SCCyberworld

Wednesday, February 29, 2012

Fortinet Cautions CIOs in Malaysia to Avoid Five Common Mistakes When Embracing Cloud Computing

MALAYSIA, 29 February 2012 ― Fortinet, a world leader in high-performance network security, foresees cloud computing gaining much higher acceptance among enterprises in Malaysia this year as more CIOs realise that the technology can dramatically improve agility and productivity while cutting infrastructure cost. As more companies large and small move significant parts of their operations to the cloud in the next 12 to 24 months, Fortinet cautions CIOs here on the top 5 common mistakes to avoid:

1. Not opting for the right cloud model

Companies moving to the cloud can choose from public clouds, private clouds, community clouds or hybrid clouds.

• Public cloud: This is owned by a cloud provider and made available to the general public on a multi-tenant, pay-as-you-use basis.
• Private cloud: This is owned and deployed by an organization for internal use as a single tenant.
• Community cloud: This is cooperatively shared by a set of tenants, often from the same industry.
• Hybrid cloud: This spans the cloud deployment models listed above, enabling applications and data to move easily from one cloud to the other.

Each type of cloud deployment offers its advantages. The factors to consider before adoption are the business criticality of the applications the firm wants to move to the cloud, regulatory issues, necessary service levels, usage patterns for the workloads and how integrated the application must be with other enterprise functions.

2. Not integrating cloud security into corporate security policy

The enterprise's cloud security and corporate security policies must be integrated. Instead of creating a new security policy for the cloud, CIOs should extend their existing security policies to accommodate this additional platform. To modify policies for cloud, the following factors must be considered: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

When properly done, adoption of cloud computing can be an opportunity to improve security policies and overall security posture.


3. Counting on the security of the cloud-based service provider

CIOs are cautioned not to assume that data is automatically secure just because they subscribe to a service provider. A comprehensive review of the provider's security technology and processes must be done, along with checks on how the provider secures its customers’ data and its infrastructure. Specifically, the following should be observed:

• Application and data transportability: Does the provider allow exporting of existing applications, data and processes into the cloud? Can those be imported back just as easily?

• Data centre physical security: How does the service provider protect its physical data centres? Are they using SAS 70 Type II data centres, and how well trained and skilled are their data centre operators?

• Access and operations security: How does the provider control access to physical machines? Who is able to access these machines, and how are the machines managed?

• Virtual data centre security: Cloud architecture is key to efficiency. Find out how the individual pieces like the compute nodes, network nodes and storage nodes are architected, and how they are integrated and secured.

• Application and data security: To implement each enterprise’s policies, the cloud solution must enable one to define groups, roles with granular role-based access control, proper password policies and data encryption (in transit and at rest).

4. Assuming that securing data is no longer one’s responsibility

Outsourcing an enterprise’s applications or systems does not absolve the CIO of responsibility for a data breach. Some SMBs in Malaysia have this misconception, but ultimately each and every enterprise is accountable to its customers and other stakeholders.

5. Not knowing which local laws apply

Data that is secure in one country may not be secure in another. In many cases, though, users of cloud services are not aware of where their information is held. The European Union, currently in the process of harmonising the data laws of its member states, favours very strict protection of privacy, while in Malaysia, laws such as the Personal Data Protection Act do not contain sufficient privacy and data protection provisions, which gives government and other agencies virtually unlimited powers to access information belonging to companies.

Fortinet advises CIOs to find out where their data is held by the cloud provider. If possible, store data in more than one location. It is also advisable to choose a jurisdiction where one still has access to one’s data should the contract with the cloud provider be unexpectedly terminated. The service provider should also be flexible on where each customer’s data should be held.

In conclusion, the adoption of cloud technology must come with risk mitigation steps, and enterprises in Malaysia are well served to plan for and act from the outset, so that returns on their cloud investments can be maximised.
