Opportunities, management strategies and more
Cloud computing is here and virtually every organization is using it in some way, shape or form. Educating yourself and your people on the opportunities and risks associated with this technology is of the utmost importance. Let’s look at the opportunities presented by cloud computing, managing the risks associated with housing your sensitive data off-site, using virtual computing environments and vendor management considerations.
What is ‘the cloud’?
“The cloud” is an all-encompassing term for a virtualized information technology (IT) computing environment in which individuals and businesses work with applications and data stored and maintained on shared machines in a web-based setting, rather than physically housed in a user’s location. Google’s popular email system, Gmail, is an example of the cloud — but this is just one model. There are three cloud service models (infrastructure as a service, platform as a service and software as a service) deployed in four types of settings (private, community, public and hybrid clouds).
Service models
- Infrastructure as a service (IaaS): provides access to server hardware, storage, network capacity and other fundamental computing resources
- Platform as a service (PaaS): provides access to basic operating software and services to develop and use customer-created software applications
- Software as a service (SaaS): provides integrated access to a provider’s software applications
Deployment models
- Private cloud: accessible from an intranet, internally hosted and used by a single organization
- Community cloud: infrastructure accessible to a specific community
- Public cloud: accessible from the internet, externally hosted and used by the general public
- Hybrid cloud: a combination of two or more clouds
Cloud benefits
Cloud computing provides a scalable online environment that makes it possible to handle an increased volume of work without impacting system performance. Cloud computing also offers significant computing capability and economy of scale that might not otherwise be affordable — particularly for small and medium-sized organizations — without the IT infrastructure investment.
Cloud computing advantages include:
- Lower capital costs. Organizations can provide unique services using large-scale computing resources from cloud service providers, and then nimbly add or remove IT capacity to meet peak and fluctuating service demands while only paying for actual capacity used.
- Lower IT operating costs. Organizations can rent added server space for a few hours at a time — rather than maintain proprietary servers — without worrying about upgrading their resources whenever a new application version is available. They also have the flexibility to host their virtual IT infrastructure in locations offering the lowest cost.
- Ease of installation and maintenance. Cloud computing requires no hardware or software installation or maintenance.
- Optimized IT infrastructure. The infrastructure provides quick access to computing services.
Cloud risks
- Environmental security. The concentration of computing resources and users in a cloud environment also represents a concentration of security threats. Because of their size and significance, cloud environments are often targeted by virtual machines and bot malware, brute force attacks and other attacks. Ask your cloud provider about access controls, vulnerability assessment practices, and patch and configuration management controls to check that they are adequately protecting your data.
- Data privacy and security. Hosting confidential data with cloud service providers involves the transfer of a considerable amount of an organization’s control over data security to the provider. Make sure your vendor understands your organization’s data privacy and security needs. Also, make sure your cloud provider is aware of particular data security and privacy rules and regulations that apply to your entity, such as HIPAA, the Payment Card Industry Data Security Standard (DCI DSS), the Federal Information Security Management Act of 2002 (FISMA) or the privacy considerations of the Gramm-Leach-Bliley Act.
- Data availability and business continuity. A major risk to business continuity in the cloud computing environment is loss of internet connectivity. Ask your cloud provider what controls are in place to ensure internet connectivity. If a vulnerability is identified, you may have to terminate all access to the cloud provider until it is rectified. Finally, the seizure of a data-hosting server by law enforcement agencies may result in the interruption of unrelated services stored on the same machine.
- Record retention requirements. If your business is subject to record retention requirements, make sure your cloud provider understands — and meets — them.
- Disaster recovery. Hosting your computing resources and data with a cloud provider makes the cloud provider’s disaster recovery capabilities vitally important to your company’s disaster recovery plans. Know your cloud provider’s disaster recovery capabilities and ask your provider if they’ve been tested.
Evaluating your options
Many cloud provider options are available, each with unique benefits and risks. As you evaluate your choices and the associated risks, consider the following:
- Cloud providers are sometimes reluctant to produce third-party audit reports unless an audit clause is included in the contract. Some hosts require clients to pay for reports.
- Some internal audit departments are performing control reviews of cloud providers, in addition to receiving and analyzing third party audit reports. This is driven by certain controls not being tested, exclusion of pertinent systems or other factors that require on-site testing.
- Standard cloud provider audit reports typically do not include vulnerability/penetration testing results. Providers are hesitant to allow scanning, as they believe this may compromise their infrastructure.
Cloud computing is a widely used format and we don’t see this changing anytime soon. Knowing that you are managing the risks associated with housing your sensitive data off-site will give you confidence with the platform, so you can take advantage of the opportunities presented by the cloud.