As you know, change management is critical to the long-term success of every organization. This is especially true when it comes to IT, where change happens at an astonishing pace. But is your organization where it needs to be?
Guidance for Your Change Management Strategy
There is something equally exhilarating and frightening about change. It is a necessary factor in moving forward and growing as a business, but it’s also unfamiliar and intimidating. Unless you have a strategy in place for managing change – particularly on the IT front – it’s quite likely that you’ll focus more on fear and anxiety than hope and excitement.
That being said, here are some tips to help you approach IT change management from a strategic perspective.
Change management is all about planning ahead and being proactive. Once an issue already has occurred, or your organization finds itself in the midst of a major shift, it is too late. Doing damage control or trying to put out fires will take valuable energy away from other important tasks. Start early and always anticipate what will happen next.
Choose the right software
You don’t have to take on change management all by yourself. Automating parts of the process with the right tools can make all the difference. Change management software, such as a help desk or ticketing system, can simplify the process with configurable workflows and automated handling of change requests and approvals, and it leaves an audit trail of who requested, approved and implemented each change.
It’s also helpful to have some sort of communication tool integrated within your change management software that allows you to reach all key stakeholders whenever and wherever they are. The sooner people are involved in the process, the faster you can get things moving on the right track.
Choosing the right tools becomes even more important the larger the organization is. This is something the California State University (CSU) system has discovered firsthand when it comes to making key changes to its IT system.
Any IT system change that occurs on the main campus has to also go through each of the 23 satellite campuses and the thousands of employees, faculty and students at these locations. So, whereas a small change might not have a major impact at the main campus, it can have drastic effects when compounded over two dozen campuses. In order to simplify the process and make it easier to manage, CSU uses an automated change management system from Cisco that allows upgrades to occur automatically across the entire system. The results at CSU have been far better than if change management were handled manually.
Focus on the outcome
While change management is all about taking the necessary steps to move from Point A to Point B in the most seamless and efficient way possible, the focus always has to be on the outcome. When it’s all said and done, change management exists to ensure your IT department is set up for future success.
One of the biggest mistakes organizations make is assuming that change management is all about deploying the right technologies and setting up the appropriate processes. While these are certainly important components of change management, it’s actually your employees who have to execute.
“If these individuals are unsuccessful in their personal transitions, if they don’t embrace and learn a new way of working, the initiative will fail,” explains Prosci, a leading change management firm. “If employees embrace and adopt changes required by the initiative, it will deliver the expected results.”
You have to learn to prioritize engagement of all key stakeholders; otherwise, you’ll find it challenging to make any progress. Start preparing them early and often.
At the end of the day, change never happens as anticipated. You may have a perfect plan for what you think will happen – and even have complete buy-in from all individuals and departments involved – but something will inevitably go awry. A willingness to adjust will serve you well.
Overlook IT change management at your own peril
The word “change” probably evokes a range of emotions. Your mind may jump to past experiences of change that were negative or unwelcome. Or, perhaps you have had good experiences with change and get excited at the thought of doing something new. But regardless of your personal history with change, you need to prepare your enterprise for the future by developing a specific change management strategy. Embracing technology-driven change management is vital if you want to be successful in the modern business world.
One of the biggest technology advancements in recent years is the expansion of the cloud, which gives users storage beyond what fits on their computers or mobile devices, with documents, videos and pictures conveniently stored in one place and reachable from any device.
Like a commercial security system, the cloud can be used to protect documents and other private information. Companies that use the cloud both for storage and for security functions benefit from unprecedented scalability, quick deployment and cost savings. There are also risks: a greater chance of unauthorized access to private information, legal and jurisdictional exposure, and a loss of direct control.
As more organizations make the switch to the cloud, the question of who is actually in control becomes blurred. A business owner decides how the business is run, but when it comes to the service itself, the vendor holds the cards. For example, the vendor can change its pricing at any moment, and a company whose operations depend on the service has little choice but to pay whatever is asked to keep it running. Exit terms and data portability therefore belong in the contract before the dependency exists, not after.
Vendors are also having difficulty adapting to the changes caused by the outbreak. As they scramble to keep up, they can lose control of the situation. A survey by ScienceLogic found that fewer than one-third of IT professionals actually have the control they need to keep their business moving forward efficiently.
Cloud use is growing faster than the ability of organizations to govern it, which produces security exposures and unnecessary cost. As concerning as that is, the cloud also opens up new business techniques and opportunities that enable innovation. Businesses worried about the future want to know how best to help the company succeed, and the answer sometimes involves moments of uncertainty and confusion. Those moments can help a company and its employees learn to operate in different situations and environments.
Believe it or not, a degree of chaos can be effective. Companies that accept some confusion and loss of control often jump ahead in their industry. Providers such as Amazon Web Services and Microsoft, with Azure, have turned the cloud into a service for their customers, and each has seen its revenue grow as a result.
In the business world, it is important to be updated when it comes to technology but even more important to be aware of management tactics. In this case, the cloud is both an advancement of technology and a useful management tactic. In order for a company to truly succeed, it needs to have a culture that thrives on new ideas and new technology. Organizations that stick to old, outdated ways often become overwhelmed when trying to gain control in the fast-adapting technological environment.
Technology clears the path for employees and companies to become part of an innovative business landscape. There are always risks with new technology, but taking the chance to learn the new developments can help a business take the lead in its field. The cloud gives a company the chance to use the extra space as an opportunity not only to help the business succeed but also to help its employees discover new learning and business techniques.
Cloud-based computing and storage is increasingly popular—to the extent that some companies are cutting hard drive space to encourage users to shift toward the cloud. And while the cloud is convenient, allowing your files to travel easily and across devices, that kind of convenience isn’t exactly what you want when it comes to protecting medical files. Is your cloud use secure enough to meet Health Insurance Portability and Accountability Act (HIPAA) standards? Here are some factors to consider.
A Quick Overview
There are a lot of cloud systems available these days, but the first thing to do when choosing one is compare baseline HIPAA compatibility. At the time of writing, Amazon S3, Dropbox and iCloud were not set up for HIPAA-regulated use out of the box, while most other major systems, including Box, Egnyte, Google Apps and CrashPlan Pro, could be used in a HIPAA-compliant way. Two caveats apply. No service is compliant by itself: compliance depends on the provider signing a Business Associate Agreement (BAA) and on how you configure and use the service. And the set of providers willing to sign a BAA changes over time, so confirm it with the vendor rather than relying on a list. Ruling out the outsiders narrows your choice of cloud systems and lets you focus on the details of the compliant plans.
EHR or HIPAA
In addition to cloud computing, many physicians are shifting to digital recordkeeping, using what are known as electronic health records (EHR) systems. These systems are great for centralizing patient data and encouraging collaboration across different medical practices that share the same EHR vendor. However, EHR requirements and HIPAA privacy standards aren’t exactly the same.
The first rule of managing EHR in accordance with HIPAA is never to trust an EHR vendor that tells you not to worry about its HIPAA compliance. Even if the vendor handles your specific records compliantly, other practices of external vendors may not be; for instance, their cloud storage security may be lacking. Additionally, although most EHR systems ship with the features needed for HIPAA compliance (audit logging, role-based access control, encryption of stored data, automatic session timeouts), you need to verify that they are actually turned on and properly configured. If the necessary safeguards are off, your patients’ data is at risk.
Don’t Play Hide and Seek
Rather than establishing thorough HIPAA compliant practices, some organizations still believe that “security through obscurity” is a valid approach that provides the necessary protection. Realistically, it is among the worst of all security practices. It focuses on hiding the existence of your network or systems (a non-broadcast wireless network, a service on an unusual port) while neglecting the controls that actually stop an attacker, such as patching, access control and antivirus software.
Such practices also tend to go hand in hand with other weak habits in the organization, such as indiscriminate file sharing between computers, some of them virus-infected. Simply hiding your network does not count as securing your files: a hidden wireless network still transmits, and a port scan finds a service no matter which port it listens on, so a skilled attacker reaches an “invisible” network with little extra effort.
BAAs Are Not Enough
Google has a strong reputation in the cloud computing world, including with health organizations that hold high security standards. As a result, medical practices using Google Apps often feel confident that their files are safe as long as they have signed a Business Associate Agreement (BAA).
A BAA governs how the provider handles your information inside its own environment, but it does nothing to protect patient files once they are transferred to other digital environments. For transfers, end-to-end encryption is the safest bet: encrypt the data before it leaves your control, with keys that you, not the provider, hold. Data protected this way stays protected even after it leaves the Google cloud.
Consider Adoption Side Effects
It’s great to choose a new HIPAA-compliant cloud system for your business, but in our pursuit of better data management systems, we often forget to consider the human elements of adopting new systems. Before choosing a new system, then, it’s important to ask whether your employees will be able to effectively use the new system, and whether there are other options they may find more convenient.
This is a common problem for companies choosing between Office 365 and Google Apps for their cloud computing. Both Microsoft and Google will sign BAAs covering their services, but the two platforms have different strengths, which is where use and convenience matter. If you work a lot with documents, you might think Office 365 is the way to go; most of us came of age writing everything in Word, so why not? The main reason not to, it seems, is that Google Docs’ collaboration features are helpful and the platform is more convenient. The reverse seems to hold for spreadsheets.
If you can’t get your team on board with a new computing system, no amount of security regulation in the world will help you. Be sure to tell your staff clearly which organizations you have BAAs with, the legal risks of using other systems, and their responsibility to patient privacy as health field employees.
Cloud adoption is trending—and it is an inevitable choice for any enterprise that wants to stay relevant in today’s interconnected world.
The security of storing and processing critical data outside of the enterprise’s control is a central factor to the analysis of cloud adoption.
So whether your organization employs a cloud-first strategy or is still sitting on the sidelines of the cloud game, there are three key steps to understanding what risks the cloud poses to your data.
- Assess your current cloud usage. What cloud services are your users already using to do their jobs? Security leaders should sponsor a project to inspect all outbound web traffic, using a web proxy server or cloud access security broker (CASB), to fully identify your enterprise’s app consumption. The next step is to separate enterprise-sanctioned apps from rogue shadow IT apps. The prevalence of shadow IT is either unknown or underestimated by the IT departments at most enterprises. The mounting risks from decentralized and uncontrolled cloud adoption across the gamut of enterprise applications have left CIOs wondering how to assess the extent of shadow IT services that migrated to the cloud without adequate controls or oversight from IT. While these shadow IT systems may have been a quick win for the business when implemented, their legacy is redundancy and an increased attack surface throughout the enterprise. As surveillance and data leakage concerns continue to haunt consumers and businesses alike, security due diligence of cloud solutions is paramount.
- Adjust your strategy to reduce cloud risk. There may be significant cost and efficiency gains from moving select services to the cloud, and risk reduction measures should be evaluated at the same time so that adoption scales securely. Consider a cloud identity management solution for single sign-on, which centralizes access control and makes multifactor authentication available to every connected app. Automated user provisioning and deprovisioning then injects security into your application portfolio: access is granted from one source of truth and removed when a user leaves, rather than lingering in each SaaS app. Another recommendation is to use a layer 7 next-generation firewall for web traffic classification and control. This visibility lets you block risky, nonbusiness apps, such as peer-to-peer sharing, or restrict quasi-business apps, such as file sharing services, to privileged users or groups with a demonstrated need.
- Plan your future cloud model. Whether your business users want to consume Software as a Service (SaaS) solutions or your IT infrastructure teams see value in Infrastructure as a Service (IaaS) offerings, there are many ways to mitigate your risks while satisfying both sides. Advanced security analytics, data context and application auditing made available by CASBs can enable deep integration into many foundational enterprise apps (Office 365, Google Apps, AWS, Azure). It is also imperative to formalize your application risk assessment when choosing between cloud-based SaaS and the increasingly available on-premise SaaS solutions for those critical services that your risk managers cannot bless to the cloud. Some niche cloud service providers (e.g., GitHub, JIRA) also offer on-premise options to customers, and new Docker container technologies (Replicated) now allow vendors to offer the same SaaS experience delivered on-premise, in an effort to keep a better handle on enterprise data and security. In the ultimate decision of cloud adoption, your future cloud model may well be sitting behind your own firewall.
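The first step above, inventorying cloud use from proxy logs and separating sanctioned apps from shadow IT, is the part that is easiest to automate. The Go program below is an added example for this page, not code from the author or from any CASB product. It parses a few constructed proxy log lines (the log format, the tiny application catalog and the sanctioned list are all hypothetical), maps each destination host to an application by walking up the domain name, and reports the unsanctioned apps ordered by data volume, which is the order in which they deserve review.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleProxyLog is constructed for this example (hypothetical format:
// timestamp, user, destination host, bytes, proxy action). It is not real
// traffic from any organization. The last line is deliberately malformed.
const sampleProxyLog = `
2016-04-12T09:01:03Z alice login.microsoftonline.com 1820 ALLOW
2016-04-12T09:01:09Z alice outlook.office365.com 9102 ALLOW
2016-04-12T09:02:44Z bob api.dropbox.com 4500 ALLOW
2016-04-12T09:03:10Z bob content.dropbox.com 88211 ALLOW
2016-04-12T09:05:51Z carol drive.google.com 7601 ALLOW
2016-04-12T09:06:02Z dave www.wetransfer.com 150231 ALLOW
2016-04-12T09:07:30Z erin github.com 2201 ALLOW
2016-04-12T09:08:12Z alice s3.amazonaws.com 55000 ALLOW
2016-04-12T09:09:00Z frank intranet.example.com 300 ALLOW
this line is malformed and must be skipped
`

// appCatalog maps a registrable domain to a cloud application. This is a
// hypothetical, deliberately tiny catalog; a CASB ships thousands of entries.
var appCatalog = map[string]string{
	"microsoftonline.com": "Office 365",
	"office365.com":       "Office 365",
	"dropbox.com":         "Dropbox",
	"google.com":          "Google Apps",
	"wetransfer.com":      "WeTransfer",
	"github.com":          "GitHub",
	"amazonaws.com":       "AWS",
}

// sanctioned lists the applications IT has approved (hypothetical). Any
// catalog app seen in the traffic that is not in this set is shadow IT.
var sanctioned = map[string]bool{"Office 365": true, "AWS": true}

// AppUsage aggregates what was observed for one application.
type AppUsage struct {
	App        string
	Sanctioned bool
	Users      []string
	Bytes      int
}

// AppForHost walks up the host name (a.b.example.com -> b.example.com ->
// example.com) until a catalog entry matches; "" means the host is unknown.
func AppForHost(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := 0; i < len(labels)-1; i++ {
		if app, ok := appCatalog[strings.Join(labels[i:], ".")]; ok {
			return app
		}
	}
	return ""
}

// Inventory parses proxy log lines and aggregates users and bytes per app.
// Malformed lines are skipped rather than aborting the whole run.
func Inventory(log string) map[string]*AppUsage {
	inv := map[string]*AppUsage{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue
		}
		n, err := strconv.Atoi(f[3])
		if err != nil {
			continue
		}
		app := AppForHost(f[2])
		if app == "" {
			continue
		}
		u, ok := inv[app]
		if !ok {
			u = &AppUsage{App: app, Sanctioned: sanctioned[app]}
			inv[app] = u
		}
		u.Bytes += n
		if !hasUser(u.Users, f[1]) {
			u.Users = append(u.Users, f[1])
		}
	}
	return inv
}

func hasUser(users []string, name string) bool {
	for _, u := range users {
		if u == name {
			return true
		}
	}
	return false
}

// ShadowIT returns the unsanctioned apps, largest data volume first, which is
// the order in which a security lead should review them.
func ShadowIT(inv map[string]*AppUsage) []*AppUsage {
	var out []*AppUsage
	for _, u := range inv {
		if !u.Sanctioned {
			out = append(out, u)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Bytes > out[j].Bytes })
	return out
}

func main() {
	for _, u := range ShadowIT(Inventory(sampleProxyLog)) {
		fmt.Printf("%-12s users=%v bytes=%d\n", u.App, u.Users, u.Bytes)
	}
}
```

A real deployment replaces the catalog with the proxy or CASB vendor’s application database and feeds the program a day of logs; the aggregation and the ordering stay the same. Hosts that match no catalog entry are ignored here, but in practice the unknown hosts with the largest volumes are worth a look of their own, since a brand-new SaaS app is by definition not in anyone’s catalog yet.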
Gary Miller, CISSP, CISA, CIA, CRMA, CCSA, ITILv3
Senior Director of Information Security at TaskUs
Note: Gary Miller will present on shadow IT risk and cloud governance at ISACA’s 2016 North America CACS conference in New Orleans, 2-4 May 2016.
Cloud computing has the ability to offer organizations long-term IT savings, reductions in infrastructural costs and pay-for-service models. By moving IT services to the cloud, organizations are more geographically distributed than ever before and the pace of business gets faster every day. Online collaboration has become a business necessity—there is no other way for distributed teams to work as quickly and efficiently as business demands. With virtual, paperless environments becoming more common, simply locking the doors at night no longer protects merchants, banks, customers or the business they conduct.
This means that exploitation shifts from internal systems to web-facing applications. Today’s business needs demand that applications and data move not only across physical and international borders, but also into the cloud, where they are accessible to third parties. This loss of control is significant for security teams that must not only keep data safe but also comply with the necessary security standards, including the Payment Card Industry Data Security Standard (PCI DSS). Organizations that handle card payments should recognize that the most effective way to protect customer data is to protect the whole path, from the point of purchase to the application servers in their networks.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices and applications.
Five compliance challenges organizations may encounter are:
- The cloud is relatively new technology and may be misunderstood.
- Clients may have limited visibility into the service provider’s infrastructure and the related security controls.
- It can be challenging to verify who has access to cardholder data processed, transmitted or stored in the cloud environment.
- Public cloud environments are usually designed to allow access from anywhere on the Internet.
- Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.
Meeting the Compliance Requirements
Shared hosting providers must protect each customer’s hosted environment and cardholder data. From 30 June 2015, these providers must meet specific, additional requirements set out in Appendix A of PCI DSS version 3. Below are a few highlights:
- PCI DSS requires that hosting providers ensure that each customer only runs processes that have access to that entity’s cardholder data environment.
- Access and privileges must be restricted to each customer’s own cardholder data environment.
- If a customer (merchant or service provider) is allowed to run its own applications on a shared server, it should run with the user ID of the customer, rather than as a privileged user.
- Logging and audit trails must also be enabled, unique to each entity’s cardholder data environment and consistent with PCI DSS requirements.
- Logs should be available to each customer, specific to their cardholder data environment.
- Processes must also be available to provide timely forensic investigation in the event of any compromise of cardholder data or systems.
- Even though a hosting provider meets PCI DSS requirements, the compliance of the customer using the service is not guaranteed.
- Each entity will need to comply with PCI DSS and validate its own compliance as applicable.
PCI DSS compliance is mandatory for banks, merchants and providers that process, transmit or store cardholder data. The risk of noncompliance is substantial, including fines, potential security breaches and loss of business.
Any enterprise that falls within the scope of the standard must implement it and seek compliance. Merchants that fail to comply may be charged higher fees as a penalty for noncompliance. There are also fines for storing sensitive authentication data (full track data, card verification codes and PINs) after authorization, which the standard does not allow. Penalties for data breaches at noncompliant companies can be severe, including large fines and the threat of future exclusion from the payment card network.
Adesanya Ahmed, CRISC, CGEIT, ACPA, ACMA
IT Security and Connectivity Consultant, Petrovice Resources International Ltd.
Cloud service providers may have resilient data centers, but they cannot make themselves completely immune from catastrophic events, disasters, acts of terrorism or sabotage. Many emerging technologies help secure high levels of availability, and there is a danger that some will assume the need to plan for disaster scenarios has gone away. Unless critical IT is proven to be “bullet proof” under all scenarios, and proven by conducting regular rehearsals rather than by assertion, that assumption is unwise and potentially business-threatening. Equally unwise is the emerging tendency for enterprises to assume that their current disaster recovery obligations and service continuity needs are in scope of the cloud service on offer.
Enterprises considering cloud consumption models need to be careful not to inadvertently weaken years of good business continuity and disaster recovery practice. As the drive toward cloud consumption for critical business applications accelerates, CIOs and business continuity managers need to check whether dual remote site recovery or failover from a full disaster scenario is covered within the contractual arrangements on offer, and that they are not merely signing up to an availability commitment that assumes non-disaster conditions without realizing it.
They also need to establish if disaster scenario drills or rehearsals (arranged on a short notice of a couple days, not weeks or months) are included in the quoted price, offered at additional cost or maybe not available at all.
Apply these “acid tests”: make sure your short list of cloud suppliers can provide evidence of:
- Managed, full remote site fail over due to a catastrophic event
- SLAs/OLAs stating recovery point (data loss exposure) and recovery time commitments
- IT service continuity management procedures for your cloud environment
- Managed fail back to normal operations when the crisis is over
- Non-obtrusive rehearsal capability based on complete site destruction
The good news for many, however, is that new cloud-based disaster recovery services provide improved data protection and recovery performance for both the cloud-consuming enterprise and non-cloud IT department, which may still be reliant on restoring data onto its own standby platform or supplied by its traditional disaster-recovery company.
Business Development, HP Enterprise Services UK
As more organizations move their data to cloud-based platforms, best practices for protecting sensitive assets continuously evolve. One of the biggest stumbling blocks IT professionals face with cloud security is purely conceptual—fail to understand the cloud and you will fail to understand the threats your assets face.
Let’s explore four ideas about the cloud that have clear security implications, both good and bad…
Emulate the biggest cloud user
The single biggest user of cloud storage—and thus the biggest stakeholder in keeping it secure—is the US federal government. More than 50% of government organizations now store their data and applications on a cloud-based platform and almost US $2 billion is spent each year keeping these cloud services functional and secure.
So what does this mean for you? It means that, of all places, the US government may be one of the most worthwhile organizations to emulate when it comes to best practices for data security in the cloud. In fact, the White House’s cloud-computing strategy provides an excellent template for safely migrating sensitive data.
20% of data center devices are obsolete
Growing demand for cloud services has led to a virtual epidemic of providers upgrading their infrastructure in a haphazard, inefficient manner. In fact, data from the Uptime Institute indicates that one-fifth of all cloud servers are “obsolete, outdated or unused.” This widespread inefficiency represents a serious hidden security risk: many cloud users have had their sensitive data unknowingly exposed through systems that are improperly monitored, security resources that are stretched too thin, or improper disposal of old drives, servers and other hardware.
In this case, being vigilant about whom you work with is the best way to stay safe. An SSAE 16 (SOC) report or ISO 27001 certification usually indicates that a data center is prepared to meet the challenges associated with growth, but read the scope. An attestation covers only the controls and systems it names, and a SOC 1 report in particular speaks to controls over financial reporting rather than to security, so where data protection is the concern ask for a SOC 2 report or the ISO 27001 Statement of Applicability.
Data encryption does not equal privacy
Data encryption is a major selling point of many cloud services, and most of us have been brought up to believe that encrypted data is inherently safe. That changes in the cloud. If your encryption keys are held by your provider, are your assets really secure? Whoever holds the key can read the data, whether that is a malicious insider or a government operative working under the auspices of the US PATRIOT Act, so provider-held keys are surprisingly accessible to third parties.
Instead, practice client-side encryption of sensitive data: encrypt it, with keys that only you hold, before sending it to the cloud, so that it cannot be read by an outsider even if the provider’s copy is exposed.
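The point made here, and in the HIPAA discussion above about end-to-end encryption of files that leave the Google cloud, is the same: if the provider never holds the key, the provider cannot be compelled or tricked into handing over plaintext. The Go program below is an added example, not code from either author. It encrypts a constructed record with AES-256-GCM under a key generated locally, binds the object name into the authenticated data so a blob cannot be swapped between objects, and shows that the blob the provider stores leaks nothing and that a tampered blob is rejected. Key storage and rotation are out of scope and assumed to be handled by a local key manager; the object name and record contents are made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit AES key. In production it lives in a local
// key manager or HSM under the data owner's control, never in the same cloud
// account as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces the blob that is actually uploaded: nonce || ciphertext || tag.
// objectName is bound in as associated data, so a blob copied to a different
// object name (or swapped between two patients' records) fails to decrypt.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to its first argument, so the result starts with the nonce.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. Any modification of the blob, a wrong key or a wrong
// object name is rejected by the GCM tag before a byte of plaintext is returned.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a valid envelope")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// LeaksPlaintext is the check a reviewer would run against the provider-side
// object: does the stored blob contain the record as written? It never should.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("patient=0001 visit=2016-04-12 bp=120/80 note=constructed sample")
	blob, err := Seal(key, record, "records/0001.txt")
	if err != nil {
		panic(err)
	}
	fmt.Println("uploaded blob contains plaintext:", LeaksPlaintext(blob, record))
	pt, err := Open(key, blob, "records/0001.txt")
	fmt.Println("owner decrypts:", err == nil && bytes.Equal(pt, record))
	blob[len(blob)-1] ^= 0x01 // simulate a tampered object in the provider's store
	_, err = Open(key, blob, "records/0001.txt")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design choice worth noting is the associated data. Encrypting alone stops the provider reading the record; authenticating the object name as well stops anyone with write access to the bucket from silently substituting one patient’s encrypted record for another’s, which is a failure HIPAA audits care about just as much as disclosure.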
The biggest threats may be from within
According to research conducted in February 2012 by IBM and the Ponemon Institute, the single biggest threat to sensitive data is user error. More than viruses, data breaches or insecure application programming interfaces, your own employees pose the biggest threat to the security of your cloud-stored data. Simple mistakes like improper password storage or forgetting to log off a shared workstation jeopardize countless assets every day.
For many organizations, the best investment that can be made in cloud-data security is training. Team members who have to access important data need to know proper safety techniques and these techniques should be implemented and enforced on a day-to-day basis.
Director of Technical Account Management—BlackStratus
Continue the conversation in the Cloud Computing community within ISACA’s Knowledge Center.
Some years ago, applications were mostly run on owned servers. Applications today are outsourced to large cloud service providers and run in a few large data centres. Public data on the uptake of cloud computing shows that in a couple of years, around 80% of organisations will be dependent on cloud computing.
The EU’s Vice President Neelie Kroes, who frequently highlights the potential benefits of cloud computing, said “Cloud computing will change our economy. It can bring significant productivity benefits to all, right through to the smallest companies, and also to individuals. It promises scalable, secure services for greater efficiency, greater flexibility, and lower cost.”
Of course, not all cloud services are fine. Adopting cloud computing is not without risks.
ENISA’s past publications on cloud security provide guidance on how to procure cloud services securely. For SMEs, for example, the key risk lies in outsourcing services, which increases the chance of a lack of governance and control. For public authorities, the main risk lies in loss of governance. In both cases, the mitigation was found to be proper and clear agreements (contracts, SLAs) about security, liability and so on.
Public bodies are key players in cloud computing in Europe, as its uptake can:
- Improve scalability, elasticity, high performance, resilience and security, together with cost efficiency.
- Enable and simplify citizen interaction with governments by reducing information-processing time, lowering the cost of government services and enhancing citizen data security. Governmental clouds offer public bodies (including ministries, governmental agencies and public administrations) the potential to manage security and resilience in traditional ICT environments and to strengthen their national cloud strategy.
ENISA conducted a study focusing on the implementation of cloud technologies in the public sector in 23 EU and non-EU countries. This research showed that issues still need to be addressed before all public authorities may safely adopt cloud solutions.
Security and privacy in the cloud appeared to be the most important barriers restraining governmental authorities from “going cloud.” The risks identified in the ENISA 2009 risk assessment still exist and weigh on the situation in Europe, for example the risk of “loss of control/governance” or the “locality of data.”
Many solutions exist, but they need to be taken into account at a national or even pan-European level. According to our study recommendations, a number of solutions would provide already significant mitigation to the current risks: the development of national cloud strategies to foster the adoption of governmental clouds; the development of a common framework for SLAs focused on governmental clouds; the buildup of a certification framework for cloud providers; the adoption of measures to ensure security across both private and public deployment models.
To improve the adoption of cloud computing in Europe, last year the European Commission published a cloud strategy that intends to promote the rapid adoption of cloud computing in Europe to “boost productivity.” ENISA’s focus on these new technologies--and the new risks that emerged from their adoption--should not, however, drive us away from managing the standard risks associated with IT operations and governance.
We look forward to working with industry and government experts to help customers mitigate risk and leverage the security opportunities of cloud computing.
Security and Resilience of Communication Networks Officer, ENISA
On 11 October 2012, ISACA hosts a free webinar titled Cloud Market Maturity–Where Are We and What Does It Mean to Cloud Users? Below is a Q&A with webinar co-presenter Bhavesh Bhagat, president & CEO of EnCrisp LLC, which features some of the topics explored.
ISACA: Where are we in terms of cloud market maturity?
Bhavesh: I would say we are in early stages of “skeptical adoption and education.” Amongst the B2B and B2C spaces, we are in a stage of “ignorant euphoria.” The reason I use these two buckets is because both waves of cloud adoption fuel each other and both are, in a sense, interdependent. B2C has been leading cloud adoption, but those consumers have blissfully ignored and—in many cases—not cared seriously about the governance, privacy and security concerns in a tradeoff for convenience. We all love using our “i-devices and A-devices.” More needs to be done to educate even B2C cloud users. B2B adoption has been more cautious—as it should be. The maturity curve is in its infancy, but the unmistakable trend is to increase usage. Look at any major analytics firm’s numbers for cloud usage and it shows explosive growth in the next decade. This trend will be here to stay and will be validated despite the concerns of security and privacy, as these will be worked out and global standards will be established in a structured fashion in coming years. Both ISACA and the Cloud Security Alliance are doing an exemplary job in this regard, and the Cloud Market Maturity Study is a great example.
ISACA: What is the greatest change regarding cloud usage that we’ll see in the near future?
Bhavesh: Disruption and democratization of data. As cloud computing, in spite of all its challenges, permeates the B2B world, we will see a tremendous amount of disruptive innovation where old models of business are no longer applicable and new ways of thinking about processes will be forced upon the leaders at public/private enterprises. This disruptive innovation is a good thing—we have all benefited tremendously from iPhone, iPad and other tablet and smartphone hardware fueled by cloud software (on the back end) in the B2C space. With the ongoing evolution of the new generational shift in the workforce, the B2C innovations disrupting our consumption of technology will force B2B cloud adoption and process changes. This is not an “if” but a “when” scenario. In terms of data, we see that it will tremendously democratize technology and its usage. The Big Data wave is fueled by cloud on its back end. There are very real usages of Big Data driven by cloud: Who will click the most on your link for sales and marketing? What will we see in the next decade in cloud technology as businesses and consumers drive new data-driven transparency and democratization of processes in public and private spheres in health care and even corporate governance?
ISACA: Will adoption of the cloud continue at its current rate?
Bhavesh: I recently attended a cloud event hosted by a major vendor, and they claimed to have more than 80,000 global registered users. They billed it as the largest global tech event. By that example alone, I would say cloud adoption is here to stay and increase manifold. Cloud is a new way of consuming technology fueled not just by financial efficiencies but also by new realities of the world. It’s almost like global trade—countries in supply chains becoming so intertwined with one another that some major hiccup in one part of the world can now affect everyone else in real time. That’s perhaps a bad thing, but can you imagine, for example, the United States not doing business with other countries in coming years in spite of all financial and regulatory challenges? If anything, we are more interdependent than ever.
Cloud technology adoption and evolution fuels this transformation of our societies and our global trade, and the response is for the technology to evolve with this trend. I foresee cloud adoption increasing, but the rate will be variable based on the types of enterprises and industries. In the end, it’s kind of like online banking—many folks might still prefer meeting their regular clerk at their local bank, but a large majority of people in many countries are comfortable with financial transactions on the web, through some data pipe that they don’t see or hear or feel or audit. It will take less than a decade for this transformation with the cloud, I predict. This certainly poses challenges to us in the security, risk and governance professions, but that should be an impetus for more innovative thinking to provide solutions to our businesses, rather than to simply ignore the trend and not evolve pragmatically with it. Make no mistake, challenges are huge. How do we control data flow in a completely transparent manner? Who owns data? How do we audit this at every level in its lifecycle?
Our work is cut out for us…all aboard and all hands on deck!
ISACA members receive CPE for attending this free event.
We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post. To view all blog posts, please click on the ISACA Now link in the blue box on the left.
Cloud continues to dominate headlines, with new reports appearing almost every week.
On 11 September, IDC published its “Worldwide and Regional Public IT Cloud Services 2012-2016 Forecast”. IDC expects global public IT cloud services spending in 2012 to exceed US $40 billion, with public IT cloud services forecast to grow at a compound annual growth rate (CAGR) of 26.4 percent over 2012-2016, five times that of the IT industry overall.
On 18 September, Gartner published its “Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 2Q12 Update”. According to this report, the public cloud services market is expected to grow 19.6 percent in 2012 to total US $109 billion globally, and to reach US $206.6 billion in 2016.
And this week comes a new study from the Cloud Security Alliance and ISACA. This Cloud Computing Market Maturity Study provides an initial picture of the maturity of the cloud market: what cloud service providers offer, and how organizations use and gain value from cloud. The topic will be revisited in periodic project updates to document the evolution of cloud maturity.
According to this global study, the main issues to be solved are not technological challenges, but business-related issues. These include provider longevity, an understanding of data ownership and custodian responsibilities, legal issues, contract lock-in, and exit strategies. Respondents also say they are concerned that government regulations are not keeping pace with market changes.
The study reveals that the value of cloud is understood by the chief information officer (CIO) and technology management, and that cloud risk is addressed as technology risk, rather than as a business unit or enterprise issue. Furthermore, respondents report that board and executive management do not have a realistic understanding of cloud computing benefits or risk.
For cloud to provide enterprise-changing capabilities and the benefits that vendors have promised, it needs to transition from a technology solution to a business resource, which entails understanding what cloud is and what it promises, incorporating business and technical requirements into contracts, monitoring performance against requirements, and appreciating cloud-related risk within the wider context of the business and enterprise risk management.
Moving cloud from a technical innovation to a business enabler requires the attention of business unit and executive management. Cloud must become an agenda item within the governance and management structure of enterprises that wish to extract its value.
To facilitate this movement, ISACA has published a Cloud Computing Vision Series, which includes the following resources:
- Security Considerations for Cloud Computing (available as a free download to ISACA members) gives IT and business professionals practical guidance for deciding whether to move to the cloud.
- “Calculating Cloud ROI: From the Customer Perspective” (available as a free download to all) describes an approach to ROI that brings together an understanding of requirements, organization maturity, control considerations, and regulatory requirements to quantify benefits and costs associated with cloud computing.
- “Guiding Principles for Cloud Computing Adoption and Use” (available as a free download to all) identifies pressure points on enterprises when the structure, culture, policies and practices, and enterprise architecture have not evolved to address the changes inherent in the cloud computing shift. Its six principles for cloud computing adoption and use can guide management toward more effective cloud implementation and use, reducing the impact of pressure points, mitigating potential risk, and creating a more successful cloud implementation.
How is cloud treated at your enterprise—as a technological issue or a business one? If the former, how are you helping your enterprise shift their perspective?
Yves Le Roux, CISM, CISSP
Technology Strategist, CA Technologies, France
Member, ISACA’s Guidance and Practices Committee