Do you fear the auditor more or the attacker?
It is a key question for IT leaders thinking of dabbling in on-demand computing provision through the cloud. For many information security office rs, there is only one answer, particularly for firms operating in highly regulated sectors: A lot of companies fear the auditor more. If you hold data internally, you can show the auditor your controls, but the cloud makes such demonstra tions more difficult.
The resulting complications mean many businesses still shy away from on-demand IT. About 40% of UK companies use cloud computing systems, according to the Information Systems Audit and Control Association. This represents a significant proportion of British organisations, but implementation levels certainly with regards to large-scale enterprise systems are nowhere near matching the cacophonous intensity of supplier hype.
While suppliers often portray the cloud as ground-breaking, most independent commentators agree there is nothing inherently new about on-demand IT. Mainframe computing and hosted technology have been around for many years. Application service provision (ASP), for example, represents an often forgotten stage of hosted computing that might be more usefully viewed as the early stages of software-as-a-service (SaaS).
The on-demand marketing push which started from about 2008, means anything hosted suddenly represents ?the cloud?. So, why is the current phase of hosted services different? Most CIOs appear unsure, especially while suppliers continue to hype services and swerve security concerns.
Exploring the cloud
Many CISO?s have run a trial of cloud-based provisioning service of some description, often using the opportunity to help capture error data relating to the failure of systems. The approach invol ved using the cloud as a virtual datacentre, renting processing power and disc space on-demand to aggregate error logs.
Success here allows the CISO and their team to explore the applicability of cloud for other business areas. But results have been inconclusive, particularly with regards to the persistence and recover-ability of data. The studies often leave the CISO to conclude that the potential wider use of cloud is complicated.
While the on-dema nd provision of computing resources can help drive down costs, it can also increase risk ? especially for a UK business operating in a heavily regulated sector, such as gambling. CISO?s needs to be able to provide a complete audit trail, and providing such visibility to a supplier?s infrastructure is an inherently complicated task.
CISO's need to know where their information is at any point in time, and they need UK data to be kept in a UK cloud. Finding a su pplier to meet that demand is a significant challenge. The cloud supplier must prove that the datacentre is secure and that information will not be moved between locations.
Less regulated industries are more likely to make an e arly move towards the cloud. As good as the technology could be, heavily regulated firms will have concerns until suppliers are able to answer the question, "where is the data being held"?. The market needs to think more carefully abou t regulated businesses.
A supplier might be able to confirm that data will be held in a particular location for the majority of time, for example, but the potential for a change in location, and a lack of visibility to supplier records, will not satisfy the auditor.
The likely growth in cloud computing means a new approach is required. The sudden growth in on-demand computing could lead to suggestions that the techn ology is now moving faster than legislation, and that auditors need to take a more sophisticated approach. But for now, responsibility once again lies with the suppliers.
Many CISO?s expect use of on-demand computing to increas e, especially as the cost of silicon is now so low that power and air-conditioning are by far the biggest costs associated with running a datacentre. Analyst firm Gartner confirms the inevitable emergence of on-demand provision, with clo ud computing leading its recent list of top 10 strategic technologies for 2010.