The Case Against Cloud Computing, Part Two
- 02 March, 2009 09:36
A second factor that too broadly characterizes cloud computing as too risky is an over-optimistic view of current risk management practices. In discussing this with John, he shared some examples where companies do not manage compliance properly (or, really, at all) in their internal IT systems. The old saw about people, glass houses, and stones seems applicable here. In a way, this attitude reflects a common human condition: underestimating the risks associated with current conditions while overestimating the risks of something new. However, criticizing cloud computing as incapable of supporting risk management while overlooking current risk management shortcomings doesn't really help, and can make the person criticizing look reactive rather than reflective.
Associated with this second factor, but distinct from it, a third factor is the easy but damaging approach of treating all risks like the very worst scenario. In other words, identifying some data requirement as clearly demanding onsite storage with heavy controls and reaching a general conclusion that cloud computing is too risky for every system. Pointing out that some situations or data management requirements cannot be met by cloud computing poses the danger that leveraging the cloud will be rejected for all systems or scenarios. You may disbelieve that this kind of overly broad assessment goes on, but I have heard people drop phrases like "what about HIPAA" into a conversation and then turn contentedly to other topics, confident that the issue has been disposed of.
Some of this reflexive risk assertion is understandable, though. The lack of enthusiasm on the part of many IT organizations to embrace external clouds due to the putative risk might be attributed to the risk asymmetry they face. That is to say, they can get into a lot of trouble if something goes wrong with data, but there isn't that much upside for implementing a risk assessment process and reducing costs by leveraging outside cloud resources. One might say IT organizations are paid to be the worrywarts regarding data security, which isn't really that much fun, but it does affect their perspective on risk and could motivate them to be very conservative on this subject.
However, given the very real pressures to examine cloud computing for reasons of IT agility and overall cost examination, resisting it by a bland contention that "cloud computing is too risky; after all, what about X?" where X is some law or regulation the organization operates under is probably not a good strategy.
So what should you do to address the issue of risk management in cloud computing?
One, understand what your risk and compliance requirements really are and how you address those things today in internal systems. Nothing looks worse than asserting that cloud computing isn't appropriate because of risk, being asked "how do we handle that today?", and not having a solid answer.
Second, (assuming you haven't done so already) establish a risk assessment mechanism to define levels of risk and make it part of the system development lifecycle. Without this, it's impossible to evaluate whether a given system is a good candidate for operating in the cloud.
Third, assess your potential cloud hosting operators for their risk management practices. With this in hand, projects can have their risk assessments mapped against the cloud provider and a decision can be reached about whether cloud hosting is appropriate for this system.
The cloud hosting risk assessment should be treated as a dynamic target, not a static situation. The entire field is developing quite rapidly, and today's evaluation will probably not be accurate six months hence.
Pressure is going to be applied to IT organizations over the next twelve months regarding costs and, particularly, whether cloud computing is being considered as a deployment option. With a risk management framework in place, appropriate decisions can be made, and justified.
Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.