Risk Management in Cloud Computing
In a troubled economy, cloud computing seems like a great cost saving alternative and it is. Whether in good times or bad, any pragmatic cost saving measure is a 'good' measure.
Google, Microsoft, IBM and all other known and unknown cloud providers offer today's CIO an array of major cost saving alternatives to the traditional data center and IT department. The temptation to put things on/in the cloud and sit back can be extremely compelling. But like everything that appears too good to be true, cloud computing comes with a set of risks that CIOs and CTOs would do well to recognize before making the plunge.
Before we get into the specifics of how best to manage risk when planning to move assets to the cloud, let's look at a few numbers to help us understand what the Joneses are doing. Is cloud computing already mainstream?
ISACA's 2010 survey on cloud computing adoption presents some interesting findings. Forty five percent of IT professionals think the risks far outweigh the benefits and only 10 percent of those surveyed said they'd consider moving mission critical applications to the cloud. In a nutshell, ISACA's statistics and other industry published numbers around cloud adoption indicate that cloud computing is a mainstream choice but definitely not the primary choice.
While some organizations have successfully moved part or all of their information assets into some form of cloud computing infrastructure, the large majority still haven't done much with this choice. So we ask, is it premature for organizations to have a cloud computing strategy? Au contraire! The CIO who has not yet begun to think of a cloud strategy may soon be left behind. In most organizations, there are definitely some areas that could be safely and profitably moved to the cloud. The extent to which an organization should move it's information assets to the cloud and take advantage of the tremendous benefits by doing so is determined by the application of a risk assessment framework to all candidate information assets. For this, it's essential to understand the risks and then have a mitigation strategy each.
Who accesses your sensitive data: The physical, logical and personnel controls that were put in place when the data was in-house in your data center are no longer valid when you move your organization's information on the cloud. The cloud provider maintains its own hiring practices, rotation of individuals, and access control procedures. It's important to ask and understand the data management and hiring practices of the cloud provider you choose. Large providers like IBM will walk their clients through the process, how sensitive data moves around the cloud and who gets to see what.
Regulatory compliance: Just because your data is now residing on a provider's cloud; you are not off the hook, you are still accountable to your customers for any security and integrity issues that may affect your data. The ability of the cloud provider to mitigate your risk is typically done through a process of regular external audits, PEN tests, compliance with PCI standards, ensuring SAS 70 Type II standards to name a few. You are responsible to weigh the risks to your organization's information and ensure that the cloud provider has standards and procedures in place to mitigate them.
Geographical spread of your data: You may be surprised to know that your data may not be residing in the same city, state or for that matter country as your organization. While the provider may be contractually obliged to you to ensure the privacy of your data, they may be even more obliged to abide by the laws of the state, and or country in which your data resides. So your organization's rights may get marginalized. Ask the question and weigh the risk.
Data loss and recovery: Data on the cloud is almost always encrypted; this is to ensure security of the data. However, this comes with a price - corrupted encrypted data is always harder to recover than unencrypted data. It's important to know how your provider plans to recover your data in a disaster scenario and more importantly how long it will take. The provider must be able to demonstrate bench-marked scenarios for data recovery in a disaster scenario.
What happens when your provider gets acquired: A seamless merger/acquisition on the part of your cloud provider is not always business as usual for you, the client. The provider should have clearly acknowledged and addressed this as one of the possible scenarios in their contract with you. Is there an exit strategy for you as the client - and what are the technical issues you could face to get your data moved someplace else? In short, what is your exit strategy?
Availability of data: The cloud provider relies on a combination of network, equipment, application, and storage components to provide the cloud service. If one of these components goes down, you won't be able to access your information. Therefore, it is important to understand how much you can do without a certain kind of information before you make a decision to put it on the cloud. If you are an online retailer, and your customer order entry system cannot be accessed because your application resides on the cloud that just went down, that would definitely be unacceptable. It's important to weigh your tolerance level for unavailability of your information against the vendors guaranteed uptime.
Cloud computing is relatively new in its current form, given that, it is best applied to specific low to medium risk business areas. Don't hesitate to ask questions, and if necessary, engage an independent consulting company to guide you through the process. Picking a cloud provider requires far more due diligence than routine IT procurement. At this stage there is no clear cut template for success. The rewards can be tremendous if the risks are well managed.
Read more about cloud computing in CIO's Cloud Computing Drilldown.