The past few years have changed how organizations perceive—and how they use—cloud technologies. If that sounds fairly obvious to you, it should. After all, the cloud has evolved significantly over the past few years. In addition to large-scale use of Infrastructure as a Service and the continued expansion of virtualization technologies, we are also starting to see new models emerge. Platform as a Service for example, while still comparatively less used (relative to other cloud models), has seen new service types emerge (e.g., “serverless”), while Software as a Service has continued to proliferate.
A few years ago, ISACA published a detailed model for practitioners on how to calculate return on investments (ROI) for cloud deployments. As we all know, historically, much of cloud adoption has been financially driven, meaning executives see the cloud as a way to reduce costs, to leverage economies of scale and to allow them to focus resources (and time) on their core competencies rather than the workaday mechanics of supporting technology infrastructure, running a datacenter or otherwise maintaining the substrate upon which their business applications run. The cloud provides a vehicle they can leverage to do that.
From this point of view, the economics are very important. They are important because, from a governance point of view, we need to be able to systematically measure financial outcomes to make sure we are getting what we expect for our investment. From an audit and security standpoint, they are important because additional things we might do to ensure assurance outcomes (such as audit and assess cloud providers) or to ensure security outcomes (such as implement specific controls based on how we employ those services) impact the financial profile, and, by extension, make it potentially more difficult to both ensure those outcomes while maintaining the anticipated economic return.
The value proposition for cloud might be changing though, as supported in recent research ISACA conducted on the topic of cloud ROI. The fact that it is changing points potentially to 2 things. First, it potentially changes how we as risk, security and assurance professionals evaluate cloud deployments. Second, from a governance standpoint, it informs how we measure cloud deployments and ensure continuous improvement in our organizations overall.
What Has Changed?
In 2017, ISACA surveyed a population of just over 100 senior technology leaders (i.e., those with chief information officer-level responsibility) to ask them about the practices they follow in calculating cloud ROI. The results are surprising. Specifically, it appears that technology leaders are becoming less reliant on financial justifications to support cloud usage relative to what they have looked at in the past, meaning the financial outcomes are still clearly important, but the data suggest that there might be a more nuanced story in play.
Compare, for example, this survey with one conducted by Information Week in 2014. While most organizations do still evaluate ROI from a financial point of view as part of their deployment, fewer are doing so. There are a few reasons why this might be the case, but another data point in the survey helps support the conclusion that a solid financial justification might be less necessary than in the past. Specifically, the survey also found that most of those that do not explicitly calculate ROI are building business cases that are based on other, nonfinancial reasons. These might not have easy-to-calculate financial impacts; for example, what is the financial impact of something like increased business agility or better mobile device support? There almost assuredly is one, but explicitly calculating what it might be in hard numbers is a fairly difficult task.
If this is true, it means that cloud usage is compelling for reasons over and above the raw financials. To the extent that there is also cost offset or other compelling financial outcomes, so much the better. But even without those financial outcomes, it seems as though organizations want to use the cloud anyway. While it is possible that something else is at work that is harder to see driving these results, the Occam’s razor interpretation is that nonfinancial value is being realized.
The next logical question is what that means from a practitioner point of view. If, in fact, the model is changing, as it looks like it is, what does that mean for those in the practitioner space?
There are 2 implications of this, as alluded to earlier. The first is that governance models that include the cloud need to specifically incorporate and account for these factors in addition to the financial picture that is (ideally) already evaluated. We need to have a way to evaluate performance relative to these other gains to ensure that we are building continuous improvement and that we are using resources optimally for the betterment of stakeholders.
The second implication is an optimistic one for security and audit practitioners. Given that other business reasons may be driving cloud adoption, it appears that budgetary and resource challenges that we have had to face in the past have been reduced. Consider the situation, for example, where an organization seeks to adopt cloud for cost-control reasons. Should a security or assurance requirement increase the costs (and let us be honest, they sometimes do), discussions about putting that requirement in place do not compromise the business case for making the transition in the first place, meaning there is potentially less pressure to put those controls in place.
Ed Moyle is director of thought leadership and research at ISACA. Prior to joining ISACA, Moyle was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his nearly 20 years in information security, he has held numerous positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers and senior security analyst with Trintech. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.
Eduardo Gelbstein and Viktor Polic
For a long time, organizations and individuals have relied on third-party services relating to data, information systems, and infrastructure, and many lessons have been learned in the process.
Cloud computing has established itself as a potentially valuable addition to the portfolio of third-party services. But cloud computing can introduce several issues for data owners, particularly when the data is considered sensitive in terms of confidentiality, access rights and privileges.
