Organisations moving to the cloud need to establish a risk profile to determine which IT infrastructure and applications they can trust to be managed on their behalf by a third-party cloud provider.
This was the general consensus among attendees at two CIO Australia roundtable luncheons in Sydney and Melbourne titled ‘Cloud computing – are you in control?’, sponsored by CSC.
Attendees at both roundtables agreed that some CIOs have not embraced the popular cloud computing model because it lacks the level of control that they expect from an enterprise environment. This is potentially made worse with the increasing popularity of public cloud services within businesses.
However, it is possible to have the benefits that cloud computing provides – such as scalability, flexibility and improved application performance – without necessarily losing total control.
Joe Demian, head of IT at investment management organisation Future Fund, said performing due diligence on cloud providers and integrating the management of those providers into existing security processes can provide some assurance to the business that a key hosted application and its hosted information are secure.
“We tailor the level of due diligence on cloud providers based on the nature of the information that they host on our behalf and the business criticality of the applications that we intend to leverage,” he said at the Melbourne roundtable.
“This due diligence considers the guidelines and requirements that we are expected to comply with as a federal government agency,” he said.
“We are comfortable with the fact that we internally manage and physically host the data that is of high and strategic importance to our business, including the internal assurance of its quality. This allows us to push and pull data between our platform and any number of hosted cloud-based solutions,” he said.
Interior construction firm Schiavello Group established a risk profile when the company started buying network-as-a-service (NaaS) and software-as-a-service (SaaS) offerings, said the company’s Group CIO Krist Davood.
“We established our risk profile – under international standards ISO27000 and SP 800-30 – with descriptive elements that IT and the business would understand,” he said.
“That gave us an appreciation of what our risk appetite was and that was higher than we originally anticipated so this understanding of our risk profile is critical.”
Is it ok to lose some control?
Whether or not an organisation is prepared to relinquish control often depends on which services and information are being entrusted to a cloud service provider.
“It certainly depends on the information,” said Berys Amor, director of technology at law firm, Corrs Chambers Westgarth. “As a law firm, we have a lot of regulation and compliance and our client’s data is treated differently than say, a retailer’s data.”
Simarjit Chhabra, CIO at Xtralis, a global provider of life safety and security solutions, agreed that the risk profile of putting information in the public cloud differs not only between industries but from firm to firm.
“Most of us have good intentions for keeping our organisational data secure within the ‘known’ boundaries, which we guard and protect. However, some of us continue to hold our organisations at ‘gunpoint’, using security in the cloud as a threat without realising the real value of the data to the firm,” he said.
“You need to determine the value to your firm of the information that you are putting out there in the cloud.
“In the past, we were quite secretive about emails. Today we are much more comfortable putting information out on Google Apps.”
But what happens when systems and applications fail? Peter O’Donoghue, CIO at South East Water, said: “When things go wrong, that’s how you find out how much control you have.”
“It becomes a very interesting question when you are trying to troubleshoot issues around ‘who is actually accountable for fixing the problem?’” he said. “This does create a number of risks to your organisation.”