
The Deadly Sins of Cloud Computing

Mike Small

Cloud computing provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of information technology (IT) service delivery models beyond managed and hosted services to a form that is packaged and commoditized. However, many organizations are sleepwalking into the cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource the organization's responsibilities. There are issues that may be forgotten or ignored when adopting cloud computing strategies. In a recent survey by ISACA, 30 percent of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise's security in the next 12 months.

Most people are aware of the concept of the seven deadly vices that are said to explain human weaknesses. These are wrath, greed, sloth, pride, lust, envy and gluttony, and are sometimes referred to as the seven deadly sins. Of these vices, one above all can lead to problems with cloud computing: sloth. Clearly, a good understanding of the cloud is critical, as is effective governance over the cloud.

Sloth affects cloud computing activities because it can lead to inattention to details such as:

  • Not knowing you are using the cloud: This sounds irrational, but it happens more frequently than would be expected. It is easy to buy a cloud service using a credit card, and your organization may be using the cloud without the appropriate people knowing about it. When you buy the cloud service that way, it is likely that you have agreed to the terms and conditions set by the provider and these may not be appropriate for your needs. You should ensure that there is a proper process for obtaining a cloud service and that it is followed. Definitions of various cloud types are available from ISACA.
  • Not assuring legal and regulatory compliance: Many organizations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that if you move these systems into the cloud that you will not lose this compliance.
  • Not knowing which data are in the cloud: One of the key legal requirements for many organizations is compliance with data privacy laws. These mandate where personally identifiable data can be held and how it must be processed. If you don't know what data you are moving to the cloud you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data such as spreadsheets, presentations and documents. It is essential that you identify and classify data you are moving to the cloud to manage risks and ensure compliance.
  • Not managing identity and access to the cloud: Controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application are moved to the cloud. The best way to achieve this is through the use of identity federation based on standards such as Security Assertion Markup Language (SAML) and Active Directory Federation Services (ADFS).
  • Not managing business continuity and the cloud: Organizations adopting the cloud need to determine the business needs for continuity of any services or data being moved to the cloud. To support this they should have policies, processes and procedures in place to ensure that these business requirements are met. These involve not only the cloud service provider, but also the customer as well as intermediate infrastructure such as telecommunications and power suppliers.
  • Becoming locked-in to one provider: It is often claimed that the cloud provides flexibility but how easy is it to change a cloud service provider? A number of factors can make changing providers difficult, for example, there may be contractual costs incurred on termination of the service contract. The ownership of the data held in the cloud may not be clear and return of the data on termination of contract may be costly or slow. When data are returned they may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, platform as a service [PaaS] in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider.
  • Not managing your cloud provider: You need to manage your cloud provider just like any other outsourced IT service provider. This means defining and agreeing to metrics via service level agreements and then making sure that these are achieved. A customer may wish to perform an audit of the provider, but it may not be practical for the provider to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. However, it is important to understand what these service organization controls (SOC) reports cover. Taking a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits that it provides.
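The identity federation point above puts the access decision in the customer's hands: the cloud application must only accept SAML assertions from the organization's own identity provider, addressed to this application, and within their validity window. The following is an added example, not code from the article or from any vendor, of those checks on a constructed assertion; it assumes the XML signature has already been verified by a SAML library before these checks run, and the issuer and entity-ID URLs are hypothetical.

```python
"""Check the trust conditions on a SAML 2.0 assertion from a federated IdP.
Assumes the assertion's XML signature was verified beforehand."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted) for a hypothetical IdP and SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2012-09-10T09:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/federation</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-09-10T09:00:00Z" NotOnOrAfter="2012-09-10T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cloud-app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    # Whole-second UTC timestamps only, as used in the constructed sample.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuer, our_entity_id, now):
    """Return a list of rejection reasons; an empty list means accept."""
    root = ET.fromstring(xml_text)
    problems = []
    # Only the organization's own IdP may vouch for users.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        problems.append(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    # Reject assertions outside their validity window (NotOnOrAfter is exclusive).
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None:
        problems.append("validity window missing")
    else:
        if now < _ts(nb):
            problems.append("assertion not yet valid")
        if now >= _ts(noa):
            problems.append("assertion expired")
    # An assertion issued for another service must not be replayed against this one.
    audiences = [a.text.strip() for a in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if our_entity_id not in audiences:
        problems.append("audience restriction does not name this service provider")
    return problems
```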


About the Author

Mike Small, CEng, FBCS, CITP, is a member of the London Chapter of ISACA, a fellow of the BCS, and an analyst at KuppingerCole. Until 2009, Mike worked for CA where he developed CA's identity and access management product strategy. He is a frequent speaker at IT security events around EMEA. He will be speaking at the ISACA EuroCACs/ISRM conference, on 10-12 September 2012, in Munich on the subject of identity and access solutions, access governance, ensuring business continuity in the cloud and avoiding lock-in in the cloud.



© Copyright 2012 Auerbach Publications