News Stay informed about the latest enterprise technology news and product updates.

Cloud computing forecast: Some risk ahead

Cloud computing is merely the latest form of application hosting, but clouds disassociated from a company's physical assets pose critical questions about third-party compliance.

Cloud computing is generating a flurry of interest as new services enter the market. Right now, cloud computing is fine for smaller companies seeking cheap computing capacity on a retail basis, but to find its place in large enterprise IT operations, it will have to meet tough requirements for governance, risk and compliance (GRC).

More on cloud computing
Cloud computing providers debate compliance, security and transparency

Cloud computing initiatives show wide range as VMware touts cloud OS
The successor to time-sharing and the application service providers of the dot-com boom era, cloud computing does those forerunners one better by letting customers launch a service without human interaction and often with just a credit card. Amazon Web Services (AWS) are often cited as the quintessential cloud service, with Google Inc.'s Google Apps not far behind. Sometimes mentioned in the same breath are the longer-established Software as a Service providers, such as Inc.

For customers, the question arises: Can anything so easy to use provide the reliability and security needed to run a business, protecting intellectual property and keeping customer data secure? Until that question is answered satisfactorily, businesses are unlikely -- with good reason -- to make a significant commitment to cloud services.

"The big issues are going to be privacy and security issues. The purchaser needs to get a comfort level with what's happening with data and where it will be. Everything flows from that," said Janine Bowen, a lawyer specializing in technology and intellectual property issues and a partner at McKenna Long & Aldridge LLP, an Atlanta law firm.

Jim Hietala, research director and principal of the Compliance Research Group, warned, "Just because you've outsourced the function, you haven't magically outsourced the risk. You still own the risk and liability. Risk management is the hurdle that cloud providers are going to have to cross to reach large enterprises."

What can go wrong: Murphy's Law in the cloud

The first worry of most customers is simple data security. Does a cloud provider implement sound security practices? Will confidential information be kept far from prying eyes? Reliability is also a major worry. Cloud services have suffered a number of well-publicized outages, proving that the concerns of customers are justified. Just where the data is located may be a concern -- will it remain in the U.S. or leave the country? Then there's vendor viability. Coghead Inc., a startup provider of cloud services for application developers, went out of business in early 2009. And when a vendor goes out of business, will the data and applications be portable to another provider?

Cloud providers are striving to address each of these concerns. Industry experts note that the security levels maintained by cloud providers are often higher than those of smaller companies that are often their customers. "Cloud security should be better than a company's own. In a cloud environment, economies of scale come into play. The cost is shared across dozens of clients. A 24/7 operations center can monitor how people access and protect data," said Niall Browne, chief information security officer at LiveOps Inc., a company that provides cloud-based contact center services.

To alleviate the concern about vendor viability as well as vendor lock-in, IBM and Cisco Systems Inc. announced in March the Open Cloud Manifesto, a pledge among cloud providers to maintain a set of open standards that would enable portability between services -- an important piece of insurance should a provider go out of business. The pledge quickly garnered several hundred adherents.

Where is the data?

Cloud computing, by its very nature, places data in limbo. "If you outsource to Acme in Bangalore, you know where the data might be either here or in Bangalore. But in the cloud the data could be anywhere in the world," said Peggy Eisenhauer, principal of Privacy & Information Management Services, an Atlanta-based consultancy.

Oftentimes, where the data is located does not matter. However, there are instances when it is very important. If a company handles data relating to citizens of European Union countries, the guidelines of the European Union Directive on Data Protection must be followed, regardless of the data's physical location.

"The data must be protected as if it were in Europe," said Michelle Dennedy, chief governance officer for cloud computing at Sun Microsystems Inc. There are other instances as well. For example, Dennedy said, in a private cloud that Sun created for the Canadian government, the data must remain within Canadian borders.

Tools for risk assessment

Even if many risks are addressed successfully, cloud computing -- like any IT operation -- will never be completely risk free. Experience has shown that outages will unexpectedly occur and vendors will come and go. So before you punch in a corporate credit card number, you should take stock of your company's tolerance for different kinds and levels of risk.

