NewsOutsourcingData management

Boden said her organization is in the preliminary stages of moving into AWS—she started with some simple, homegrown applications, such as a list maintained for HR, which her team moved to AWS successfully. Larger sections of IT operations will move later with the financials likely to be last, since they are the most sensitive to security and compliance needs. Planning began last year, and the whole process might take another year and a half.

Boden said she had to go to AWS like any other customer to sign up and use the cloud, without special treatment. That put her in the familiar position of evaluating a third-party vendor.

"It's really no different than any risk assessment that you'd do on any high-profile application review," she said. "We engage them just like any other enterprise customer."

Million-dollar cloud security question

One primary concern was security. Boden said she was only able to give really serious consideration to moving critical parts of the organization into AWS after the launch of Amazon's Virtual Private Cloud (VPC) service last fall. VPC allows users to deploy instances in Amazon's Elastic Compute Cloud (EC2) that are cut off from the public Internet. Amazon has advertised VPC, and a recently completed SAS 70 Type II security audit, as touchstones for enterprises.

The IT staff had to adjust their attitude slightly to get a real handle on cloud security, she said. Since moving to a cloud provider means giving up a good deal of direct control over infrastructure, Boden noted, security has to be understood at the application level, not just the operations level.

"We had to change our focus from asking 'How is AWS safe?' to 'How are our applications going to be secure in the cloud?'" she said.

Applications subject to external audits, like Sarbanes-Oxley (SOX) regulated financial applications, pose another challenge, but she has been negotiating and explaining to auditors how and why they can consider AWS compliant, and she thinks she's over the hump. She said that having her SOX-compliant application fully virtualized and certified made the negotiating easier; the move into AWS VPC, when it came time, would be pretty smooth.

"I don't think it's a barrier at this point," she said.