By Sramana Mitra and guest authors Shaloo Shalini and Bhavana Sharma
SM: I believe that charge-back is interesting because it is helpful to the business; do you believe in that as well?
DH: I think that charge-back is helpful. Anything that can put cost data back to business to help us understand what it costs to do business is good. It is not just to keep IT budgets low. With charge-back, business leaders understand the true cost of doing business – that’s what is really important.
SM: Let me bring in security into the discussion – what are the prime focus areas for you with respect to cloud security? In general, do you believe that the threats remain the same irrespective of whether it is a captive data center or infrastructure in the cloud? Is end-to-end security a must for you as you move forward into the cloud?
DH: Well, my take on it is that security issues are still the same. Most people have their e-mail available on the Internet whether it is outsourced or insourced. We do poke security holes in the firewall to allow people into our network. Say for our enterprise resource planning (ERP) – somebody may require a virtual private network (VPN) to get into SAP, or they may not. In the case of our ERP, I can access it from the Internet. But the good news is that our ERP provider survives whether it can securely provide the access to the Internet. So, it is in their best business interest to be really good at it. And I think that is true for anybody who wants to be in the cloud. They have to understand what their security needs are and to be an expert on security. Otherwise they will simply be out of business. If you are going with a brand-new vendor, you may have that issue, but if someone has survived in this business of the cloud for one, two, or three years and they can provide solutions based on cloud models, then they probably have already learned how to provide security. That’s what my main issue is – I don’t have the resources to provide that kind of capability of security experts internally, so I have gone to vendors to provide that and address security requirements.
SM: You have vendors to provide the security that you need.
SM: But from the point of view of threats, those are a cause of worry because touch points have increased now. We are adding new access points. If you look at the past three months, there is an iPad phenomenon going on, so the number of ways by which people are accessing your systems has gone up and that poses real security challenges, right?
DH: Oh, yes. Which is why it is even more important that the end point and the systems access security is good because you have to assume as a good cloud provider that the other end point is totally unsecured and could be malicious. If you make this assumption and build your security on board, you will be in pretty good shape. But you are right, with a myriad of new technology available for access, we have had to lock down our network. We don’t allow foreign devices on our network because we don’t have the capability to provide that kind of system-level security internally. So we just say if you technically have a media access control (MAC) address that we don’t register, you cannot have access to our network. So if somebody brings an iPad or some device or new PC and plugs it into our network, it will not work. That is how we try to do it internally. You can’t do that in the cloud model because you expect them to come from anywhere. We have dealt with that in a simple way internally because there shouldn’t be anything on the network we don’t know about, but on the Internet, everything on the network is something you don’t know about.
SM: That’s right, and on that thread would you consider bringing in cloud security providers that could help you to manage that kind of situation, that kind of configuration in a cloud mode?
DH: At this point I think we have just enough to try and integrate in this new cloud environment. Such a security solution is pretty low on our list. We have dealt with our security requirement via this draconian model and it works for us. I am not going to allow somebody to bring in their Apple Mac to work on in the office network just because they like it better than our office PC, for example. That is because we don’t have the resources as far as IT spending is concerned to allow anything like that to happen. If the company came and told me, OK, we want to do that or there will be IT budget, then we will probably look into addressing that requirement in more attractive ways rather than this draconian method.
SM: How much control would you need to have over the location of the data?
DH: What we have found is it used to be a huge issue as far as legal requirements for within countries particularly. Our ERP system data is hosted in the United States. We have access from Europe, and Plex has passed the federal audit in Germany where their data was not located within the EU, so they have passed their legal requirement. I think the key issue here is, again, can you build a network – coming back to technical issues of data access – if in terms of engineering for, say, large CAD files, if you can architect the network to eliminate those latency issues, then you basically can have your data anywhere, which is my goal.
SM: Would you be comfortable if cloud vendors showed up and said that your data was going to be in China?
DH: Well, it depends on the company and if they can show me what kind of security they have.
SM: So you would consider it?
DH: Yes, I would consider it.