How to implement a multi-tiered cloud strategy

Implementing a multi-tiered cloud strategy should help mitigate the security and performance risks that many organisations fear when considering a cloud solution. This HP whitepaper explains the reasons around this and outlines the moves organisations must make to deploy such a strategy.

When migrating to the cloud, companies must consider whether they are going to use a private cloud, a public cloud or a mixture of the two in the form of a hybrid cloud. All three pose their own types of risk, whether that's on the cyber security side or the financial risk side.

Choosing the cost and risk

Deploying a private cloud is more costly, in terms of having to buy and install your own servers and data storage resources, as well as having to manage and update them. But it does offer better control over data management and security.

Public cloud implementations usually see an organisation's data and applications hosted on shared servers and storage hardware located in the external infrastructure of a cloud service provider. While such deployments are usually cheaper, as they rely on a cloud provider's own hardware and other resources, they can be seen as riskier, since the customer does not have full control over data security.

Hybrid clouds combine public and private options with customised security policies and infrastructure, potentially offering a strong compromise, in terms of cost and security.

A multi-tiered approach

Companies already accept that faulty disks, PC and server failures, power surges, buggy software and application crashes are a fact of life. Even if a cloud provider offers a 100 per cent uptime guarantee for all the services used, these will still eventually fail at some point.

A multi-tiered approach to cloud computing seeks to create a single consolidated cloud that provides all levels of cloud services with tiered pricing. Some applications can be prioritised, while "lower-value" applications and services can be allocated with lower service and security levels. For those that require it, the unified nature of a multi-tiered cloud approach places the cloud fully under the control and management of in-house IT personnel.

For instance, a web service could be put on a low-cost and low-security tier, straightforward application processing could be put on the middle tier of cost and security, and transactional services through databases and other platforms may be given a high-cost, high-security tier. All these tiers can be integrated and controlled by the same personnel, if required.

Evaluating the tiers

As with all cloud deployments, a multi-tiered approach should first see an organisation evaluate its business to match the applications and services to the most appropriate cloud service level tiers. This involves analysing the extent at which the business can withstand data loss and downtime for each application and service. The areas that are most critical for generating revenue and protecting the reputation of the business must be allowed to override short- to medium-term cost savings from the cloud deployment.

Singapore's model can be used as an example of how organisations should consider the security requirements of their cloud implementations. Singapore's Infocomm Development Authority (IDA) recently launched a three-tier cloud security standard, which is designed to enable organisations to better evaluate the offerings from different cloud service providers (CSPs). It is known as the multi-tier cloud security standard for Singapore (MTCS SS), and is aimed at increasing transparency around the security service levels of cloud providers.

The CSPs that become certified under the standard have to adhere to the guidelines set out in the tiers, therefore guaranteeing certain security standards for their clients. The MTCS SS covers areas such as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident and problem management. Adherence to the MTCS SS standard in Singapore between customers and CSPs is voluntary, unless however a CSP intends to sell cloud services to government agencies when the MTCS SS becomes mandatory. These activities demonstrate the direction in which the cloud market should perhaps go, when it comes to addressing the security concerns of customers.

Here are Singapore IDA's three tiers of cloud security, with Tier 3 being the strongest:

Tier 1

Designed for non-business critical data and systems. Includes baseline security controls to address security risks and threats in potentially low impact information systems using cloud services, like website hosting and public information.

Tier 2

For business critical data and systems, with a set of more stringent security controls to protect business and personal information, including confidential business data, email and customer relationship management (CRM) systems.

Tier 3

For regulated organisations with specific requirements and more stringent security requirements. Industry-specific regulations and compliance can be applied in addition to these controls, covering threats to high impact information systems using cloud services for highly confidential business data, financial records and medical records, for instance.

Building in redundancy

Organisations need to be prepared for failures, including having redundancy built into cloud-based applications. However, this redundancy is often limited to running redundant copies of your applications in separate data centres of the same cloud provider. While this can be recommended, another strategy could the adoption of multiple cloud providers as part of a multi-tiered cloud strategy. By selecting data centres from different providers to host cloud servers, organisations can mitigate the business continuity risks from using a single infrastructure provider.

If the servers at one cloud provider fail for any reason, potentially causing downtime, the replicated data stored at another cloud provider can instead be accessed. Through virtualisation and virtual machines (VMs), copying VMs from one provider to another is easier than it has ever been. As well as addressing cloud service risks, choosing multiple cloud providers also mitigates against the risk of single providers having financial problems, increasing service prices, having various "data centre issues", or generally making changes you don't like.

While a multi-tiered approach to the cloud may not meet the requirements of every business, it is certainly a useful way for organisations in mixed markets (and with mixed needs) to plot their way through a potential cloud minefield.