Cloud computing is generating a flurry of interest as new services enter the market. Right now, cloud computing is fine for smaller companies seeking cheap computing capacity on a retail basis, but to find its place in large enterprise IT operations, it will have to meet tough requirements for governance, risk and compliance (GRC).
For customers, the question arises: Can anything so easy to use provide the reliability and security needed to run a business, protecting intellectual property and keeping customer data secure? Until that question is answered satisfactorily, businesses are unlikely -- with good reason -- to make a significant commitment to cloud services.
"The big issues are going to be privacy and security issues. The purchaser needs to get a comfort level with what's happening with data and where it will be. Everything flows from that," said Janine Bowen, a lawyer specializing in technology and intellectual property issues and a partner at McKenna Long & Aldridge LLP, an Atlanta law firm.
Jim Hietala, research director and principal of the Compliance Research Group, warned, "Just because you've outsourced the function, you haven't magically outsourced the risk. You still own the risk and liability. Risk management is the hurdle that cloud providers are going to have to cross to reach large enterprises."
What can go wrong: Murphy's Law in the cloud
The first worry of most customers is simple data security. Does a cloud provider implement sound security practices? Will confidential information be kept far from prying eyes? Reliability is also a major worry. Cloud services have suffered a number of well-publicized outages, proving that the concerns of customers are justified. Just where the data is located may be a concern -- will it remain in the U.S. or leave the country? Then there's vendor viability. Coghead Inc., a startup provider of cloud services for application developers, went out of business in early 2009. And when a vendor goes out of business, will the data and applications be portable to another provider?
Cloud providers are striving to address each of these concerns. Industry experts note that the security levels maintained by cloud providers are often higher than those of smaller companies that are often their customers. "Cloud security should be better than a company's own. In a cloud environment, economies of scale come into play. The cost is shared across dozens of clients. A 24/7 operations center can monitor how people access and protect data," said Niall Browne, chief information security officer at LiveOps Inc., a company that provides cloud-based contact center services.
To alleviate the concern about vendor viability as well as vendor lock-in, IBM and Cisco Systems Inc. announced in March the Open Cloud Manifesto, a pledge among cloud providers to maintain a set of open standards that would enable portability between services -- an important piece of insurance should a provider go out of business. The pledge quickly garnered several hundred adherents.
Where is the data?
Cloud computing, by its very nature, places data in limbo. "If you outsource to Acme in Bangalore, you know where the data might be: either here or in Bangalore. But in the cloud the data could be anywhere in the world," said Peggy Eisenhauer, principal of Privacy & Information Management Services, an Atlanta-based consultancy.
Often, where the data is located does not matter, but in some cases it matters a great deal. If a company handles personal data of residents of European Union countries, the requirements of the EU Data Protection Directive (95/46/EC) must be followed, regardless of where the data is physically stored.
"The data must be protected as if it were in Europe," said Michelle Dennedy, chief governance officer for cloud computing at Sun Microsystems Inc. There are other instances as well. For example, Dennedy said, in a private cloud that Sun created for the Canadian government, the data must remain within Canadian borders.
Tools for risk assessment
Even if many risks are addressed successfully, cloud computing -- like any IT operation -- will never be completely risk free. Experience has shown that outages will unexpectedly occur and vendors will come and go. So before you punch in a corporate credit card number, you should take stock of your company's tolerance for different kinds and levels of risk.
There are a number of standards and frameworks that address GRC as it relates to cloud services, although most came into existence before cloud computing burst onto the scene. No matter. The underlying principles haven't changed. "It's the same approach as for any outsourcing service. The governance and risk assessment process is the same," Eisenhauer said. Some assessment standards provide questionnaires for clients to send to service providers so they can make risk decisions. It often makes sense for both the cloud provider and cloud customer to rely on a third party to certify the cloud service as compliant with the standard.
The following are some of the most common guidelines:
- The Payment Card Industry Data Security Standard (PCI DSS) specifies security requirements for any system that stores, processes or transmits cardholder data. For a cloud service to accept credit card payment itself, the systems handling that data must comply with PCI DSS; if the service processes cards on behalf of its customers, the environment it provides to them must comply as well.
- BITS, a division of the Financial Services Roundtable, has a shared assessments program, an industry-sponsored approach to vendor risk management and compliance that covers outsourcing providers.
- ISO/IEC 27002 provides best practice recommendations on information security management.
- ISO 31000 is a guide to principles and implementation of risk management due to be published this year.
- The Federal Financial Institutions Examination Council (FFIEC) offers a guide to risk assessment for users of outsourced IT services. The FFIEC is an interagency body of U.S. financial regulators that prescribes uniform principles and standards for the federal examination of financial institutions.
- Statement on Auditing Standards No. 70 (SAS 70), compiled by the American Institute of Certified Public Accountants (AICPA), was originally created as a standard for data processing and other service providers. It encompasses two types of audit report: Type I and Type II. A Type I report describes the service provider's controls as designed at a single point in time; a Type II report includes the Type I information plus the results of testing whether those controls operated effectively over a review period, typically at least six months.
- Like SAS 70, the Generally Accepted Privacy Principles were compiled by the AICPA.
Large vs. small
The approach of large companies to assessing cloud service risk is likely to differ greatly from that of small companies. Although companies of all sizes should study the frameworks listed above, a large company, which could be a juicy target
Sun's Dennedy is working as a go-between for her company and future customers of Sun Cloud, a cloud computing service announced in March and slated to be available later in the year. Her job is to make sure that governance, risk and compliance, including the protection of intellectual property and personal privacy, are dealt with effectively when customers utilize Sun Cloud, so the risks to both customers and Sun are minimized. "I'm like a kind of Switzerland," sitting between the customer and Sun's cloud services, she said.
Another way of helping smaller companies address their concerns about risk is for third parties to certify the reliability of cloud providers. Because the guidelines are publicly available, customers should demand that their cloud providers conform to them and show evidence of it. "Get a copy of their certification report," Browne advised.
Conclusion: Know thyself
It's important for users of cloud services to understand themselves as companies and the purposes for which they will use such services. Only then can they match their needs to the right services and manage the level of corresponding risk.
"Putting up a server in 10 minutes to handle innocuous information is one thing; processing mission-critical data is another," Browne said. He suggested that companies start small with a single cloud-based server or storage array and build on a successful experience to gradually add more critical data. Bowen echoed that note of caution. "Be intentional and careful about what you do and do not put in the cloud, and take the time to read the terms and conditions."
As companies grow, their needs as customers will change. They should therefore continually reassess their approach to risk. "Businesses need to do ongoing assessments and evaluation. You do risk assessments at a point in time," Hietala said, adding that regulations are not static but constantly evolving. That requires vigilance on the part of IT and compliance pros to keep up with them in order to maintain compliance.
As customers in greater numbers implement cloud-based services, cloud providers will come to a clearer understanding of their role in risk management. "When the providers hear from large customers what it will take for them to adopt -- risk management, compliance and visibility into control -- they will get there," Hietala said.
Stan Gibson is a Boston-based technology journalist.