We have underestimated the risk involved in any wholesale migration of business computing to the cloud, says Alan Calder.
The cloud is increasingly dominating the IT horizon. The problem is some people seem to think that it is all silver lining — and no rain.
Software as a service (SaaS) and the increasing use of the 'free' web IT infrastructure are being treated as the way to cut investment in hardware, software and IT staff. And of course we have all become very familiar with the argument that SaaS is a much more cost-effective alternative to licensed software.
Many of the reasons for opting for computing in the cloud are sound. But security and privacy concerns are just as pertinent here as in all other areas of IT. In fact, whether you subscribe to SaaS or implement web services on your in-house servers, cloud computing does not make these issues go away.
Hostile electronic environment
Indeed, they may end up becoming even more critical. Data stored on your SaaS partner's servers is exposed to the same hostile electronic environment and data compliance requirements as your own.
Even at one remove, you are still responsible for personal information under the Data Protection Act, credit card data under Payment Card Industry compliance, and corporate information.
In practical terms, a cloud computing project is no different to a conventional software installation and requires significant project management and time to make sure it is controlled effectively.
That is not to downplay the positives. When you subscribe to a SaaS service, the investment associated with implementing and supporting conventional systems is unquestionably avoided. The capital and operating expenditure savings can be significant.
In addition, when you subscribe to a web-hosted application, you free your team from supporting high-cost, time-consuming in-house IT functions. But the economies of scale that SaaS brings through multi-tenancy also increase security concerns.
Like any other branch of business IT, cloud-based services are shadowed by the drive to compliance, good data hygiene and best practice in information management. The same range of essential topics has to be addressed, from ISO27001 compliance, rigorous development lifecycles, threat profiling and security testing, all the way to secure coding guidelines.
A simple checklist of your cloud supplier's credentials is...