2010 saw the introduction of several new US state and federal privacy regulations, each with specific penalties and reporting requirements. Also in 2010, the Identity Theft Resource Center identified 662 reported data breaches, up 33 percent from 2009 and encompassing more than 16 million records. In nearly any environment, from personal to corporate to government, data are the key assets. Keeping those data accurate, private and secure has received a sharpened focus. Getting control over data has been a daunting challenge under conventional computing models, and cloud computing makes the job even more difficult.
Lowered costs, maximum flexibility and “on-demand” capacity responses are the promises of cloud computing. While those elements are compelling, cloud computing changes many basic assumptions about managing and governing an IT environment. Consequently, many of our management, risk, assurance and governance process assumptions must be revisited. That is especially true with respect to data.
In a pure cloud-computing environment, every part of the computing model may exist in multiple places and those places may change dynamically. Add the global reach of large-scale cloud computing providers, and the question of “where and when” data are located may take more than a moment to answer. The absence of an explicit assumption about “place persistence” changes nearly everything about assurance, controls, risk and oversight.
A recent ISACA survey indicated that 45 percent of US IT professionals thought the increased risks of cloud computing outweighed the business benefits. That number raises the question of what exposures are being created by the 55 percent who believe the benefits outweigh the risks (and who may or may not have done a risk assessment).
Larger organizations with effective IT governance processes would assess the risks of cloud computing and proceed accordingly. We know from experience that IT governance structures and formal IT risk assessment processes are far from pervasive. More concerning are managers who commit the organization’s data to cloud computing without considering the risks and consequences.
Fortunately, we are beginning to see a broader risk focus on cloud computing. Products and processes are being introduced that focus on data management, compliance and assurance. We are, however, a long way from having a comprehensive set of management tools and techniques to manage our data in the cloud. So, do you really know where your data are?
W. Austin Hutton, CISA, CISM, CGEIT