Research: Cloud Risk
Cloud Cover: Managing Risk in a New Paradigm
Perhaps the only thing more discussed than the promise of cloud computing is the host of questions swirling around the concept: Are these services really ready for prime time? Is my organization ready for these services? Where is my industry on the adoption curve? Which providers can we trust? Will they deliver as promised? Should enterprise IT be embracing this trend, and if so, how fast, and in which cases?
When we first explored the governance, risk and compliance issues surrounding cloud computing, in an April 2009 report based on our February 2009 survey, we concluded that the decision to use cloud-based resources would not be an matter of if but of when. The business case for adopting lower-priced resources for specialized computing is a compelling one, and there is real promise behind all the hype surrounding the “cloud.” However, careless adoption will result in unmanaged risk—risk that could ultimately lead to some very negative outcomes. Downtime. Unforeseen costs. Security breaches. Lost data, legal headaches and potentially brand-tarnishing events. We postulated that, ultimately, the real question IT needs to ask is whether a given cloud provider can perform Service X within the organization’s acceptable risk appetite.
It was clear then that, as much as InformationWeek Analytics readers were intrigued by cloud computing’s promise, they were equally concerned about associated risks. Of the 547 business technology professionals who responded to our February 2009 poll, more than half worried about security defects in the technology itself and loss of proprietary data. One year later, not surprisingly, this dynamic still holds true: In our February 2010 survey of 518 business technology professionals, security concerns again lead the list of primary reasons not to use cloud services. Our respondents’ comments illustrate the wide range of opinions in this debate. “Has everyone forgotten the dot-com meltdown?” asks a senior VP for a utilities company. “Whole Web sites, along with the companies that ran them, disappeared, never to be seen again. I want to control my own future as much as possible.” Counters an IT professional from an educational institution: “As we grew to over 5,000 accounts, the management, backup and maintenance [of our e-mail servers] got to be prohibitive. We now enjoy 99.999% reliability, up to 20 GB of space per user and are able to deliver more services through Google Apps then we could offer previously.”
Many other respondents commented on how pushing certain functions to an outside provider freed up both staff and computing resources to address more pressing problems. If the benefits are clear, so is the need to manage governance, risk and compliance. In this report, we’ll investigate how that management needs to occur. Smart organizations will tackle issues head on, and reap the rewards of their efforts. Outsource with no controls in place, however, and you could get burned.
Make no mistake—there’s as much opportunity for disaster as there is room for benefit.
Survey Name: InformationWeek Analytics 2010 Cloud GRC Survey
Survey Date: February 2010
Region: North America
Number of Respondents: 518
Table of Contents
4 Author’s Bio
5 Executive Summary
7 Research Synopsis
8 The Case for the Cloud
9 Impact Assessment
10 Is Security the Top Risk?
11 Terminology Advances—Calling an Apple an Apple
15 Enter the SAS 70
21 Cloud Adoption Dynamics
23 InformationWeek Analytics Readers Speak
24 Governance and the Future
30 Appendix
About the Author
Greg Shipley has spent his career as an information security practitioner, starting out in IT operations, later moving into penetration testing, and eventually working his way up to in-depth product evaluation and security program management. He was formerly CTO of information security firm Neohapsis.
Greg is well known in the industry for his insight into technology and product trends. He is a contributing editor for InformationWeek and a frequent speaker for industry organizations such as IANS and ISSA. In 2001, Greg received the prestigious Neal Award from the American Business Media for Best Single Article, and he continues to be a prolific author today. Over the past 10 years, Greg has been responsible for evaluating, testing and writing about the evolution of information protection technology and has earned a reputation for in-depth and candid analysis.
|
Thread View | Flat View | 1Comments |
 Great articleComment by AliL Feb-07,2012 7:40:48 PMNice article Greg, I really liked the way you put forward all these information. Yes you are right, that still for some organization/person, there is a four letter word associated with cloud computing and that word is 'Risk'. They think that cloud is still cutting its milk teeth and being in its infancy is discovering the hard way that fire is. But I disagree! Speaking from personal experience, my end user experience has been phenomenal and I’m addicted to my HVD. I challenge anyone who says this to do a side-by-side comparison with my dinCloud HVD and a physical PC. Does your physical PC never crash? Your Internet Explorer never freeze? Or your OS never blue screen? The cloud is not some magical solution that can solve all your problems, but it certainly can solve most of them.Reply |