While the benefits of cloud computing are easy to understand (e.g., lower cost, flexibility, transfer of accountabilities for operational activities), it is prudent to remember the old adage, “If it looks too good to be true, it probably is,” and devote time to a detailed assessment of the issues described in our recent Journal
Cloud-related issues raised in conference discussions and various publications focus on concerns such as:
- Data ownership and what the service provider is or is not allowed to do with this data
- The use of encryption and management of the encryption keys and digital certificates
- Identity and access management
- Compliance with data protection legislation, particularly about the location of the data
- Compliance with privacy protection legislation
- Terms of contract, including the right to audit the service provider
- Confidentiality and nondisclosures by the service provider
- Access rights to data for the personnel of the service provider and of its suppliers or subcontracted service providers
- Guarantees that in the case of termination of a contract there will be no copies of data left with the service provider
Other issues that could affect cloud computing are:
- The impact on the data owners if the service provider goes out of business or is the target for an acquisition by a third party
- The feasibility of terminating a contract and migrating the data (and related services) to another service provider
The real issue may be one of timing—the cloud is likely to be part of the service portfolio offered by third parties for many years to come. Optimists and risk takers will no doubt gain the benefits of cloud computing sooner and gain valuable experience in doing so. Those whose risk appetite is limited and deal with custom, critical applications may choose to wait until the issues discussed in our Journal article have been addressed and resolved appropriately.
Biswajit Mohapatra, Vinay Parisa and Joydipto Banerjee
In our recent Journal article, we talk about how enterprises are adopting technologies like cloud, analytics, social and mobile tools to drive a strategic advantage. Emerging businesses that are born on the cloud have these technologies as part of their DNA and are at an advantage, as they can focus on a small number of core competencies that are integral to their business, unlike established enterprises that were formed using a strategic but different business model from the internet era. We are at the cusp of a smarter era where systems and applications are designed to interact with each other and generate a lot of data. Businesses are starting to depend on sophisticated analytics to distill insights and context from this increasing volume of digital information. These insights are changing the way enterprises do business with their customers. By 2020, it is expected that there will be more than 200 billion connected devices, and machine-generated data will be 42 percent of all data.
In the infrastructure world, as cloud computing evolved, it became increasingly evident that there was still room for traditional applications and hardware. A new deployment model, the hybrid cloud, started to emerge, and with it the automation that was built for the cloud started to find use in traditional datacenters. By abstracting the infrastructure, cloud automation makes it possible to scale resources between public and private clouds to fit unique requirements. Cloud automation software also includes monitoring and predictive analytics solutions, which analyze the data generated by the infrastructure in order to allocate appropriate resources to applications, thereby bringing a greater level of optimization.
Gartner predicts that by 2016, 25 percent of external application implementation will be on mobility, cloud, analytics and social computing services and more than 50 percent of application modernization efforts will address business demand for enhanced functionality to legacy systems and not cost reduction. Enterprises lacking a modernization strategy are going to lose a lot of ground and will face an uphill task of playing catch-up. For an enterprise to be successful across technological eras, it must continuously reinvent itself and embrace innovation and be early adopters. These new technologies enable rapid change, growth and innovation in business. A modernization strategy is essential for an organization, and big data will be the key to hidden opportunities.
By Tim Myers
Many companies rely on threadbare IT resources or external advisors to guide them in making technology decisions and are understandably wary when considering new options, especially the multitude of software as a service (SaaS) features now available to them in the cloud.
Companies that are considering cloud-based services for the first time or that have made only marginal forays into the use of public or private data centers should walk before they run. As any battle-scarred veteran of the business world knows, new programs or projects stand a much better chance of success—and widespread acceptance—if they are approached in a methodical manner.
Rather than flying into the cloud headfirst, the prudent choice may be to take a more modular approach. With advice from IT leaders and any outside experts, companies can test out the cloud by piloting it first with 1 cloud-ready enterprise function, like accounting, email services or data backup. This way, organizations will quickly learn what works, what needs tweaking and whether or not the cloud is proving to be beneficial from a return on investment perspective.
Importantly, while assessing this initial foray into the cloud, the rest of the business will run as usual. Thus, any problems or delays can be ironed out without disrupting the rest of the enterprise.
If the cloud is living up to its billing, organizations should be ready to add on additional cloud-ready functions and applications and enjoy further cost, productivity and security benefits. And given that 87 percent of cloud users surveyed recently would recommend the cloud to a peer or colleague, the likelihood of satisfaction is high.
