Cloud computing risks explored
Protiviti Inc. has warned organizations to have a clear understanding of the risks associated with the implementation of cloud computing, as the number of UK organizations adopting cloud-based solutions steadily rises.
Over the last two years, Protiviti has seen a significant increase in demand from organizations requesting advice, including clear guidelines on selecting a cloud provider and on best practice implementation.
Recent outages at two major cloud providers, and security breaches at outsourced providers of services such as payment processing and email marketing, illustrate the reality of the risks associated with using cloud providers. Such risks could lead to loss of data, loss of system availability and reputational damage. Whilst these risks can be managed, enterprises need to play an active role in ensuring that risk exposure is reduced and that appropriate mitigating activities are undertaken to anticipate scenarios where vulnerabilities may occur. The choice of provider and decisions regarding the cloud strategy to adopt (private cloud, hybrid model, public cloud) will have a significant impact on the exposures that enterprises will have to face in the future.
Due to the quantity and quality of critical data being transferred to and held by cloud providers, Protiviti is advising organizations to ensure that appropriate governance and risk management are applied. In the cloud, businesses lose control of their hardware and software, as they depend on a third-party company, sometimes in another region or continent, to maintain the infrastructure that their business runs on. Organizations moving into the cloud could encounter risks such as having data and business processes stolen by a competitor if the move is not managed correctly.
Protiviti highlights several risks faced by organizations in the cloud computing process:
* Reliability. The business will be heavily dependent on an external independent supplier to ensure the service is available at critical times. Furthermore, the business will have much less control over the timing and/or duration of planned outages for maintenance.
* Security. Corporate information is being entrusted to a third party and will no longer be maintained on a company’s server under its own control. The business will be increasingly dependent on third parties to keep sensitive data secure. Consideration will also need to be given to the impact on confidentiality clauses and Non-Disclosure Agreements already signed with customers and suppliers.
* Immaturity of cloud suppliers. Because cloud computing is a new way of delivering IT services, there is no long-established track record of success, either from new companies specialising in cloud services or from established technology companies now providing cloud services.
* Legal jurisdiction implications. Given the flexibility which forms the basis of the business model for cloud suppliers, it is possible that data could be held on servers anywhere in the world at any time.
* Business continuity issues. Whilst cloud services generally are resilient and reliable, in order to provide assurance on business continuity, any disaster planning must take into account the implications of services currently operating in the cloud that may be disrupted.
* Potential for growth in ‘shadow IT’. Given the range of services offered by cloud suppliers and the relative ease with which such services can be provided and set up, there is potential for individual business departments to satisfy at least part of their own IT needs through directly contracting with an external cloud supplier.
* Impact on IT department morale. The impact of traditional outsourcing on the current internal providers needs to be managed in a sensitive and informed way; the potential move to the cloud also needs the same sensitivity.
• Date: 25th May 2011 • Region: UK/World • Type: Article • Topic: Cloud computing