The key benefit of adopting a cloud approach is one of scale – the cloud provider can potentially offer a better service at a lower cost because the scale of its operation means it can afford the skilled people and state-of-the-art technology necessary to deliver a secure service.
In general, a large cloud provider is likely to provide a better and more secure IT service at a lower cost than a small to medium-sized enterprise can provide itself.
While the public cloud offers applications shared by multiple customers, the private cloud provides applications and infrastructure that are dedicated to a particular organisation. It allows organisations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources.
The price of this tighter control is that costs are likely to be higher than for a public cloud, because there is less scope for economies of scale, and resilience may be lower because the service resources available are more limited.
Adopting cloud computing may, then, save money, but how does it affect risk?
The information security risk associated with cloud computing depends on both the service and delivery models adopted, while the specific risks depend on the organisation and its individual requirements. The common security concerns include ensuring the confidentiality, integrity and availability of the services and data delivered.
The approach to managing risks from the perspective of the cloud service user is one of due diligence: ensuring that the requirements are clearly understood, the risks are assessed, the right questions are asked and the appropriate controls are included in the service level agreements (SLAs).
The principal information security-related issues that organisations need to address are summarised below:
- Ease of purchase: Anyone can buy access using a credit card. Your organisation may already be using a cloud service without a proper assessment of the risk.
- Service contracts: Those offered by cloud providers are often ‘take it or leave it’ and may contain less onerous obligations on the provider than a normal SLA. Key issues include: who owns the data, and how difficult would it be for you to get it back?
- Compliance: Identify the business requirements for compliance with laws and regulations and ensure the cloud provider can explain how it will meet them.
- Service location: Identify the legal issues that relate to the jurisdiction of the geographic location of the provider, service and data, and ensure that service contracts address these issues.
- Data security: Identify and classify the business data involved and specify the security requirements for this data in terms of confidentiality, integrity and availability.
- Availability: Identify the service availability requirements and ensure that the provider is capable of meeting them.
- Identity and access management: Specify the business needs for identity management and access control and ensure it will be delivered securely.
- Insider abuse of privilege: Confirm that the provider has processes and technology to properly control privileged access.
- Internet threats: Determine the level of protection needed against Internet-based threats and ensure the steps to be taken both by the cloud provider and internally are adequate.
Taking a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits it provides. COBIT provides guidance for identifying the business requirements for the cloud-based solution; determining if the functionality is currently provided by an existing internal service and the governance needs based on the business requirements; and developing scenarios to understand the security threats and weaknesses (the Risk IT framework, based on COBIT, is ideal for this).
Finally, understand what the accreditations and audit reports offered by the cloud provider mean and actually cover.
Cloud computing can reduce costs by providing alternative models for the procurement and delivery of IT services. Many organisations have already adopted an outsourcing approach to internal functions that are not core, and this approach naturally extends to IT. However, they need to consider the risks involved in a move to the cloud, and good governance provides a structured way of doing so.
For more information, visit www.isaca.org/cloud for a free ISACA white paper on cloud computing.