Although the cloud is much buzzed about in the tech world, it is still new enough to be feared by many, especially by those who do not fully understand it. Most people see its benefits in flexibility, speed and cost savings. By automating processes from the cloud, organizations can achieve the benefits of automation faster and more economically than ever before.
Over the years, I have had first-hand experience with organizations that have been reluctant to automate their business and IT processes. It is not because they were afraid of automation, but because they were concerned about how they would implement it. A survey commissioned by Redwood Software in 2012 found that even though 87 percent of representatives from top global enterprises believe that automation is key for productivity, 99 percent still spent a lot of time doing repetitive manual tasks, with almost two-thirds (63 percent) of companies spending more than a quarter of their time on manual tasks. Each of these manual tasks costs the organization money every day.
In fact, implementing automation from the cloud eliminates many perceived barriers to automation. Any decision required to kick off a process improvement initiative with automation from the cloud does not require buying additional infrastructure or hardware. Automation from the cloud makes it much more feasible. Rather than just accessing applications, infrastructure or data, business and IT professionals can now build in automation that is easy to implement, change and expand. Perhaps surprisingly, the cloud can also offer more security than on-premises solutions. Because process automation touches so many activities across so many systems, shifting these to the cloud can avoid systemwide slowdowns and keep everything running smoothly. Think of how many times you have heard complaints that something critical to operations is running slow because of, for example, a system copy in progress. Now imagine that never happening again for you or anyone else across your entire organization. It is possible.
From the automobile to Google Glass, every bit of innovative technology is initially met with fear and skepticism. When innovation can affect an entire company’s overall performance, it is no wonder that it is approached with some trepidation. However, being a late adopter of advantageous approaches, such as automation from the cloud, can cost companies real money. As early adopters begin to share their success stories with those who are more hesitant, do not be surprised if cloud-based automation is the norm everywhere very soon.
Shah H. Sheikh, CISA, CISM, CRISC, CISSP, CCSK
There has been a great deal of focus and attention on cloud services and the benefit they bring—financially and operationally—to organizations. Little is done to understand the exact security implications that are likely to be faced when discussing security in the cloud. When this particular topic comes into question, a plethora of subject areas related to security come into play, such as data security (residency, custodianship, destruction, transference), legal liability for data that cross borders (transborder data flow), disaster recovery, service level agreements, right-to-audit clauses, cloud service risk management, service monitoring, security auditing, and logging in the cloud. The list goes on.
When an organization is looking to outsource elements of IT services into the cloud through the platform, software or infrastructure (PSI) as a service model, it is important to establish a cloud security charter outlining the security requirements from a high-level perspective that are aligned with the organization’s information security policies. The charter itself is driven either technically or through management but ultimately must have the blessing of the board. In its simplest form, the charter identifies what is required from an information security perspective to rubberstamp and approve transitioning services into the cloud. The establishment of the charter is intended to align the organizationwide strategy for cloud adoption and signifies the role information security plays in that strategy and the overall governance.
Following good practices in the industry and implementing standards developed by international organizations provide a solid framework for the life cycle of managing security within the cloud. The issue of cloud security cannot be avoided, and the answer is certainly not product- or solution-based. The traditional security professional mind-set must change, new security techniques need to be adopted, and a framework that addresses and manages security risk in the cloud throughout its life cycle needs to be built into the overall cloud transition process from the onset.
Dan Bogdanov, Ph.D. and Aivo Kalu, Ph.D., CISA
Imagine a skilled artisan who can craft items out of clay. She uses practiced steps to turn the raw material into a useful object, and she is so experienced that she can work blindly without seeing the item in progress.
Now imagine a computer that can process your data blindly without seeing them. Such a machine would change computing as we know it. If we could use these computers to provide services on the Internet, the data owners could use the services without fear of their data leaking to third parties. The processing of private data could safely be outsourced to computing resources rented from a cloud service provider.
All this has been hard to do until now, as the data owners have not had enough control over their data once they upload the data to an online computer. Now, new developments in the field of computer security have taken us one step closer to a computer that can work on your data without seeing the values.
In our recent ISACA Journal article, we introduce a novel way for building online services with unparalleled privacy guarantees. The approach is based on secret sharing and secure multiparty computation—two cryptographic techniques that protect information from the computer host during both storage and processing. This is a major step forward from standard encryption that only provides protection during storage and forces us to decrypt data to process them.
explains the technology and presents case study examples of its use to protect confidential financial information.
We believe that secure multiparty computation technology has great potential as it solves a range of data confidentiality problems. For example, according to a recent report by Discovery News, the new technology was used to determine whether two satellites would collide without forcing the satellite owners to disclose their exact trajectories.
