Cloud computing provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of information technology (IT) service delivery models beyond managed and hosted services to a form that is packaged and commoditised.
However, many organisations are sleepwalking into the cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource the organisation’s responsibilities. There are issues that may be forgotten or ignored when adopting cloud computing strategies. In a recent survey by global non-profit IT association ISACA, 30 percent of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise’s security in the next 12 months.
Most people are aware of the concept of the seven deadly sins of wrath, greed, sloth, pride, lust, envy and gluttony. Of these vices one above all can lead to problems with cloud computing—sloth. Clearly, a good understanding of cloud is critical, as is effective governance over the cloud.
Sloth affects cloud computing activities because it can lead to inattention to details such as:
- Not knowing you are using the cloud This sounds irrational, but it happens more frequently than would be expected. It is easy to buy a cloud service using a credit card and when a cloud service is bought this way, it is likely that the company's needs and the terms and conditions set by the provider are at odds. You should ensure that there is a proper process for obtaining a cloud service and that it is followed.
- Not assuring legal and regulatory compliance Many organisations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that if you move these systems into the cloud that you will not lose this compliance.
- Not knowing which data is in the cloud One of the key legal requirements for many organisations is compliance with data privacy laws. These mandate where personally-identifiable data can be held and how it must be processed. If you don’t know what data you are moving to the cloud you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data such as spread sheets, presentations and documents. It is essential that you identify and classify data you are moving to the cloud to manage risks and ensure compliance.
- Not managing identity and access to the cloud Controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application are moved to the cloud. The best way to achieve this is through the use of identity federation based on standards such as Security Assertion Markup Language (SAML) and Active Directory Federation Services (ADFS).