April 15, 2011, 9:50 AM — In a troubled economy, cloud computing seems like a great cost-saving alternative, and it is. Whether in good times or bad, any pragmatic cost-saving measure is a 'good' measure.
Google, Microsoft, IBM and all other known and unknown cloud providers offer today's CIO an array of major cost-saving alternatives to the traditional data center and IT department. The temptation to put things on/in the cloud and sit back can be extremely compelling. But like everything that appears too good to be true, cloud computing comes with a set of risks that CIOs and CTOs would do well to recognize before taking the plunge.
Before we get into the specifics of how best to manage risk when planning to move assets to the cloud, let's look at a few numbers to help us understand what the Joneses are doing. Is cloud computing already mainstream?
ISACA's 2010 survey on cloud computing adoption presents some interesting findings. Forty-five percent of IT professionals think the risks far outweigh the benefits, and only 10% of those surveyed said they'd consider moving mission-critical applications to the cloud. In a nutshell, ISACA's statistics and other industry-published numbers around cloud adoption indicate that cloud computing is a mainstream choice but definitely not the primary choice.
While some organizations have successfully moved part or all of their information assets into some form of cloud computing infrastructure, the large majority still haven't done much with this choice. So we ask, is it premature for organizations to have a cloud computing strategy? Au contraire! The CIO who has not yet begun to think of a cloud strategy may soon be left behind. In most organizations, there are definitely some areas that could be safely and profitably moved to the cloud. The extent to which an organization should move its information assets to the cloud, and take advantage of the tremendous benefits of doing so, is determined by applying a risk assessment framework to all candidate information assets. For this, it's essential to understand the risks and then have a mitigation strategy for each.
Who accesses your sensitive data: The physical, logical and personnel controls that were put in place when the data was in-house in your data center are no longer valid when you move your organization's information to the cloud. The cloud provider maintains its own hiring practices, rotation of individuals, and access control procedures. It's important to ask about and understand the data management and hiring practices of the cloud provider you choose. Large providers like IBM will walk their clients through the process, how sensitive data moves around the cloud and who gets to see what.