
Cloud computing is the buzzword on every IT leader's lips, but despite its benefits the cloud throws up its own security concerns, says Floris van den Dool.
While the economy shows some signs of strengthening, executives are still under pressure to cut costs while continuing to deliver business-critical functions and solutions. One of the key trends that Accenture sees is increased interest in cloud computing as an opportunity to reduce both capital and operating expenditures.
Although there is growing recognition of cloud computing's benefits, progress is snagged on concerns about IT security. The threats include the very real dangers of data theft and compromise, loss of service and phishing incursions.
Four major security concerns worry businesses, and channel partners must address them in order to capitalise on opportunities around cloud computing. First, they struggle to trust new and unfamiliar cloud providers as part of their extended enterprises. Will providers treat customer data with the same care? Where exactly is the data being stored? Second, they question whether cloud providers have enough infrastructure security to ward off cyber attacks. Third, do cloud providers have the mechanisms to manage, measure and report on industry regulations? And can they be accountable if they fail to comply? Lastly, who will be held responsible for service level guarantees and business continuity?
There are several actions that make sense for channel partners to follow right now to address the above issues. Accenture's empirical IT security work over many years with a wide range of organisations shows that the following fundamentals apply to cloud computing initiatives:
Carry out a detailed cloud risk assessment
Business and IT leaders must weigh the criticality of applications and data and decide what is "cloud appropriate". They must gauge what risks they are willing to take – for example, whether to move new product data or customer data to the cloud – in the context of the benefits and of the laws and regulations that apply to where the data physically resides.
Get to know key cloud providers
As with any outsourcing arrangement, carry out detailed due diligence on providers' performance, including their financial performance. Confirm that they meet key standards: for example, regulations, standards, guidelines and codes of practice such as ISO 27001.
Analyse the data flow
This calls for charting the lifecycle of the relevant data assets, from development to their destruction. IT managers must know where data is at all times so they can help confirm that it is being stored and shared in compliance with local laws and industry.
Manage compliance
The regulatory complexities are enormous when doing business in multiple nations: some governments regulate the physical locations of the servers where organisations keep their data. Leaders cannot expect their cloud providers to "be compliant" for them. But they must expect them to provide what is needed to help achieve compliance.
Help strengthen continuity
What happens if something "breaks" while in the cloud? How is the data owner notified, and how quickly? How is the data recovered? These are the basics of best practices in business continuity, and they apply just as much to cloud computing as to any IT outsourcing arrangement.
Educate, communicate
Train employees on security policies and procedures and be very clear about how those policies and procedures relate to the cloud. For example, employees must adhere to corporate IT security policies when exploring cloud services for work-related activities, such as testing a new IT service or storing data.
At this point, what is needed in the channel and beyond is a rebuilding of trust as well as a renewed sense of perspective – a realisation that as with any other technology development, cloud computing initiatives come with their own unique set of risks and rewards. But the cloud must not be treated as an unknown to be wary of. Implemented and managed properly, it should not add risk. Ideally, it should do the opposite. The fundamental question is one of balance – weighing, as accurately and in as much detail as possible, the risks of a data security breach against the power of the cloud to directly address many of today's most pressing business issues.
Floris van den Dool is the Executive Director responsible for Accenture's Technology Consulting-Security business in Europe, Africa and Latin America (EALA). He has 20 years of IT and IT security experience and assists many Accenture clients with the implementation of security from a business, technology and process point of view.