Cloud computing provides organizations with an alternative way of obtaining IT services and offers many benefits, including increased flexibility as well as cost reduction. However, many organizations are reluctant to adopt the cloud because of concerns over information security and a loss of control over the way IT service is delivered.
These fears have been exacerbated by recent events reported in the press, including outages at Amazon and the three-day loss of BlackBerry services from RIM. So what approach can an organization take to ensure that the benefits of the cloud outweigh the risks?
To understand the risks involved, it is important to understand that the cloud is not a single model. The cloud covers a wide spectrum of services and delivery models, ranging from in-house virtual servers to software accessed by multiple organizations over the Internet. NIST provides a clear explanation of this range. The NIST document describes the five essential characteristics that define the cloud, the three service models and the four deployment models. The risks of the cloud depend upon both the service model and the delivery model adopted.
When moving to the cloud, it is important that the business requirements for the move are understood and that the cloud service selected meets these needs. Taking a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits that it provides:
- Identify the business requirements for the cloud-based solution. This seems obvious, but many organizations are using the cloud without knowing it.
- Determine the cloud service needs based on the business requirements. Some applications will be more business critical than others.
- Develop scenarios to understand the security threats and weaknesses. Use these to determine the response to these risks in terms of requirements for controls and questions to be answered. Considering these risks may lead to the conclusion that the risk of moving to the cloud is too high.
- Understand what the accreditations and audit reports offered by the cloud provider mean and actually cover.