Risk Management: Do It Now, Do It Right

Research: Cloud Risk

Cloud Cover: Managing Risk in a New Paradigm

Perhaps the only thing more discussed than the promise of cloud computing is the host of questions swirling around the concept: Are these services really ready for prime time? Is my organization ready for these services? Where is my industry on the adoption curve? Which providers can we trust? Will they deliver as promised? Should enterprise IT be embracing this trend, and if so, how fast, and in which cases?

When we first explored the governance, risk and compliance issues surrounding cloud computing, in an April 2009 report based on our February 2009 survey, we concluded that the decision to use cloud-based resources would not be a matter of if but of when. The business case for adopting lower-priced resources for specialized computing is a compelling one, and there is real promise behind all the hype surrounding the “cloud.” However, careless adoption will result in unmanaged risk—risk that could ultimately lead to some very negative outcomes. Downtime. Unforeseen costs. Security breaches. Lost data, legal headaches and potentially brand-tarnishing events. We postulated that, ultimately, the real question IT needs to ask is whether a given cloud provider can perform Service X within the organization’s acceptable risk appetite.

It was clear then that, as much as InformationWeek Analytics readers were intrigued by cloud computing’s promise, they were equally concerned about associated risks. Of the 547 business technology professionals who responded to our February 2009 poll, more than half worried about security defects in the technology itself and loss of proprietary data. One year later, not surprisingly, this dynamic still holds true: In our February 2010 survey of 518 business technology professionals, security concerns again lead the list of primary reasons not to use cloud services. Our respondents’ comments illustrate the wide range of opinions in this debate. “Has everyone forgotten the dot-com meltdown?” asks a senior VP for a utilities company. “Whole Web sites, along with the companies that ran them, disappeared, never to be seen again. I want to control my own future as much as possible.” Counters an IT professional from an educational institution: “As we grew to over 5,000 accounts, the management, backup and maintenance [of our e-mail servers] got to be prohibitive. We now enjoy 99.999% reliability, up to 20 GB of space per user and are able to deliver more services through Google Apps than we could offer previously.”

Many other respondents commented on how pushing certain functions to an outside provider freed up both staff and computing resources to address more pressing problems. If the benefits are clear, so is the need to manage governance, risk and compliance. In this report, we’ll investigate how that management needs to occur. Smart organizations will tackle issues head on, and reap the rewards of their efforts. Outsource with no controls in place, however, and you could get burned.

Make no mistake—there’s as much opportunity for disaster as there is room for benefit.

Survey Name: InformationWeek Analytics 2010 Cloud GRC Survey
Survey Date: February 2010
Region: North America
Number of Respondents: 518
