61% of respondents are currently using, evaluating or planning to use cloud computing-based services within the next year.
As cloud computing is evolving, so are the buyers of cloud services.
Savvy business professionals have recognized the speed and efficiencies that embracing cloud technology can bring.
Cloud computing has given birth to a new breed of business user: a sophisticated consumer who can choose which services to consume and combine them as easily as ordering from a menu.
Understanding cloud computing implications
Many organizations are still unclear of the implications of cloud computing and are increasing their efforts to better understand the impact and the risks. Out of 16 information security areas, respondents named cloud computing as their top funding priority for the coming 12 months, and it ranked second among all other categories in the areas most likely to receive more — rather than less — funding than the previous year.
Does your organization currently use cloud computing-based services?
Our appetite for external cloud services has increased our dependency on third parties and dimmed our view into the inner workings of core business applications. As organizations become increasingly locked in to their cloud provider, they face compliance risks – contracting, legal and integration.
Moving to the cloud is nothing less than a complete transition of business processes, including the risks associated with it.
Key risks and challenges related to cloud computing
- Compliance and privacy. Cloud computing is often “borderless,” but compliance is not. For cloud users it is often not clear where data resides, which creates challenges for legal compliance or privacy.
- Information security and data integrity. Processing data with a cloud service provider followed by communication over the internet, as opposed to keeping it entirely within a company network, increases data and information vulnerability. The cloud brings new challenges when it comes to application security, identity and access management, authentication, encryption and data classification.
- Contract and legal. Contractual risks stem primarily from the types of contracts that companies enter into with cloud service providers. Those contracts should include the service level agreements (SLAs) and key performance indicators (KPIs) that are used to agree and evaluate performance.
- Governance and risk management and assurance. Organizations will want to ensure that the cloud approach fits well within their overall business goals in terms of both the benefits and the risks. Organizations need a governance model and a cloud strategy, including a cloud risk management approach.
- Reliability and continuity of operations. Continuity of the business is critical, so it is important to understand a cloud provider’s geographical coverage and how this may affect cloud users. In addition, cloud users are depending on their cloud service providers’ business continuity program, disaster recovery capabilities, and capabilities regarding operations and support processes, such as incident management and service desk.
- Integration and interoperability. The integration of systems in the cloud is a significant undertaking. Systems need to be able to talk to one another between the cloud user and the cloud service provider. To provide for ongoing interoperability, technology changes and systems upgrades, including testing, must be addressed and managed.
Where is the guidance?
Despite the evolution of cloud computing, organizations struggle with the integration of external cloud computing into their business.
48% of respondents listed the implementation of cloud computing as a difficult or very difficult challenge, and just over half have not implemented any controls to mitigate the risks associated with cloud computing. Organizations, uncertain about their control options, select and implement only a subset of those available, sometimes none at all.
In the absence of clear guidance, many organizations seem to be making ill-informed decisions, either moving to the cloud prematurely or avoiding it altogether. The survey results indicate that although many organizations have moved to the cloud, many have done so reluctantly, evidenced by 80% of respondents who are challenged to deliver information security initiatives for new technologies such as cloud computing and virtualization.
Almost 90% of respondents believe that external certification would increase their trust in cloud computing.
Building trust in the cloud
Many organizations have begun the governance process, addressing many of the perceived challenges through service attestation registries and consistent audit frameworks like those used in the financial services industry.
Much progress toward a consistent trust model has been achieved, and we expect that many respondents will find increased comfort with providers who participate in the trust community.
As the cloud industry evolves, so must the ability to trust, through the development of regulated trust standards. Currently, there are alliances working toward this goal, both private and federal.
Organizations must continue to leverage the guidance of these organizations, aligning with industry practices to encourage standardization across service providers.
| Our perspective |
- Choose verification above trust.
- Understand who owns the risks before entering a cloud agreement.
- Plan for continuity and select providers that are transparent about resiliency build backups and test recoverability.
- Proceed in using the standard security processes and techniques that have worked effectively on other technologies in the past.
- Align your business and information security strategy, and continuously assess risks to comply with regulations and industry standards.
« Previous | Next »