The cloud offers greater availability and flexibility of IT services but introduces new risks. Selling the cloud successfully means ensuring that these risks are properly managed and that customers understand which responsibilities remain theirs under the shared-responsibility model.
Lock-in: It is often claimed that the cloud provides flexibility, but how easy is it to change CSPs? A number of factors can make changing providers difficult, and it is important to be upfront and make these clear to a potential customer. There may be contractual costs incurred on termination of the service contract, and data egress charges can make moving large volumes of data expensive. The terms for the return of data on termination should be clear, and when data are returned they should be in a documented, open format that can be used or migrated without the provider's tooling. Cloud services (built using cloud platforms, PaaS in particular) should be based on industry standard architecture and interfaces rather than proprietary APIs, so that migration to another provider remains practical at a future date.
Provider Certification: The customer may wish to audit the CSP; however, it is not practical to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. Two common types of report are offered: SOC 1 and SOC 2. SOC stands for "Service Organisation Controls". A SOC 1 report covers controls relevant to the customer's financial reporting and is based on the auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements, which became effective in June 2011). A SOC 2 report covers controls relevant to security, availability, processing integrity, confidentiality and privacy, assessed against the Trust Services criteria (the same criteria that underpin WebTrust and SysTrust). Either report may be issued as Type I (the design of controls at a point in time) or Type II (the operating effectiveness of controls over a period, typically six to twelve months); a customer relying on a report should check which type it is, the period it covers and which of the provider's services and locations are in scope. In addition there are assessment schemes where organisations who are members of the scheme are able to access the assessment (made according to a common standard) of a provider carried out by another member.
It is important that an organisation can identify its business requirements and that the cloud service is selected to meet those needs. For most organisations cloud services will co-exist with existing IT services. The key difference is that, while internal services are directly managed, cloud services are indirectly governed: the organisation retains accountability for its data and its compliance obligations, but controls only what the contract and the service interface allow. Adopting a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits that it provides. The global IT association ISACA has developed IT Control Objectives for Cloud Computing and other resources that can assist organisations considering a move to the cloud.
Mike Small is a senior analyst at KuppingerCole, a member of the ISACA London Chapter's Security Advisory Group and a fellow of the BCS. Previously, Small worked for CA, where he developed CA's identity and access management product strategy. He is a frequent speaker at IT security events around EMEA, including ISACA's Information Security and Risk Management (ISRM) conferences.