What's stopping CFOs putting their money on cloud computing?

The challenges facing finance chiefs - and how to overcome them

Heavy investment in in-house financial systems, combined with fears about reliability and data security, have put many CFOs off cloud computing. However, moves are now afoot to address some of those concerns. Cath Everett reports.

The appeal of cloud computing to finance directors has grown recently, in direct correlation with budget squeezes and a desire to cut costs in difficult economic circumstances.

But most CFOs, unless they work in start-ups or small companies, have so far been wary of putting sensitive financial data into the cloud, even though some are already using such services to analyse small anonymised statistical datasets.

Many CFOs have also already invested heavily in SAP or Oracle and are unlikely to evaluate new options until these large on-premise systems have reached the end of their useful life. Even more CFOs have been put off by concerns about information security and assurance.

But these concerns are now being addressed. An independent group called Common Assurance Metric is putting together a cloud vendor audit and certification programme to help organisations manage the risk of going down this route. The scheme is expected to launch by the end of this year.

So what are the challenges facing CFOs contemplating using the cloud for financial systems?

1. The problem of definitions
One of the first obstacles that CFOs will encounter when evaluating whether or not to use cloud services is that the term can mean different things to different people.

Yet the issue is not simply one of semantics, but rather one of information governance, because organisations need to know where important data is being held - not least for compliance and auditing purposes.

The two most confusing terms that are often used interchangeably are:

• Cloud computing

Cloud computing is a form of outsourcing, by which vendors supply mainly computing services to lots of customers over the internet. Services can range from applications such as billing, which is classed as software as a service, to IT infrastructure - such as storage - or infrastructure as a service, and application development environments, or platform as a service.

The services are provided via massively scalable datacentres running thousands of virtualised processors. This approach means that workloads are not processed on a single machine but are distributed across multiple servers, which can be located anywhere in the world.

Moreover, because applications are multi-tenant in nature, which means a single version of the package runs on a server and is accessed by multiple customers or tenants, system resources can be shared among a large pool of users, which cuts costs.

Managed or hosted services

This second approach is also a form of outsourcing, but in this case suppliers host either vanilla or customised applications on a single dedicated machine based in a datacentre in a location of the customer's choice. Such applications are not shared with other clients, but services can still be accessed over the internet.

Some traditional cloud vendors such as IBM and Amazon are now beginning to broaden out their range of services by providing customers with local datacentres and even dedicated servers on which to run their applications, but Derek Kay, director of cloud services at Deloitte, said that such options do inevitably cost more.

"We're seeing more richness in provision and more differentiation on pricing but if you want the cheapest possible service, the idea is that you give away the most control. The more control you want to retain, the more expensive it is," he said.

Recommendation
Ask providers to clarify how they intend to deliver your service so that you understand the risks involved and know exactly what you are getting for your money.

2. Information assurance concerns
Because it is the CFO's job to sign off on projects, he or she bears ultimate responsibility if things go wrong and sensitive financial data is lost, stolen or replicated. As a result, finance chiefs need to think...

...through the information assurance issues involved in moving to a cloud delivery model.

One of the key challenges here is whether providers can deliver in line with corporate security policies as well as prove they can do so for auditing purposes. Issues such as suppliers allowing one's own staff to wipe data from disks once a contract is ended are worth thinking about in this context, as is their ability to comply with data protection laws and Freedom of Information requests.

On the other hand, many large cloud vendors these days comply with the American Institute of Certified Public Accountant's Statement on Auditing Standards (SAS) 70 Type 2 standard, which certifies the controls that providers put in place in areas such as IT and financial reporting. While such accreditation may be considered sufficient for less sensitive data, it may not be adequate for other more delicate areas where CFOs may prefer to send in their own auditors - if allowed.

Service level agreements (SLAs) are another consideration. Because the cloud model is based on high levels of repeatability, unless CFOs work for huge enterprises, they are unlikely to be able to negotiate terms and conditions, although they may be provided with gold, silver and bronze options.

Consequently, they should take a long, hard look at what levels of availability and reliability are required and whether they are in a position to compromise. With smaller cloud providers, it may also be worth seeking assurances that they have the ability to increase system capacity as they take on new customers.

As Deloitte's Kay noted: "The danger is that people just stumble into bad practice, as anything that makes it easier to buy and implement things carries a fundamental risk. You can't afford not to do things right just because they're quicker or you'll just end up in the 'faster disaster' syndrome."

Recommendation
Undertake due diligence and ensure that cloud providers can replicate the appropriate security policies and procedures. Agree realistic SLAs and make certain that services are scalable enough to meet present and future requirements. Finally, ensure that everything is clearly written down in the contract.

3. Integration issues
Moving data from one application to another, whether it is located in the cloud or in an on-premise system, is a big and expensive undertaking. It involves...

...migrating historical information, rejigging data structures, ensuring databases are stable and developing interfaces between relevant systems to ensure that information does not end up being held in counter-productive silos.

Another thing to think about here is the potential need to rework business processes and introduce new workflows. Staff will also need to be retrained to use the new service and to operate in new ways.

Recommendation
Evaluate how much time, effort and money will be required to migrate data and rework business processes.

Potential solution: Common Assurance Metric
The aim of the Common Assurance Metric (CAM) group is to evaluate, test and certify cloud providers and rank them in relation to risk and their ability to meet customer requirements and industry standards.

The group first met in Barcelona in early April and comprises the European Network and Information Security Agency (Enisa), global information governance body the Information Systems Audit and Control Association (Isaca) and the Cloud Security Alliance.

John Walker, a panel member of Isaca, is involved in the initiative. He said cloud vendors have various levels of services and the market is quite immature "so CAM is intended to provide customers with some level of assurance about what they are getting for their money along the lines of what PCI-DSS [the Payment Card Industry Data Security Standard] does for card services."

The idea is that CFOs will be able to go to a website and view a tiered matrix of vendor profiles, rated on factors such as security profile, how datacentres are run and operated, what services providers support, how they adhere to standards and how environmentally friendly their business practices are.

Each vendor will be accredited by CAM and issued with a check mark similar to that provided to organisations which comply with ISO standards.

"It's about being able to use trusted services rather than take a risk and it should give CFOs the mechanics to help make decisions based on fact, not on what they're told by the vendors," said Walker.