software and so much more.
However, you are ready to identify a few easy to move applications that will deliver immediate benefits from being cloud enabled. Collaboration software, applications serving remote workers (SFA, CRM) and email and messaging all make sense and have been battle tested and optimized. Start with those and use them as test cases for further adoption.
2. Trust cloud vendors to protect data
Despite all of the stories circulating about security being a cloud weakness, security should actually be a cloud enabler – once people parse out the new risks and opportunities. As far as data protection goes, the cloud providers are better at this than you are. The same goes for disaster recovery and data backups.
Why would cloud providers’ heavily protected data centers be less secure than your internal network? Unless you’re in the financial sector or military (and even that’s debatable), your defenses are most likely inferior to those packaged with cloud services from major vendors like Salesforce.com, Google (News - Alert) and Amazon.
Yes, there are still wrinkles to be ironed out along the way as new devices, use cases and delivery models emerge. Yes, being big also makes you a big target (as the recent Google penetrations proved). However, one thing my years working at a big company – IBM (News - Alert) in my case – taught me is that when the big boys focus on solving the problem, eventually they do.
Large cloud providers have the resources to tackle data protection in depth. They can try various approaches. They can afford best-in-class solutions. They can see what works, and what doesn’t. They have the scale to be able to learn from failures, shift directions if necessary and fine-tune solutions again and again.
If they do fail to deliver on their promises, and you get swept up in a targeted attack, for instance, the large providers have the resources to make you whole again.
3. However, get security right because you may not have another chance
Cloud providers should do a good job of protecting data, but that doesn’t mean that all of them will. As new providers pop up almost daily, it’s important to do your research. Do they have good security processes in place? Do they have both perimeter-based and behavior-based security tools you can leverage?
Will they protect you against data leakage and IP theft? Do they have solid business continuity and disaster recovery plans in place?
Have they been hit with recent attacks, and, if so, how did they recover from them?
I mentioned the Google attack before. Although there is no publicly available evidence as to who was responsible, the fact that user accounts of Chinese dissidents were breached is a pretty obvious calling card.
How did Google respond? They did many things, but two stand out: first, they immediately brought in the NSA to help them address the problem of foreign security services penetrating their defenses; second, they publicly discussed the attacks.
Organizations willing to discuss their breaches are ones eager to learn from them and improve their defenses day in and day out. I don’t know about you, but that’s exactly the kind of organization I want to trust with my sensitive data.
If you are thorough with your research, you’ll be able to find the cloud provider whose security profile best matches your needs.
4. Be your own Identity Provider
There is one thing cloud providers cannot handle for you: the integrity of your users. By definition, enterprise identities must be defined (and preferably handled) by the enterprise. You have to tell your cloud provider whom to let in and what privileges each person should receive. You also have to define the mechanisms by which authentication, access and roles will be enforced.
Much of the reason cloud computing got a bad rap in terms of security is because developers forgot about the importance of identity when cloud-enabling applications. This is not a fundamental flaw with the cloud model; rather, it is the same old story of developers not thinking through the security implications of a new computing model.
To protect sensitive data in the cloud, you absolutely must be sure that each person is who he or she claims to be. You must also be sure that you enforce rights and roles once you let people through the front door.
How do you do that?
Let’s start with how not to do it. Some early movers jumped the gun and talked the problem by either synching identities to or forklifting their entire infrastructure over to the cloud. Both are risky options. Synching creates another identity store you must protect and patch, while moving everything removes identities from your immediate control.
A much better option is to handle access to your cloud applications the same way you do with your existing applications: through your directory services, such as Active Directory or LDAP. Some cloud providers, notably Salesforce.com (News - Alert) and Google, allow you to use an identity provider.
That identity provider should be you. You’ve invested heavily in collapsing and optimizing directory services, such as Active Directory or LDAP. Abandoning that investment would be foolish.
Leverage that investment by adding tools that bridge your in-house identity stores to the cloud. Now, you have the best of both worlds. Identities remain in house and under your control, while sensitive data is protected by a slew of world-class security mechanisms at the cloud provider’s site.
5. Plan for latency and outages
Besides security, the cloud’s two other big trouble spots are latency and outages. In truth, my points about data protection equally apply here. The cloud providers are aware of these problems and are busily solving them.
Nonetheless, when you pick applications to move to the cloud, you can’t overlook the problems that arise when you rely on delivery over the public Internet. If you’re a large enterprise, you may already have WAN optimization or route steering tools in your arsenal. As with directory services, it would be unwise to abandon those investments. Keep latency-sensitive applications in house and adopt a hybrid cloud model.
You also need to have detailed disaster recovery and backup plans that include what to do if your cloud provider is down. Again, cloud providers are probably better positioned to deal with outages than you are, but most of the major cloud providers have suffered through a significant outage at one time or another. Be prepared just in case.
Craig Lund is CEO of MultiFactor Corporation, a provider of two-factor SSO authentication and identity enforcement solutions. MultiFactor’s flagship product, SecureAuth, bridges in-house applications to the cloud through strong, flexible identity enforcement. www.multifa.com.
TMCnet publishes expert commentary on various telecommunications, IT, call center, CRM and other technology-related topics. Are you an expert in one of these fields, and interested in having your perspective published on a site that gets several million unique visitors each month? Get in touch.
Edited by Patrick Barnard
More on Outbound Call Centers »
