Mike Small: Ensuring business continuity in the Cloud

January 2012 by Mike Small, CEng, FBCS, CITP

The cloud offers enhanced IT service availability and flexibility, but customers need to understand their responsibilities to achieve this.

Cloud computing provides an opportunity for organizations to optimize the procurement of IT services from both internal and external suppliers. The cloud is not a single model, but covers a wide spectrum ranging from applications shared among multiple tenants to virtual servers used by a single customer. The risks associated with cloud computing depend upon both the service model and the delivery model adopted. This article focuses on two specific risks: availability and lock-in.

A major objective of IT services is that systems, applications and data are available to authorized users when and where they are needed. A benefit of the cloud is that, because of its scale, it can potentially deliver services that are more resilient to failure and more responsive to changing levels of demand. However, adopting cloud computing necessarily cedes some control over the IT infrastructure to the cloud service provider (CSP). So how can an organization adopting the cloud make sure that this will still satisfy its need for business continuity?

Organizations adopting the cloud need to determine the business needs for continuity of any services and/or data being moved to the cloud. They should have policies, processes and procedures in place to ensure that those continuity requirements are met. These involve not only the CSP, but also the customer and the intermediate infrastructure on which the service depends, such as telecommunications and power supplies. These policies, processes and procedures for the cloud should form part of a complete business continuity plan. Global IT association ISACA has developed IT Control Objectives for Cloud Computing and other resources that can assist organizations with this plan (www.isaca.org/cloud).

It is often claimed that the cloud provides flexibility, but how easy is it to change CSPs? A number of factors can make changing providers difficult. There may be contractual costs incurred on termination of the service contract. The ownership of the data held in the cloud may not be clear, and return of the data on termination of the contract may be costly or slow. When data are returned, they may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, PaaS in particular) may be based on a proprietary architecture and interfaces, making it very difficult to migrate to another provider.

Organizations need to balance the benefits of adopting a particular cloud model and CSP against the potential risks and costs of becoming locked into that provider. Contracts should be carefully reviewed to ensure that ownership of data is clear and the terms for its return on termination of contract are acceptable. The risks of building business services based on a proprietary technical architecture are high and technical standards should be adopted where possible.

When selecting a CSP, how can the customer ensure that the claims (for example, regarding service availability) made by the potential providers can be substantiated? The customer may wish to perform an audit of the provider, but it may not be practical for the provider to allow every potential customer to perform its own audit. Certification of providers by a trusted third party is a way to satisfy this need.

Certification of providers can provide an independent confirmation of their claims about the services provided. However, it is important to understand exactly what the resulting service organization controls (SOC) reports cover, and what they leave out.


Mike Small is a senior analyst at KuppingerCole, a member of the ISACA London Chapter’s Security Advisory Group and a fellow of the BCS. Previously, Small worked for CA, where he developed CA’s identity and access management product strategy. He is a frequent speaker at IT security events around EMEA, including ISACA’s Information Security and Risk Management (ISRM) conferences.

