
Mike Small: Is cloud computing worth the hassle?

There are risks involved in going to the cloud, but they can be overcome.

To understand the risks involved, it is important to recognise that the cloud is not a single model. It covers a wide spectrum of service and delivery models, ranging from in-house virtual servers to software accessed by multiple organisations over the internet. The risks therefore depend on both the service model and the delivery model adopted. When moving to the cloud, the business requirements for the move must be understood and the service selected must meet those requirements. A good governance approach is the key to safely embracing the benefits the cloud provides. The first step is to identify the business requirements for the solution. This seems obvious, but many organisations are already using cloud services without knowing it, because individual departments have procured them outside the normal IT process.

It is wise to derive the service needs from the business requirements: some applications will be more business critical than others, and the required levels of availability, confidentiality and integrity follow from that. Organisations must also develop scenarios to understand the security threats and weaknesses that apply to the chosen model, and use these to decide on the response to each risk, in terms of the controls required and the questions the provider must answer. Considering these risks may lead to the conclusion that, for a particular application, the risk of moving to the cloud is too high. Finally, organisations must understand what the accreditations and audit reports offered by the provider actually mean and what they cover.

The risks associated with cloud computing depend on both the service model and the delivery model adopted. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through an external environment. Particular issues that need attention include ensuring compliance and avoiding lock-in. To manage risk, an organisation moving to the cloud should make a risk assessment using one of the several methodologies available. An independent risk assessment of cloud computing was undertaken by the European Network and Information Security Agency (ENISA). It identified 35 risks, classified according to their probability and their impact. Once the risks that matter to your organisation have been identified, they lead directly to the questions you need to ask the provider.

I propose the following questions. How is legal and regulatory compliance assured? Where will my data be geographically located? How securely is my data handled? How is service availability assured? How is identity and access managed? How is my data protected against privileged user abuse? What levels of isolation are supported? How are the systems protected against internet threats? How are activities monitored and logged? What certification does your service have?

The service provider may respond to these questions with reports from auditors and with certifications. It is important to understand what these reports cover. Note that a service auditor's report is an opinion on the controls that the service organisation itself describes: it tests whether the provider does what it says it does, not whether what it does is best practice. A service organisation may also provide an auditor's report against established criteria covering security, availability, processing integrity, privacy and confidentiality (the five Trust Services principles). Such a report need not cover all five; it will state which of the five areas are in scope, and it is up to the customer to evaluate whether the principles and criteria covered are appropriate for their needs.

Cloud computing can reduce costs by providing alternative models for the procurement and delivery of IT services. However, organisations need to consider the risks involved in a move to the cloud. The information security risks depend upon both the service model and the delivery model adopted. The common security concerns of a cloud computing approach are maintaining the confidentiality, integrity and availability of data. The best approach to managing risk is one of good IT governance, covering both cloud and internal IT services.

Originally published at PublicServiceEurope.com

Created: 18.11.11, modified: 14.02.12