There are a number of standards and frameworks that address GRC as it relates to cloud services, although most came into existence before cloud computing burst onto the scene. No matter. The underlying principles haven't changed. "It's the same approach as for any outsourcing service. The governance and risk assessment process is the same," Eisenhauer said. Some assessment standards provide questionnaires for clients to send to service providers so they can make risk decisions. It often makes sense for both the cloud provider and cloud customer to rely on a third party to certify the cloud service as compliant with the standard.

The following are some of the most common guidelines:

  • The Payment Card Industry Data Security Standard (PCI DSS) specifies data security requirements for conducting credit card transactions. For a cloud service to accept credit card payment, its network must comply with PCI DSS. In addition, for the cloud service to handle credit card processing on behalf of customers, it must also comply with the standard.
  • BITS, a division of the Financial Services Roundtable, has a shared assessments program, an industry-sponsored approach to vendor risk management and compliance that covers outsourcing providers.
  • ISO/IEC 27002 provides best practice recommendations on information security management.
  • ISO 31000 is a guide to principles and implementation of risk management due to be published this year.
  • The Federal Financial Institution Exam Council (FFIEC) offers a guide to risk assessment for users of outsourced IT services. The FFIEC is an interagency body of the U.S. government that prescribes standards for federal agencies.
  • Statement on Auditing Standards No. 70 (SAS 70), compiled by the American Institute of Certified Public Accountants (AICPA), was originally created as a standard for data processing and other service providers. It encompasses two types of audit: Type I and Type II. Type I covers the service providers' controls at a given point in time; Type II includes Type I information as well as test results over six months.
  • Like SAS 70, the Generally Accepted Privacy Principles were compiled by the AICPA.

Large vs. small

The approach of large companies to assessing cloud service risk is likely to differ greatly from that of small companies. Although companies of all sizes should study the frameworks listed above, a large company, which could be a juicy target

Just because you've outsourced the function you haven't magically outsourced the risk. You still own the risk and liability.
Jim Hietala
research director and principalCompliance Research Group
for a company seeking to recover damages, should have its lawyers write detailed contracts including guarantees with cloud providers. A small company without an in-house legal staff would do better to work with a cloud provider that takes a proactive approach to risk and compliance by helping customers consider these issues and protect themselves.

Sun's Dennedy is working as a go-between for her company and future customers of Sun Cloud, a cloud computing service announced in March and slated to be available later in the year. Her job is to make sure that governance, risk and compliance, including the protection of intellectual property and personal privacy, are dealt with effectively when customers utilize Sun Cloud, so the risks to both customers and Sun are minimized. "I'm like a kind of Switzerland," sitting between the customer and Sun's cloud services, she said.

Another way of helping smaller companies address their concerns about risk is for third parties to certify the reliability of cloud providers. Because the guidelines are in the public domain, customers should demand their cloud providers conform to them. "Get a copy of their certification report," Browne advised.

Conclusion: Know thyself

It's important for users of cloud services to understand themselves as companies and the purposes for which they will use such services. Only then can they match their needs to the right services and manage the level of corresponding risk.

"Putting up a server in 10 minutes to handle innocuous information is one thing; processing mission-critical data is another," Browne said. He suggested that companies start small with a single cloud-based server or storage array and build on a successful experience to gradually add more critical data. Bowen echoed that note of caution. "Be intentional and careful about what you do and do not put in the cloud, and take the time to read the terms and conditions."

As companies grow, their needs as customers will change. They should therefore continually reassess their approach to risk. "Businesses need to do ongoing assessments and evaluation. You do risk assessments at a point in time," Hietala said, adding regulations are not stagnant but constantly evolving. That requires vigilance on the part of IT and compliance pros to keep up with them in order to maintain compliance.

As customers in greater numbers implement cloud-based services, cloud providers will come to a clearer understanding of their role in risk management. "When the providers hear from large customers what it will take for them to adopt -- risk management, compliance and visibility into control -- they will get there," Hietala said.

Stan Gibson is a Boston-based technology journalist.

Dig Deeper on Compliance framework software

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.