In what ways would you use this new technology? Read the article and let us know what you think in the comments!
Larry G. Wlosinski, CISA, CISM, CRISC, CAP, CDP, CISSP, ITIL
When IT security started becoming important to the protection of computer systems on the network, a fellow security colleague asked me a question that is even more relevant today. My colleague was an information system security officer (ISSO) who was having trouble convincing a user that annual IT security training was important and was required. The user had asked him, “Who is responsible for IT security?”
When the ISSO asked me the question, I responded “Is this a trick question? Everyone is responsible for security.” I believe this is even more the case today.
Over the past 15 years, I have seen IT security evolve from background checks and physical security concerns to defending the network against malicious software (e.g., viruses, worms, botnets, Trojan horses, phishing attacks) initiated by mischievous and criminal minds, to defending against threats from established criminal organizations, terrorists and identity thieves. In today’s world, the skill set requirements have increased considerably and they continue to do so. IT security must defend the financial industry from ruin, prevent the loss of corporate secrets and safeguard the information of everyone in the organization (and with whomever they conduct business).
The threats have moved from direct terminal entry into the system (or network) to wireless devices of all sorts. You can see that almost all of the people around you have one or more wireless devices, such as a cell phone, laptop, digital notepad and iPod. As with all new devices, the inventors add new features and capabilities for public use, and it is up to those in IT security to protect the confidential, sensitive, personal and mission-critical data within the organization.
Where it was once simply a matter of implementing defensive host and network software, the required security skills have evolved—they have become specialized because of the numerous types of attack vectors and the high number of criminal entities. Today, there are IT security specialists in system security assessment (and audit), security architecture, risk and compliance management, network and operations security, application security, incident response, computer forensics, penetration testing, malware analysis, contingency planning, and identity management.
Information security has become so complex and important to everyone that it has evolved into a service. In my recent Journal article, I provide some insight into the shift in security responsibilities for organizations that have moved their data, and in some cases their systems, to the cloud. For those organizations that think that the ISSO is the only person needed to protect their data and systems, I invite you to read about how the security boundary is changing and how it now takes many people to keep your data secure.
William Emmanuel Yu, Ph.D., CISM, CRISC, CISSP, CSSLP
Not so long ago, all businesses had traditional brick-and-mortar operations. Employees had access to communications facilities within these brick-and-mortar facilities. Security was hinged on the fact that controls could be placed in both the facility and the equipment contained in the facility. Cloud-based communications offerings removed the tether to the office desk and Bring Your Own Device (BYOD) mobile-enabled offerings removed the tether to the office equipment. The untethering trends in communications have focused on 3 main areas:
- Electronic mail. Email solutions allow access from anywhere with Internet access and from a broad range of devices including mobile. A number of these offerings have value-added services such as spam and malware filtering, archiving and even some enterprise groupware functionality (e.g., calendar, address books, document sharing). Major players in this space include Google Apps, Rackspace Email and Zoho.
- Instant messaging. Email is frequently used as an instant messaging solution with the advent of push email. However, real-time messaging is making a comeback via mobile-centered instant messaging offerings (e.g., WhatsApp, Viber, Facebook). Enterprise instant messaging functionality (e.g., organizational groups, directory services) has not quite managed to creep into these offerings yet. But this does not stop businesses from using these channels.
- Telephony. Telephony solutions offer follow-me services that give an enterprise user one telephone number on which people can reach them either in the office or on the go (via mobile). These offerings are now available for entire enterprises and not just individual users. They have a rich set of enterprise functionality, including conferencing, recording, voice mail, messaging triggers and call routing. Gone is the day when companies needed to procure full IVR/PBX solutions to join the ranks of the enterprise “big boys.” Today, a credit card and Internet access can provide you with such services. Major players include Twilio and RingCentral.
In the new Wild West of communications, information security professionals must adjust to the mind-set that security via controls in well-defined and limited enterprise facilities—the Fort Knox Mentality—is coming to an end. Information is now scattered in many places: physically stored on disks with a hosting provider, in transit among many Internet and telecommunications providers, and cached in the many individual devices an enterprise user may carry. Today, all of these areas, including additional areas of concern such as safe harbor, the right to be forgotten, data repatriation and ownership, and the need to clean as you go (CLAYGO), must be considered in the eyes of information security.
Read William Emmanuel Yu’s recent Journal article:
“BYOD Security Considerations of Full Mobility and Third-party Cloud Computing,” ISACA Journal, volume 1, 2013