Ron Speed, CISA, CRISC, CA
Businesses around the world are witnessing a flood of new cloud computing services entering the market. These offerings are making it easier for almost anyone to engage and access, and they cover everything from personal file backup to major production server and application services.
Will cloud computing deliver lasting economic benefits to businesses? What is the best use of cloud services and can they be adopted in ways that do not put a business’s risk profile in peril? These are questions that will, and should, be debated in boardrooms for some time to come. One thing for sure is that the cloud computing trend is putting pressure on traditional IT governance processes to adapt. For businesses to make prudent decisions regarding the adoption of cloud services, IT governance and risk managers need to work closely with business managers to promote understanding of key cloud computing principles and to help establish effective governance practices.
For those not familiar with the term, “cloud computing” describes Internet-based technology (either software, platform, infrastructure or a combination) that stores and processes information and is provided as an on-demand service.
So what is so new and revolutionary about this? On the surface, it sounds like an Internet version of IT outsourcing. Well, in a way, it is, but with a few important differences. To explain, it helps to use an analogy: Take people who commute to work by driving their own cars, but arrive late due to traffic, roadwork delays and frequent breakdowns (as their cars are old and poorly maintained). Now, they might choose to address this situation by buying navigational devices, upgrading their cars, securing regular maintenance services or even by hiring professional drivers to take them to and from work. This approach would be similar to delivering an outcome using traditional IT service models, with the use of a driver similar to traditional IT outsourcing.
An alternative approach for addressing the situation could be for people to trade in their cars and buy yearly tickets to take the train to work. By doing this, people would essentially be giving up the individualistic approach to commuting and adopting a standardized, technologically agnostic approach to achieving the same outcome. The whole problem with unreliable cars and the costs of driving are replaced with a solution with a completely different cost structure as well as different risks and opportunities. This approach is analogous to transitioning to the use of cloud computing services.
Similar to this analogy, there are several important trade-offs that occur when transitioning to cloud computing from traditional IT (whether in-house or traditional outsourcing). Exactly what these trade-offs are depends on the specifics of the services being engaged, but the typical ones to be aware of are:
Clearly there are pros and cons of both traditional IT and cloud-based services. But one of the great aspects of the flood of new services coming onto the market is that almost all businesses can benefit—through cost reduction, risk mitigation or both—from the increase in choices available. For this reason, it makes sense to keep an eye on new services as they emerge.
To understand the risk and reward profiles of cloud services, it is important to understand the economics behind them. Here is a brief outline of the basics. Essentially, cloud providers are able to deliver services less expensively than in traditional IT service models due to two key factors:
Figure 1 depicts how these cost savings may look for a business that undergoes periodic peaks and troughs and has high unpredictability in its demand for IT services.
The potential cost differential between the two models is even greater when more layers of the IT stack are transitioned to the cloud. For example, for Software as a Service (SaaS), where software, platform and infrastructure layers are bundled into a single cloud service, cost savings are potentially greater than with Infrastructure as a Service (IaaS), where only hardware layers (e.g., storage, CPU, network) are provided. This is because efficiency increases as more and more components are standardized and bundled together.
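The following is an added worked example, not from the article or its figures, that puts rough numbers behind the Figure 1 scenario: a traditional model buys capacity up front for the peak (plus headroom) and pays for it every month, while a pay-per-use model pays only for what is consumed. The demand series, unit prices and headroom factor are all constructed assumptions; the second, flat demand series shows the case the article later makes, that neither model is always cheaper.

```python
"""Added example (not from the article): a simple cost model comparing
fixed-capacity (traditional IT) cost with pay-per-use (cloud) cost over a
demand series with peaks and troughs. All numbers are constructed."""

from statistics import mean

# Constructed monthly demand in "server-equivalents" for one year: a steady
# baseline with two seasonal peaks (the Figure 1 style of workload).
PEAKY_DEMAND = [10, 10, 12, 30, 12, 10, 10, 11, 35, 12, 10, 10]

# Constructed flat demand: the workload is fully utilised all year.
FLAT_DEMAND = [40] * 12

# Assumed unit prices per server-equivalent per month. The cloud price is set
# higher than the owned-hardware price, which is the usual pattern.
FIXED_UNIT_COST = 100.0
CLOUD_UNIT_COST = 150.0
HEADROOM = 1.2  # assumed safety margin bought above the observed peak


def fixed_capacity_cost(demand, unit_cost=FIXED_UNIT_COST, headroom=HEADROOM):
    """Traditional model: capacity is sized for the peak (plus headroom) and
    paid for every month whether or not it is used."""
    capacity = max(demand) * headroom
    return capacity * unit_cost * len(demand)


def pay_per_use_cost(demand, unit_cost=CLOUD_UNIT_COST):
    """Cloud model: pay only for the capacity consumed in each month."""
    return sum(d * unit_cost for d in demand)


def utilisation(demand, headroom=HEADROOM):
    """Average share of the fixed capacity that is actually used. Low
    utilisation is where the fixed-capacity model wastes money."""
    capacity = max(demand) * headroom
    return mean(demand) / capacity


def compare(demand):
    """Return both annual costs, the saving from moving to pay-per-use
    (negative when the fixed model is cheaper) and the utilisation."""
    fixed = fixed_capacity_cost(demand)
    cloud = pay_per_use_cost(demand)
    return {
        "fixed": fixed,
        "cloud": cloud,
        "saving": fixed - cloud,
        "utilisation": utilisation(demand),
    }


if __name__ == "__main__":
    for name, series in (("peaky", PEAKY_DEMAND), ("flat", FLAT_DEMAND)):
        result = compare(series)
        print(f"{name:5s} fixed={result['fixed']:>8.0f} cloud={result['cloud']:>8.0f} "
              f"saving={result['saving']:>8.0f} utilisation={result['utilisation']:.0%}")
```

With these assumptions the peaky workload runs at roughly a third of its provisioned capacity and pay-per-use comes out about half the price, whereas the flat workload is cheaper to own outright; the numbers change with the prices and headroom chosen, which is exactly why a business case needs the organisation's own figures rather than a generic rule.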
As with the transportation analogy, neither approach (traditional IT nor cloud computing) will always be superior to the other. Cloud computing has introduced additional options for IT service delivery. For many businesses, an optimal approach that leverages the best of both models will achieve an improved risk-reward trade-off. Figure 2 depicts how this may occur.
Also, over time, cloud providers are aiming to create even greater cost savings as they capture larger market share and capitalize on economies of scale.
So if the cost savings from transitioning to the cloud are that compelling, why do businesses not move all their IT to the cloud? This is a fair question that is coming up regularly in boardrooms around the globe. But, unfortunately, the answer is not as simple as it might seem, as there are several other factors to consider, not the least being those relating to risk management, compliance and security.
Therefore, the right answer to the question, “Should I drive or ride?” is: “It depends.” It depends on the nature of the IT service, future growth expectations, the business’s risk appetite, legal and regulatory compliance requirements, and cost. With all these factors to consider, it is essential that businesses carefully think through their IT service delivery strategy and prepare a business case that covers all of these factors. Figure 3 illustrates an approach to measuring risk-mitigation costs so that they can be compared for different delivery models and reflected in a business case that might incorporate cloud services.
Figure 4 shows some examples of IT service delivery strategies, incorporating cloud computing and some of the key considerations.
The potential benefits of cloud computing are compelling, but it also brings a number of new and worrying risks. Following are typical control requirements or opportunities that businesses may need to consider when contemplating a move to the cloud. Keep in mind that, like the cloud itself, new technologies and techniques are emerging all the time.
Businesses need to use encryption and stay alert. With traditional IT services, the use of intrusion detection, alerting and prevention techniques has become common. When moving to the cloud, many of these tools are in the hands of the cloud provider, which may use them to protect its own networks and servers from attack. This does not mean, however, that the cloud provider will alert customers when a threat comes close to compromising customers’ assets. In fact, unless businesses tell cloud providers that they want to receive security-event alerts, cloud providers might assume that customers do not want to know.
Fortunately, many cloud providers offer their customers the ability to receive security-event alerts and even to flag the specific assets that they want to be monitored. Should a security event occur on a cloud provider’s network, businesses might still be reliant on the cloud provider to block an attack. They can, however, take their own evasive action to protect their assets, such as by bringing them offline.
Before engaging with a cloud provider, there is another major area that warrants consideration: legal and regulatory requirements. In the old (pre-European Union [EU]) days of pan-European train travel, every time a train reached a border, government officials would come on board and check passenger passports before passengers could proceed. And, just because passengers purchased tickets to a particular destination did not mean that they would be allowed to get there if they did not have the right visas, for example.
The cloud can operate similarly. Just because a business purchases a service that operates across data centers around the globe does not mean that the business is allowed to send its data around the globe. Data privacy and sovereignty laws and requirements have sprung up around the world over recent decades. If businesses handle data covered by these requirements, they need to travel in the cloud with great care, or risk breaching the requirements.
Adherence to these laws and regulations can be complex, as there are many gray areas and legally untested situations, such as what constitutes export of data. The best recommendation is to obtain legal advice before entering into any cloud arrangements, particularly when operating in heavily regulated industries, such as financial services or health care, or where systems involve personally identifiable information (PII). In some cases, businesses may want to (or even be required to) consult with regulatory authorities directly.
For businesses subject to strict data-privacy or export laws, there are measures that can be put in place. For example, they can seek a cloud provider that offers geo-specific services, i.e., services in which operations are confined within certain jurisdictional boundaries.
Depending on the circumstances, there are many other areas of potential legal complexity, too. For example, what happens if an incident occurs in the cloud? Does the customer have the right to conduct a forensic investigation? Who will be liable for damages? Clearly, obtaining good legal advice is paramount for businesses to protect their rights and meet their obligations.
When it is time for a business to start evaluating service providers against its needs, there is a very important factor to consider: transparency. Cloud computing is much more than just buying IT hardware or software. It is about engaging a service that may be entrusted to manage critical assets and services, and there may be little day-to-day visibility of how this occurs. But, businesses can and should ensure a level of transparency.
With a traditional IT model (either on-premise or for many outsource arrangements), getting visibility is usually a case of commissioning an audit, either by internal auditors or by an outside party. But, for cloud services, this option is much less likely to be available or even practical, as the cloud service provider’s processing may be distributed throughout the world.
Therefore, alternative methods of gaining visibility of security and control will often be needed. There are several methods available, and, recognizing the need to establish trust, cloud providers are investing more and more in providing the information their customers need. This is an area that is likely to grow and evolve, and maybe one day a single common standard will be in place. However, in the meantime, here are some typical methods used by cloud providers to provide transparency. Each has pros and cons; therefore, often the best approach is to seek a combination of these:
A note of caution: It is important not to take any audit report or certification at face value without examining its details. It is important to review its purpose, scope and any major exceptions, and to assess these against the business’s critical compliance, risk management and control needs.
Recently, news broke of Dropbox allegedly misleading customers regarding the levels of data protection provided by its service. This occurred shortly after Amazon’s EC2 service experienced major outages. With these and other events, media reports are asking, “Is this the end of the innocence of the cloud computing ideal?” The reality is that, as cloud services continue to grow and mature, there will be some derailments along the way. But the economics appear to be sound and compelling, and many of the technologies underpinning the cloud are maturing and proliferating quickly. So, it seems that cloud computing is an industry trend that is here to stay. That said, there are clearly a number of risks and uncertainties in transitioning to the cloud, so strong governance and control are an essential part of any decision to transition to the cloud.
But, for business managers who only glance at media headlines or skim glossy marketing materials, the path ahead may well be confusing and, at times, frightening. There are major opportunities here for IT governance and risk managers to educate and guide their business leaders on prudent ways to take advantage of the cloud. IT governance and risk managers can provide immense value in developing strategies that leverage the positive economic and risk-mitigation benefits of the cloud while also adopting control and assurance methods that help avoid the risks.
1 Kumar, Manoj; “Scandal at Satyam: Truth, Lies and Corporate Governance,” India Knowledge@Wharton, January 2009
2 A good comparison of the reports can be found at www.aicpa.org.
Ron Speed, CISA, CRISC, CA, is an IT executive with more than 20 years of experience in IT, risk management, governance, security and consulting. He has led and advised on strategic transformation initiatives in Australia and the US. His areas of specialty include the financial service industry and Asia-Pacific regulatory compliance.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.