Every cloud has a risky lining

It would be unwise to ignore the risks of moving to the cloud, so Alan Calder provides a security checklist

We have underestimated the risk involved in any wholesale migration of business computing to the cloud, says Alan Calder.

The cloud is increasingly dominating the IT horizon. The problem is some people seem to think that it is all silver lining — and no rain.

Software as a service (SaaS) and the increasing use of the 'free' web IT infrastructure are being treated as the way to cut investment in hardware, software and IT staff. And of course we have all become very familiar with the argument that SaaS is a much more cost-effective alternative to licensed software.

Many of the reasons for opting for computing in the cloud are sound. But security and privacy concerns are just as pertinent here as in all other areas of IT. In fact, whether you subscribe to SaaS or implement web services on your in-house servers, cloud computing does not make these issues go away.

Hostile electronic environment
Indeed, they may end up becoming even more critical. Data stored on your SaaS partner's servers is exposed to the same hostile electronic environment and data compliance requirements as your own.

Even at one remove, you are still responsible for personal information under the Data Protection Act, credit card data under Payment Card Industry compliance, and corporate information.

In practical terms, a cloud computing project is no different to a conventional software installation and requires significant project management and time to make sure it is controlled effectively.

That is not to downplay the positives. When you subscribe to a SaaS service, the investment associated with implementing and supporting conventional systems is unquestionably avoided. The capital and operating expenditure savings can be significant.

In addition, when you subscribe to a web-hosted application, you free your team from supporting high-cost, time-consuming in-house IT functions. But the economies of scale that SaaS brings through multi-tenancy also increase security concerns.

Like any other branch of business IT, cloud-based services are shadowed by the drive to compliance, good data hygiene and best practice in information management. The same range of essential topics has to be addressed, from ISO27001 compliance, rigorous development lifecycles, threat profiling and security testing, all the way to secure coding guidelines.

A simple checklist of your cloud supplier's credentials is the basic starting point. When considering a SaaS subscription, look for organisations that are ISO27001 certified. Ask to see the supplier's Statement of Applicability to check the right controls are in place to meet your particular industry or organisational compliance needs.

Also check:

  1. What are the security arrangements at the vendor facility?
  2. What type of infrastructure is used to host client data?
  3. What virus protection is there and how regularly are vulnerability scans and penetration tests run?
  4. How often are the systems backed up and are system recovery processes in place?
  5. What level of data encryption is used to protect website transactions? How is compliance with relevant data privacy regulations ensured?
  6. Does the provider have a data back-up management process in place?
  7. Where and how are back-ups stored? And how are back-ups encrypted and secured?

You will also want to know what sort of continuity arrangements are in place — look for BS25999 certification. Check that there is a service-level agreement that guarantees a specific amount of uptime. Also, find out what happens in the case of equipment breakdown and power failure. In addition, is the facility scalable? And is it monitored continuously?

Finally, there are big challenges involved in getting any sort of IT service right, let alone a new one like SaaS. However flexible SaaS is, you still have a significant time investment to get your application set up and configured so that it meets your business needs. Never underestimate the time required: a move to the cloud will need a project team, with a clear timeline, and lots of end user participation.

Then there is the impact on users: remember you may have to change internal processes to accommodate the limitations of whatever you are deploying.

All in all, approached with some forethought, the specific cloud and general IT good-practice issues can be resolved. The subscription-based computing model offers benefits that cannot easily be ignored, but do not ignore the associated risks either.

Alan Calder is chief executive of security and compliance organisation IT Governance. IT Governance is the publisher of Application security in the ISO27001 environment.