Cloud computing is popular, but it pays to examine the pitfalls to ensure that you make an informed choice before putting your data into the hands of cloud service providers.
What do real CSOs and CISOs think of cloud security issues, and what do they do when under pressure to reduce IT costs? A recent survey conducted by ISACA of over 1,800 U.S.-based IT professionals found that most mission-critical IT services continued to be delivered in-house, with only 10% of respondents saying they planned to use cloud computing for mission-critical IT services in the future. One in four said they did not plan to use cloud providers for any IT services.
Jim Reavis from the Cloud Security Alliance concedes that ‘Compliance is a major “hindrance”, causing enterprises to take a slow approach to many cloud-based projects ... It’s one thing if you get hacked and you have the auditor signed off on IT, but in the cloud if you get hacked and don’t have the auditor signed off, you can lose your job.’
(ISC)², the certification body that manages the CISSP certification, asked 36 participants in its anonymous annual survey of federal government CISOs about their uses of cloud computing. 72% said they do not yet use cloud computing because of uncertainties about cloud computing security. These CISOs said they were happy to use cloud computing for non-sensitive applications or for data with no sensitivity in the event of loss. That reflects what we are hearing: with the right provider safeguards, companies are comfortable outsourcing some non-business-critical applications and data to the cloud but, in the foreseeable future, nothing else.
Cloud computing is attractive for its low-cost, low-support ‘user pays’ model. However, any decision to use this facility for non-trivial data and applications needs to be taken with care, and must take into account the potential consequences for your organisation. Likewise, any business case for cloud computing must include the potential costs to mitigate or rectify problems. These costs are real and must be offset against the benefits.
As Nigel Stanley from Bloor Research advised: ‘Issues that surround the outsourcing of data to a third party, no matter how trusted, are complex and involved. The level of care and due diligence needed before entering into a service agreement with a supplier is great and the cost of making a mistake can be huge. A cloud computing solution, appropriately designed and backed up with decent security and reliability, is undoubtedly a very useful business tool. But like life in general, let the buyer beware.’
More recently, Stanley added another caution: ‘The race to the cloud has seen a number of organisations fall foul of data protection regulations and issues such as data privacy. Of course the cloud delivers some interesting business benefits but these must be balanced against the associated security and regulatory issues - joining the dots between security and compliance initiatives when talking about cloud computing can be very tricky.’
It is clear that you need to evaluate carefully the security, regulatory and legal protection surrounding the custody of your data, whether it is handled internally, by a cloud provider, or by a combination of both. Either way, the security posture and the reputation of your business will depend on your making a business decision that is fully informed.