contact about cloud summit register login

Cloud and a risky business

Posted by Stuart Lauchlan on Wed, 09/11/2011 - 12:01
cost-risk-analysis.jpeg

Cloud Computing has created a new, more savvy breed of business user, but this in turn brings fresh security implications that many organisations are not yet addressing.

That’s one of the top line conclusions of a new report from Ernst & Young (E&Y) – Into the Cloud, Out of the Fog – which warns that while Cloud is empowering organisations to throw off the shackles of having to contend with the burden of in-house infrastructure management, it is also throwing up new concerns. The report notes:   

As Cloud Computing is evolving, so are the buyers of cloud services. Savvy business professionals have recognized the speed and efficiencies that embracing cloud technology can bring. Cloud computing has given birth to a new breed of business user: a sophisticated consumer who can choose which services to consume and combine them as easily as ordering from a menu.
 

But the consultancy goes on to argue that many organizations are unclear of the implications of the Cloud. This is resulting in a focus on spending additional resources on security. Out of 16 information security areas, respondents named Cloud Computing as their top funding priority for the coming 12 months and second among all other categories in the areas most likely to receive more — rather than less — funding than the previous year.

The move towards the Cloud is coming at least in part at the expense of traditional outsourcing with E&Y finding that 61% of respondents are currently using, evaluating or planning to use Cloud Computing-based services within the next 12 months, up 16% year on year. Like outsourcing before it, moving to Cloud Computing can create a new set of dependencies on third party organisations at the expense of internal knowledge and skills. E&Y warns:   

As organisations become increasingly locked in to their Cloud provider, they also face compliance risks, contracting and legal risks, and integration risks. Moving to the cloud is not just another change programme; it is nothing less than a complete transition of business processes, including the risks associated with it.
 

What all this means is that organizations still struggle with the integration of external Cloud Computing into their business. E&Y notes that in 2011, 48% of respondents listed the implementation of Cloud Computing as a difficult or very difficult challenge, and just over half have not implemented any controls to mitigate the risks associated with Cloud Computing. This can mean dangers ahead, advises E&Y:   

In exchange for highly configurable, rapidly deployed, externally managed applications, organizations are making trade-offs — whether they realize it or not. Governing bodies, such as audit and compliance, view these trade-offs as being dangerous due to the lack of expertise or experience by some of the individuals making such risky decisions.
 

What typically happens is that organisations end up taking decisions over which areas to prioritise with the most frequently taken measure being stronger oversight on the contract management process with Cloud providers. But E&Y notes that even this is only done by 20% of respondents, indicating a high and possibly misguided level of trust. Things may yet get worse, cautions the consultancy:   

 In the absence of clear guidance, many organizations seem to be making ill-informed decisions, either moving to the Cloud prematurely without appropriately considering the associated risk, or avoiding it altogether. The survey results indicate that although many organizations have moved to the Cloud, many have done so reluctantly, evidenced by 80% of respondents who are challenged to deliver information security initiatives for new technologies such as Cloud Computing and virtualization.
 

In the end it all comes down to trust it seems, rather than formal validation, verification and certification, but there is recognition that this needs to change. Almost 90% of respondents favour external certification, with nearly half (45%) wanting agreed-upon standards. In addition, E&Y notes that many organisations have begun the governance process, through use of service attestation registries and consistent audit frameworks.

But in the end the consultancy concludes there is a need for the Cloud market to grow up:   

The Cloud industry needs to evolve. Currently, the appeal of extensibility, customisation and low cost is driving decisions to use Cloud services. However, real risks exist, and the use of Cloud-based services should be weighed in the context of the benefits they deliver.
 

Now on techcloud 9

Commenting on the cloud

Next | Previous

Twitter feed

Tag cloud

more tags