The benefits and risks of cloud computing
Educating yourself and your people on the benefits and risks associated with cloud computing is of the utmost importance.
Cloud computing is here and virtually every organisation is using it in some way, shape, or form. We look below at the opportunities presented by cloud computing, the risks associated with housing your sensitive data in the cloud, using virtual computing environments and vendor management considerations for those exploring their cloud options.
What is ‘the cloud’?
‘The cloud’ is an all-encompassing term for a virtualised information technology (IT) computing environment in which individuals and businesses work with applications and data stored and maintained on shared computing platforms. These may be hosted ‘on the Internet’ or run from in-house systems (i.e. a private cloud). Google's popular email system, Gmail, is an example of a cloud-based application, but this is just one model. Apple’s iCloud is another example. There are three main cloud service models — software as a service, platform as a service, and infrastructure as a service — deployed in four types of settings — private, community, public and hybrid clouds.
- Software as a service (SaaS) provides integrated access to a provider’s software applications. The provider usually has responsibility for nearly all the controls.
- Platform as a service (PaaS) provides access to basic operating software and services to develop and use customer-created software applications. Control responsibility can vary and is shared between provider and customer.
- Infrastructure as a service (IaaS) provides access to server hardware, storage, network capacity, and other fundamental computing resources. Most of the controls are the customer’s responsibility.
- Private cloud is accessible from the intranet or internally hosted, and used by a single organisation.
- Community cloud has infrastructure accessible to a specific community, group, or association.
- Public cloud is accessible from the internet, externally hosted, and used by the general public.
- Hybrid cloud is a combination of two or more clouds.
Cloud computing provides a scalable online environment that makes it possible to handle an increased volume of work without impacting system performance. Cloud computing also offers significant computing capability and an economy of scale that might not otherwise be affordable, particularly for small and medium-sized organisations, without the IT infrastructure investment. Cloud computing advantages include:
- Lower capital costs — Organisations can provide unique services using large-scale computing resources from cloud service providers, and then nimbly add or remove IT capacity to meet peak and fluctuating service demands while only paying for actual capacity used.
- Lower IT operating costs — Organisations can rent added server space for a few hours at a time rather than maintain proprietary servers, without worrying about upgrading their resources whenever a new application version is available. They also have the flexibility to host their virtual IT infrastructure in locations offering the lowest cost.
- Improved operations — Organisations can reduce the need to handle hardware or software installation or maintenance.
- Improved BCP/DR infrastructure — Organisations may leverage the process to create more robust disaster recovery and business continuity features and services, if properly managed.
- Higher efficiency — Organisations may be able to optimize their IT infrastructure and gain quick access to the computing services required.
Evaluating your options
- Environmental security — The concentration of computing resources and users in a cloud computing environment represents a concentration of security threats. Because of their size and significance, cloud environments are often targeted by malware aimed at virtual machines, bot malware, brute-force and other attacks. Ask your cloud provider about access controls, vulnerability assessment practices, and patch and configuration management controls to confirm that they are adequately protecting the systems and your data.
- Data privacy and security — Hosting confidential data with cloud service providers involves the transfer of a considerable amount of an organisation's control over data security to the provider. Make sure your vendor understands your organisation’s data privacy and security needs. Also, make sure your cloud provider is aware of the relevant data security and privacy rules and regulations that apply in your particular jurisdiction.
- Data availability and business continuity — A major risk to business continuity in the cloud computing environment is loss of internet connectivity. Ask your cloud provider what controls are in place to ensure internet connectivity. Ensure that you have a backup plan for when the service is not available (not if it is not available). If a vulnerability is identified, you may have to terminate all access to the cloud provider until the vulnerability is rectified. Finally, the seizure of a data-hosting server by law enforcement agencies may result in the interruption of unrelated services stored on the same machine.
- Record retention requirements — If your business is subject to record retention requirements, make sure your cloud provider understands what they are so it can meet them. This should include litigation preparedness and litigation hold requests.
- Data management — Many organisations do not know where their data is or where it flows, so it becomes difficult to manage. Organisations are often unaware of any subcontractor arrangements, which increases the complexity and the need to manage and control the processes.
- Disaster recovery — Hosting your computing resources and data at a cloud provider makes the cloud provider’s disaster recovery capabilities vitally important to your company’s disaster recovery plans. Know your cloud provider’s disaster recovery capabilities and ask your provider if they have been tested.
- Transitioning — Organisations seem to be less well prepared in the event that they want to cease or change the contractual relationship. Ensure you know how you will get your information back and what the associated costs might be.
Many cloud provider options are available, each with unique risks. As you evaluate your choices and the associated risks, consider the following:
- Be diligent about understanding which controls the cloud provider is responsible for, and which controls they expect you to be responsible for. The further down the “cloud stack” you go (SaaS → PaaS → IaaS) the more responsibility for controls you assume.
- Cloud providers are sometimes reluctant to produce third-party audit reports unless an audit clause is included in the contract. Work to include audit clauses and other relevant, measurable Service Level Agreements (SLAs) in your contract. Some service providers may require clients to pay for reports.
- Some internal audit departments are performing control reviews of cloud providers, in addition to receiving and analysing third-party audit reports. This is driven by certain controls not being tested, exclusion of pertinent systems, or other factors that require on-site testing.
- Evaluate the capabilities for problem resolution. How will the provider work with you to resolve issues? Do you have a nominated individual who will help or are you at the mercy of a help line and a timeline that does not meet your needs? Standard cloud provider audit reports typically do not include vulnerability/penetration testing results. Providers are hesitant to allow scanning, as they believe this may compromise their infrastructure.
Cloud computing is a widely used format and we don't see this changing anytime soon. Knowing that you are managing the risks associated with housing your sensitive data offsite will give you confidence with the platform, so you can take advantage of the opportunities presented by the cloud. You will be well served to manage this relationship just like any other well-managed and monitored, well-contracted arrangement with a significant vendor.
For more information, contact:
Sue Ulrey, Risk Services Principal
T +1 317 574 9100
Randy Romes, Information Security Principal
T +1 612 397 3114