Cloud computing’s utility style business model is quite seductive - the notion that computing capability and capacity can be aligned with the peaks and troughs of demand for IT is of interest to many CFOs, CEOs and Boards.
Enterprises are enthused by the opportunity to unshackle themselves from the need for CAPEX and to own expensive IT hardware or software, or slavishly follow an upgrade cycle. While managing updates, patches and security can still be undertaken in-house there are models where organisations can co-source or outsource the technical personnel to handle all of this.
However, the C-Suite and Board members cannot shed the accountability for their information systems and it is important to recognise that while cloud reduces many risks, it also introduces others.
The key issue for any enterprise making the journey to the cloud, is that they lose control over the IT and staff. Yet they still need to ensure business continuity, properly discharge contractual and regulatory requirements, and have the flexibility to adjust the cloud services to meet changing business conditions.
As with IT under a businesses control, the three hallmarks of effective security in the cloud are confidentiality, availability and integrity.
While cloud services such as Office 365, Google Docs and salesforce.com are generally engineered to ensure high availability - enterprises are wise to remember that there are no iron-clad guarantees.
There may be a contract in place with a clearly defined service level agreement, even penalties for failing to meet those service levels, but what are the costs and consequential damages if the service is for any reason unavailable?
The business continuity issue remains and organisations regularly struggle to achieve an appropriate balance between cost, risk and value.
From a security perspective, viruses and malware remain a risk. Businesses still need the equivalent of an “air gap” in the data they own – a strategy where a controlled copy of the data is held in reserve so that if the unthinkable should happen, and the cloud service ground to a halt, the secured and separated data could be used to rebuild the applications. These controlled backups could be used to migrate to other cloud providers and form part of the business continuity and disaster recovery plans.
These additional controls clearly come at a cost, and is a step back from a pure cloud approach, where the appeal is often significantly reduced running costs. But the business benefits remain significant.
Additional concerns should be considered by organisations which are regulated by bodies such as APRA or ASIC, or which must adhere to the Privacy Act (1988) and the Australian Privacy Principles, must ensure the confidentiality of data wherever that is located, the cloud included.
Reputable cloud computer vendors go to great lengths to ensure that the information stored in clouds is secure, but it is important companies buying cloud services perform appropriate due diligence and confirm with cloud vendors that they have achieved appropriate security standards. Such security standards should complement an organisations internal Information security management system and will help protect cloud based data from the rising tide of malicious attacks.
The organisations policies and monitoring systems need to be established to meet specific risks of an organisation. For example, a HR systems could be configured to send alerts to IT and system administrators when an employee terminates or when they have not accessed a system for an agreed long period of time (so that their access can be disabled in a timely manner) and to have contractors’ access aligned with their contract start and end dates.
Establishing such policies and procedures, and ensuring they are actively monitored, enforced and policed will be critical if, in the event of a breach, the CEO, CFO or board member is asked "What reasonable steps did you take to ensure that management had monitoring systems in place to manage IT risks to an acceptable level?".
Enterprises need to remain pragmatic when implementing controls and to protect data in the cloud or on corporate assets – to ensure a balance between cost, risk and value. There is no point being so locked down that no-one can access the system when they need it.
To ensure that the risks to the organisations are adequately managed there is a need for a high level of communication and co-operation between senior executives and the IT team. While executives may understand the business risks of not having access to key systems, they might not fully appreciate the IT risks associated with the use of the cloud, just as IT may not understand the business risks.
Independent analysis undertaken by experienced and qualified governance and security professionals can identify blind spots in existing enterprise policies and processes, ensure that good IT practices are being followed by cloud vendors or outsourcing partners, and where necessary undertake testing to ensure that information systems are properly protected.
Proper business/IT governance remains as valid and important in the cloud as it does for companies which own their computer systems.
John Halliday is executive director of BDO based in Brisbane.