A key concern for many medium to large businesses looking at third-party private cloud provision is data security. This has predictably led to private cloud vendors making bold claims about the security benefits of their service and of private clouds in general. But a look back at blogs, articles, and research papers from the last five years (and earlier) quickly makes clear that as fast as novel cloud security solutions are identified, new vulnerabilities come into focus, requiring the development of ever more refined protocols and new software processes. With BYOD and the IoT introducing yet more complexity to the picture, it is beginning to look as if guaranteed private cloud security, just like global peace, will never be more than an ideal.
While it is imperative that security research continues to be a priority rather than an afterthought — after all, one data breach can seriously damage if not destroy a vendor's reputation — is it now time for private cloud vendors to adopt a more realistic and pragmatic approach when talking to prospective customers about the advantages of virtualization?
Between A Rock And A Hard Place
One of the problems faced by private cloud IT support professionals is that of balancing their tech expertise with the need to communicate coherent information — and often promote commercial solutions — to an increasingly skeptical and skittish business customer. Front-line staff in particular face the frustrating task of finding the balance point between explaining increasingly obscure tech processes (e.g., the protocols involved in secure vTPM migration) and using platitudes to soothe customer concerns (e.g., "our private cloud meets all of the requirements of the Trusted Computing Group").
With many business owners still unclear about exactly what cloud computing entails, it's no surprise that they feel they are either being intentionally baffled by jargon or deflected by insincere repetition of terms like 'trust' and 'security.'
In a competitive commercial environment, honesty can be a risky tactic, but many business leaders will prefer to know the full, unembellished picture so they can make an informed choice about which cloud solution will best benefit their operation. Once they are clear that total invincibility is not an option, the conversation can move on to the inherent advantages of a private cloud (isolation, better security, scalability, speed to market, flexibility, cost savings, etc.) and the specific benefits offered by the vendor's company.
Gently Does It
When trying to win business, one of the mistakes private cloud providers often make is presenting IT migration as an 'all or nothing' service. For a start, not all IT infrastructures are compatible with the private cloud environment, and some companies are understandably worried about losing control of their most sensitive data. For these customers, it may be best to offer more of a piecemeal solution based on the real or perceived sensitivity of the data involved.
For example, the business could move their email function and some of their operational processes to a privately managed cloud while keeping customer PII and accounting software firmly in-house. Once they have become accustomed to enhanced IT provision including (hopefully) exemplary customer support, they are likely to be more amenable to any suggestion of migrating their more sensitive data.
The SLA As Security
Where a watertight service cannot be guaranteed, the service level agreement (SLA) comes into its own, taking up the slack that exists between customer expectation and the ability of the vendor to deliver. An SLA should clearly lay out what the customer can expect in terms of data protection protocols, service availability, and performance monitoring and measurement (using metrics such as MTTR wherever possible), together with the remedy (e.g., financial penalties, immediate right to terminate) they would be eligible for should the agreement be breached. The more weighted towards the end user the SLA can be, the more confidence they are likely to feel (although the vendor must be careful not to make promises beyond their ability to fulfil).
Freed from the burden of representing a private cloud as a virtual bank vault for sensitive data, IT professionals will be able to espouse the many other benefits that their business customers can enjoy by making the switch, and to make compromises such as offering premium SLAs and partial service provision.