You should trust in cloud computing before you can get value from it

A few weeks ago, I presented to an audience of more than 100 CIOs why they should go for cloud computing. The conference organiser specifically asked me to focus on the advantages instead of the risks, since he thought that certain groups and media were doing too much to scare people away from the cloud. Especially since the Amazon Cloud Drive incident, the organiser wanted to bring a positive message.

I liked the idea of this constructive approach and made my life easy by using the slogan “trust in, and value from, information systems”.

Even today many people interpret cloud computing as they see fit, so I started my presentation with the most widely recognised definition (NIST SP 800-145): “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model promotes availability and is composed of:

  • Five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service),
  • Three service models (IaaS, PaaS, SaaS), and
  • Four deployment models (public, private, hybrid, community).”

Since I knew the conference organiser had already covered the service models and the deployment models, I only needed to explain the essential cloud computing characteristics to the audience. Amazingly, I noticed that most CIOs were not aware of two of the five, namely:

  • On-demand self-service (a consumer can unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with each service provider), and
  • Measured service (cloud systems automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer of the service).

I then focused on the elements which create trust in, and value from, cloud computing:

Trust in cloud computing:

  • Confidentiality – Cloud computing solutions typically provide proper authentication and authorisation layers out of the box. Because these solutions are used by many organisations (whether infrastructure, platform or applications), the shared layers tend to be better secured than what a single company would build on its own. Of course, the applications a company develops on top of the infrastructure or platform, and the way it configures the identities and access rights it is given, remain the responsibility of the company. Monitoring to prevent, detect and react to breaches in a timely manner is also present on the provider side, but the company still has to consume and act on it.
  • Privacy – Cloud computing solutions provide measured protection of sensitive personal information, and the company can verify those measures (for example through audit reports and contractual commitments).
  • Integrity – Cloud computing solutions provide similar protection for data integrity, so that information is not altered or destroyed without authorisation.
  • Availability – Cloud computing service providers provide the infrastructure and bandwidth to give companies high-speed access to storage and applications. While availability can be promised, companies should still ensure that they have provisions in place for service interruptions. Cloud computing can also make backup and recovery more reliable.
  • Resiliency – Cloud providers operate disaster recovery facilities designed to keep services running through a wide range of adverse events. The company should still check the provider’s recovery objectives against its own requirements.
  • Compliance – Any company must comply with a litany of laws, regulations and standards. If authorities demand data, cloud computing service providers can hand over the data concerned without compromising other information.
  • Licensing – Cloud computing allows companies to use only the licences needed at a specific point in time, without the risk of running unlicensed versions.
  • Reliability – Cloud computing provides solutions that are available wherever people are.
  • Monitoring – This follows from measured service, one of the five essential characteristics of cloud computing. Measurable, transparent monitoring is provided by default by solution providers to companies. Of course, reading and interpreting the results remains the responsibility of the companies.
  • Integration – Cloud computing solutions provide proper connectors to integrate with existing internal solutions.
  • Network centric – Cloud computing solutions are by default offered via the network.
  • Transparency – Cloud computing service providers can demonstrate the existence of effective and robust security controls, assuring companies that their information is properly secured against unauthorised access, change and destruction.
  • Certification – Cloud computing service providers can provide proper assurance that they are doing the “right” things. Independent assurance from third-party audits and/or service auditor reports is a vital part of any service provider assurance programme.

Value from cloud computing:

  • Cost containment—Cloud computing offers companies scalability without huge upfront financial commitments for infrastructure acquisition and maintenance. Capital expenditure is much lower, since services and storage are available on demand and priced on a pay-as-you-go basis; capital expenditure is largely replaced with operational expenditure. Savings on unused server capacity and licences allow companies to contain costs.
  • On-demand convenience—A core added value for many companies, since they can unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with the cloud service provider.
  • Scalability and flexibility—Cloud services offer both increased flexibility and scalability for the evolving IT needs of companies, absorbing traffic spikes and reducing the time to implement new services while increasing innovation. Companies can also focus on their core business rather than on solving peak business demands for performance.
  • Better resource pooling/usage—Cloud services allow better use of the existing infrastructure at the service provider, and increase productivity by transforming business processes through means that were prohibitively expensive before the cloud.
  • Business control over IT solutions—One of the major added values of cloud computing is that the business is back in control of its solutions. Business departments can find their own solutions online and decide for themselves whether to go ahead (streamlining processes), without too much intervention by others. Cloud computing allows business departments to decouple their IT needs from their infrastructure. The same freedom is how shadow IT arises, which is why the governance model (see the focus points below) has to keep pace.
  • Centralised data (sort of)—Cloud computing allows data to be stored in a centralised, accessible manner from the viewpoint of the user. Of course, with virtualisation it is usually impossible for the customer to pinpoint the physical disk on which data is stored.
  • Faster implementation—Instead of extensive discussions, analysis and lots of people involved in developing and testing applications and data solutions, business units are able to activate and use practical solutions in days. This has a fundamental impact on the agility of a business and reduces the costs associated with time delays.
  • Logging and monitoring—One of the cornerstones of cloud computing is to automatically control and optimise resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer of the service.
  • Green IT—Another added value of cloud computing is lower energy usage at the company, with the workload running at the cloud computing service provider, who may have several locations and can choose where energy is cheapest at any point in time.
  • Efficiency—Reallocating information management operational activities to cloud computing gives companies the opportunity to focus on innovation and research and development. This allows for growth.
  • Process improvement—The premise of the cloud is that by outsourcing portions of information management and IT operations, enterprise workers will be free to improve processes, increase productivity and innovate, while the cloud provider handles operational activity smarter, faster and cheaper. Assuming this to be the case, significant changes to existing business processes will likely be required to take advantage of the opportunities that cloud services offer.
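The measured-service characteristic is only useful if the company actually reads the metering data it gets back. The following is an added example (not from the original article) of doing exactly that: it aggregates constructed hourly usage records per account and service, and flags an hour in which one account suddenly provisions far more compute than its own recent baseline, which is what an unexpected self-service burst (or a misused credential) looks like in a bill. The record format, the accounts, the service names and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: turning measured-service (metering) records into a usage
report and a self-service provisioning alert. Record layout, account names
and thresholds are assumptions for illustration, not any provider's format."""
from collections import defaultdict
from statistics import median

# Constructed sample of hourly metering records: (hour, account, service, units).
# "units" is instance-hours for compute and GB-hours for storage (assumed).
RECORDS = [
    ("2011-05-02T08", "finance", "compute", 4),
    ("2011-05-02T09", "finance", "compute", 4),
    ("2011-05-02T10", "finance", "compute", 5),
    ("2011-05-02T11", "finance", "compute", 4),
    ("2011-05-02T12", "finance", "compute", 40),   # unexpected self-service burst
    ("2011-05-02T08", "finance", "storage", 100),
    ("2011-05-02T09", "finance", "storage", 100),
    ("2011-05-02T08", "marketing", "compute", 2),
    ("2011-05-02T09", "marketing", "compute", 2),
    ("2011-05-02T10", "marketing", "compute", 2),
    ("2011-05-02T11", "marketing", "compute", 2),
    ("2011-05-02T12", "marketing", "compute", 3),
]


def usage_by_account(records):
    """Total metered units per (account, service): the transparency side of
    measured service, i.e. what the company is actually consuming and paying for."""
    totals = defaultdict(float)
    for _hour, account, service, units in records:
        totals[(account, service)] += units
    return dict(totals)


def provisioning_spikes(records, service="compute", factor=3.0, min_history=3):
    """Flag hours in which an account's usage of `service` exceeds `factor` times
    the median of that account's earlier hours. Requires at least `min_history`
    earlier hours so a single first-hour reading is never a baseline.
    Returns a list of (account, hour, units, baseline) tuples."""
    per_account = defaultdict(list)
    for hour, account, svc, units in sorted(records):      # chronological per account
        if svc == service:
            per_account[account].append((hour, units))

    alerts = []
    for account, series in per_account.items():
        history = []
        for hour, units in series:
            if len(history) >= min_history:
                baseline = median(history)
                if baseline > 0 and units > factor * baseline:
                    alerts.append((account, hour, units, baseline))
            history.append(units)                          # spike still becomes history
    return alerts


if __name__ == "__main__":
    for (account, service), total in sorted(usage_by_account(RECORDS).items()):
        print(f"{account:<10} {service:<8} {total:>8.1f}")
    for account, hour, units, baseline in provisioning_spikes(RECORDS):
        print(f"ALERT {account} at {hour}: {units} units vs baseline {baseline}")
```

The spike detector deliberately compares each account against its own history rather than against a fixed quota, because the whole point of on-demand self-service is that legitimate usage varies per department; a fixed number would either drown the finance team in alerts or miss the burst entirely. In practice the baseline would be built from days rather than a handful of hours, and the alert would be routed to the incident response process discussed in the focus points below.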

Obviously, in order to put things in perspective, I also made a list of focus points when implementing cloud computing:

1. Psychological impact: there is a level of abstraction between the physical infrastructure and the owner of the information being stored and processed, and the owner has no direct or indirect control over the physical environment holding his or her data.

2. IT governance model: expand governance approaches and structures to handle the new IT solutions appropriately and to enhance business processes.

3. Integration with internal IT systems: focus on the connectors between the internal systems and the cloud computing solution(s).

4. Network connectivity and bandwidth: without them, cloud computing solutions are not accessible.

5. Data location: when information can be stored anywhere in the cloud, the physical location of the information can become an issue. Physical location dictates jurisdiction and legal obligations. Country laws governing personally identifiable information (PII) vary greatly; what is allowed in one country can be a violation in another.

6. Shared tenancy: your company shares the underlying infrastructure with other customers, so it is worth knowing who those tenants are and how the provider isolates them from one another.

7. Vendor lock-in: added risk from increased dependency on a third-party provider to supply flexible, available, resilient and efficient IT services.

8. Cloud service provider stability, reliability and viability: a typical focus point when working with any external party.

9. Service portability: this point is usually forgotten but must be thought about, even before the contract is signed. What about the portability of the service to another cloud computing service provider?

10. Legal and regulatory compliance aspects (including licensing and contractual arrangements).

11. Information security management (including IAM): the company should have a clear overview of the different mechanisms the provider uses for information security, and of which identity and access management decisions remain the company’s own.

12. Incident response and crisis management: since cloud computing service providers are only reachable via networks, it is important to find out how incidents and crises are handled, documented and escalated, and how the company is informed.

13. Business continuity management and disaster recovery planning: the company needs enough information about the provider’s BCM and DRP to have guarantees on data and service availability.

14. Data archiving and removal: especially important at the end of any cloud computing contract, when all data (including copies and backups) should be removed from the cloud computing service provider and the removal confirmed.

15. (Right to) audit (pentest, screening, monitoring, etc.): this focus point makes it possible to obtain more transparency on the topics above.

When I had finished this list of focus points and reviewed it, I found that it reminded me of a list I made more than 10 years ago. Indeed, this list of focus points is similar to the one for traditional (IT) outsourcing. So, for cloud computing, the focus points are not new, but they do need to be taken into account.

Cloud computing is a major change in how computing resources will be used, and as such will be a major governance initiative within adopting organizations, requiring involvement of a broad set of stakeholders.

Marc Vael, CISA, CISM, CGEIT, CISSP, is chief audit executive at Smals, a large Belgian IT organization with more than 1,800 people working for the Belgian federal government. He has more than 15 years of experience in evaluating, designing, implementing and monitoring solutions on risk and information security management, incident and business continuity management, data protection/privacy, and IT audit. An ISACA member for more than 15 years, Marc is also vice president of the ISACA Belgium Chapter, chair of ISACA’s Cloud Computing Task Force and Knowledge Board, member of ISACA’s Strategic Advisory Council, and past chair of the ISACA Communities Committee. He has been a visiting lecturer at Antwerp Management School (AMS) since 1997 and a deputy member of the Flemish Privacy Commission since 2010.