Protiviti Inc., a global business consulting and internal audit firm, has today warned organisations to have a clear understanding of the risks associated with the implementation of cloud computing, as the number of UK organisations adopting cloud-based solutions steadily rises.
Over the last two years, Protiviti has seen a significant increase in demand from organisations requesting advice, including clear guidelines on selecting a cloud provider and on best practice implementation.
By switching to cloud computing, companies can significantly reduce overheads as they will no longer house their own hardware and software. Instead, they can pay for the provision of services as and when they are needed on a revenue basis. Industry analysis* has predicted that by 2012, a fifth of companies will house no IT infrastructure of their own.
Ryan Rubin, UK head of security and privacy at Protiviti said: “Sensible and properly selected cloud computing usage can bring long-term, bottom line benefits to companies. However, as with all new initiatives, the balance between risk and reward will need careful evaluation. Many enterprises and their employees are already using the cloud for software as a service solutions such as Salesforce.com or simple email solutions such as social networking sites such as twitter, Facebook, linked-in and web email hosting platforms such as Hotmail and Yahoo.”
“All enterprises are different in their attitude to risk and their approach to cloud adoption will require careful analysis of the opportunities and equally clear identification and management of the risks.”
Recent outages from two major cloud providers and security breaches of outsourced providers of services such as payment processing and email marketing illustrate the reality of risks associated with using cloud providers. Such risks could lead to a potential loss of data, availability of systems and reputational damage. Whilst these risks can be managed, enterprises need to play an active role in ensuring that risk exposure is reduced and appropriate mitigating activities are undertaken to anticipate scenarios where vulnerabilities may occur. The choice of provider and decisions regarding the cloud strategy to adopt (private cloud, hybrid model, public could) will have a significant impact on the exposures that enterprises will have to face in the future.
Due to the quantity and quality of critical data being transferred and held by cloud providers, Protiviti is advising organisations to be careful to ensure appropriate governance and risk management is applied. In the cloud, businesses lose control of their hardware and software, as they depend on a third party company, sometimes in another region or continent, to maintain the infrastructure that their business runs on. Organisations moving into the cloud are potentially liable to encounter such risks as having data and business processes stolen by a competitor if it’s not managed correctly.
Ryan Rubin, continues: “Even if a company retains ownership rights to its data, storing it elsewhere may open up the hosting company to some disclosure through official requests such as Freedom of Information Act requests. Another such worry by organisations is data breach, as information held in the cloud moves to unauthorised jurisdictions.”
Protiviti highlights several risks faced by organisations in the cloud computing process:
• Reliability. The business will be heavily dependent on an external independent supplier to ensure the service is available at critical times. Furthermore, the business will have much less control over the timing and/or duration of planned outages for maintenance.
• Security. Corporate information is being trusted to a third party and will no longer be maintained on a company’s server under its own control. The business will be increasingly dependent on third parties to keep sensitive data secure. Consideration will also need to be given to the impact on confidentiality clauses and Non Disclosure Agreements already signed with customers and suppliers.
• Immaturity of cloud suppliers. Being a new way of delivering IT services there is no long established track record of success either from new companies specialising in cloud services or from established technology companies now providing cloud services.
• Legal jurisdiction implications. Given the flexibility which forms the basis of the business model for cloud suppliers, it is possible that data could be held on servers anywhere in the world at any time.
• Business continuity issues. Whilst cloud services generally are resilient and reliable, in order to provide assurance on business continuity, any disaster planning must take into account the implications of services currently operating in the cloud that may be disrupted.
• Potential for growth in ‘shadow IT’. Given the range of services offered by cloud suppliers and the relative ease with which such services can be provided and set up, there is potential for individual business departments to satisfy at least part of their own IT needs through directly contracting with an external cloud supplier.
• Impact on IT department morale. The impact of traditional outsourcing on the current internal providers needs to be managed in a sensitive and informed way; the potential move to the cloud also needs the same sensitivity.
Ryan Rubin, concludes: “Whilst the case for adopting at least some measure of cloud computing is compelling, as with all technology-based solutions, there are risks associated with the cloud. Most of these are traditional risks that businesses have long had to manage and mitigate and are similar to other IT outsourcing risks. However, some of the risks become more relevant or more complex in relation to cloud computing.
“If a company has to keep sensitive information such as financial or personal records, a hybrid solution can be worked out to keep some data secure in-house while still leveraging the power of the cloud. There are several traditional and emerging IT governance frameworks available to enterprises to assess cloud providers and assist in identifying business risks and service priorities. We encourage enterprises to apply these frameworks as a matter of course when evaluating cloud providers or negotiating contracts prior to taking on new services”