Cloud computing provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of information technology (IT) service delivery models beyond managed and hosted services to a form that is packaged and commoditized. However, many organizations are sleepwalking into the cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource the organization's responsibilities. There are issues that may be forgotten or ignored when adopting cloud computing strategies. In a recent survey by global nonprofit IT association ISACA, 30 percent of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise's security in the next 12 months.
Most people are aware of the concept of the seven deadly vices that are said to explain human weaknesses. These are wrath, greed, sloth, pride, lust, envy and gluttony, and are sometimes referred to as the seven deadly sins. Of these vices one above all can lead to problems with cloud computing—sloth. Clearly, a good understanding of cloud is critical, as is effective governance over the cloud.
Sloth affects cloud computing activities because it can lead to inattention to details such as:
- Not knowing you are using the cloud: This sounds irrational, but it happens more frequently than would be expected. It is easy to buy a cloud service using a credit card—and your organization may be using the cloud without the appropriate people knowing about it. When you buy the cloud service that way, it is likely that you have agreed to the terms and conditions set by the provider and these may not be appropriate for your needs. You should ensure that there is a proper process for obtaining a cloud service and that it is followed. For definitions of various cloud types, view a free guide from ISACA at www.isaca.org/cloud.
- Not assuring legal and regulatory compliance: Many organizations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that you will not lose this compliance if you move these systems into the cloud.
- Not knowing which data are in the cloud: One of the key legal requirements for many organizations is compliance with data privacy laws. These mandate where personally identifiable data can be held and how they must be processed. If you don't know what data you are moving to the cloud, you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data such as spreadsheets, presentations and documents. It is essential that you identify and classify data you are moving to the cloud to manage risks and ensure compliance.
- Not managing identity and access to the cloud: Controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application are moved to the cloud. The best way to achieve this is through the use of identity federation based on standards such as Security Assertion Markup Language (SAML) and Active Directory Federation Services (ADFS).
- Not managing business continuity and the cloud: Organizations adopting the cloud need to determine the business needs for continuity of any services and/or data being moved to the cloud. To support this they should have policies, processes and procedures in place to ensure that these business requirements are met. These involve not only the cloud service provider, but also the customer as well as intermediate infrastructure such as telecommunications and power suppliers.
- Becoming locked-in to one provider: It is often claimed that the cloud provides flexibility, but how easy is it to change a cloud service provider? A number of factors can make changing providers difficult. For example, there may be contractual costs incurred on termination of the service contract. The ownership of the data held in the cloud may not be clear, and return of the data on termination of contract may be costly or slow. When data are returned they may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, platform as a service [PaaS] in particular) may be based on a proprietary architecture and interfaces, making it very difficult to migrate to another provider.
- Not managing your cloud provider: You need to manage your cloud provider just like any other outsourced IT service provider. This means defining and agreeing to metrics via service level agreements and then making sure that these are achieved. A customer may wish to perform an audit of the provider, but it may not be practical for the provider to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. However, it is important to understand what these service organization controls (SOC) reports cover. Taking a good governance approach, such as COBIT (www.isaca.org/cobit), is the key to safely embracing the cloud and the benefits that it provides.
About The Author
Mike Small is a member of the London Chapter of ISACA, a fellow of the BCS, and an analyst at KuppingerCole. Until 2009, Mike worked for CA where he developed CA's identity and access management product strategy. He is a frequent speaker at IT security events around EMEA. He will be speaking at the ISACA EuroCACS/ISRM conference, on 10-12 September 2012, in Munich, on the subject of identity and access solutions, access governance, ensuring business continuity in the cloud and avoiding lock-in in the cloud.