A new shift in computing is upon us - cloud computing. As our use of computing resources evolves from mainframes to PCs and networks, we are now facing a major shift in the way we work. This could have dramatic effects on the way we use computers, both for work and play. But the security issues need to be discussed, risks assessed and judgements made knowing the risks and issues. For some, cloud computing makes a lot of business sense, for others, it may create confusion.

What is cloud computing? For many it's the natural evolution of the Internet. The Internet has provided a major shift in the way we work. Less than 20 years ago, there was a comment by Ray Noorda, the CEO of Novell - "If you don't have an e-mail address on your business card, you will be considered a nobody" and most people did not believe it. Twenty years later and it seems pretty much everyone has an e-mail address, if not one at work, then a Hotmail, Gmail, or Yahoo! account. And these e-mail accounts are the first example of cloud computing.

Cloud computing gets its name from network diagrams where the Internet is always shown as a cloud, as the route taken through the Internet can not normally be defined and is unknown. The route is irrelevant. The concept of cloud computing is that the central computer system or systems are hosted in the Internet and their actual location is irrelevant to the application and its successful deployment. The architecture is relatively simple - a data store and server are hosted on the Internet, and the client can access the server from anywhere. Normally the client will have a Web-based front end to make access even easier. The first major examples are the e-mail services from Hotmail and the like mentioned above.

The concepts of cloud computing have evolved to the one being promoted today where there will be no need to purchase software; it will be rented either on an annual basis or on a pay-per-use model. Now the model has added the concept of free use of software in return for receiving ads.

The major benefit of cloud computing for a user is financial. There's no need to invest in hardware infrastructure, or software. However there are a number of issues that need to be considered.

The old definition of security is as valid today as it ever was - CIA. Confidentiality, Integrity, and Availability. And these three areas need to be addressed by any potential user of cloud computing. The major issue is confidentiality. If you're giving your data to a third party, you have no control over it. Who have you given it to? What is the access to the data? Who sees it? Can it be taken and used by someone else? Who administers this? What assurance do you have that your data is confidential? Are you happy with a contractual warranty? If so, what is your recourse if the contract is breached?

Are you convinced as to the integrity of your data? Can it be tampered with? If it was tampered with, would you know - most people wouldn't. Are you satisfied with the segregation of data? What is the chance of "leakage" and how is this protected and tested?

And finally availability. If your data is not available to you, for whatever reason, then it's no good to you. Cloud computing may actually provide much stronger backup and provision for disaster recovery than a private enterprise. Most solutions will provide at least one backup resource, maybe more. Any subscriber should check what provisions are made. However, access is required to the Internet to access your data. If for any reason an ISP failed, all access fails with it. Redundancy in Internet access is imperative. There are a number of products that offer offices both small and large the ability to bind multiple ISPs to provide a virtual single access to the Internet. The other issue with availability that has to be considered is the transfer of data. There are two major areas of concern. First, one service offered in the cloud is remote backup. If you need to get your data back from a remote data store, how long will it take to download everything in the event of an emergency? And when was this last tested. Almost certainly this will be a major issue, as the size of most people's Internet connection is relatively small compared to their LAN. The second issue is moving service providers. If you want to use a service like Salesforce.com for outsourced CRM, you may be limited to the data being stored in a proprietary format. If you are unhappy with the service and wanted to move to an alternative, how would you get your data back? And would it be useable?

In recent years, as well as CIA, three other areas have become of major concern to business - Compliance, Policy, and Risk. Compliance is now a major business issue. The data being stored in the cloud must be considered carefully. What type of data is it? Is it confidential? Are there regulations to control how and where it's stored? In the UK we have the Data Protection Act, which is very strict on data storage. If the data is being stored in the cloud, do you know where it's being stored? Are you breaking legal requirements? Your policies on data storage must address these legal issues, and any cloud computing must be considered very carefully.

Finally risk. We have spoken about concerns with the data and Confidentiality, Integrity and Availability - but what if your service provider goes bust? How would you get your data back? What if the ownership changes and policies change?

One risk often not considered is that putting your data with a major provider creates a bigger target for hackers. If the service provider is hacked, or suffers some virus or security breach, how will your data be affected? Service providers have suffered already from hackers. While they will argue they can invest more in security than many people, they are without doubt a bigger prize. Some say there's much to be said for security by obscurity.

All these issues apply when outsourcing computing. Currently a lot of enterprises outsource their computing to save money. The outsourcer provides a private cloud to give the relevant service. All the questions we have raised apply equally; however, the answers may be easier to get from an outsourcer and contracts can be drawn up to ensure compliance with your policies.