A white paper from ISACA and an expert blog posting are valuable resources for CAEs and their staff members who have not yet assessed the potential promises and privacy and security pitfalls of this new technology trend.
A recent blog posted by Rebecca Herold recounts a Thanksgiving 2009 dinner conversation among family members. Herold, a well-known information privacy, security, and compliance consultant, mentioned casually over her turkey and mashed potatoes that she was working on an article on the privacy and security implications of cloud computing. After an awkward period of silence and shared glances, one relative asked, “Are cumulus more dangerous than cirrus to computers?”
Many excellent primers on this fast-growing, high-potential trend in enterprise computing were published in 2009. Among them is “Security Among the Clouds” (PDF), a 20-page white paper from the public accounting and business services firm PricewaterhouseCoopers LLP. Sadly — and alarmingly — many business executives still are no more knowledgeable about the potential benefits and risks of cloud computing than Herold’s family members. CAEs and their staff members who are among the uninitiated will benefit from reading two new documents on this topic.
The first is a 10-page white paper, “Cloud Computing: Business Benefits With Security, Governance, and Assurance Perspectives” (PDF), from ISACA. Even though ISACA is a global association of IT professionals, including IT auditors, this document is targeted at nontechnical readers and begins with the generally accepted definition of cloud computing from the U.S. National Institute of Standards and Technology: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications, and technology services that can be rapidly provisioned and released with minimal management effort or service-provider interaction.
The document compares IT services offered in the cloud to those provided by a utility. Just as organizations pay for the electricity, gas, and water they use, the white paper notes, they now have the option of paying for IT services on a consumption basis — without large investments in IT infrastructure.
This document continues by detailing without prejudice both the cost-saving promises of cloud computing and the potential security and privacy risks and other potential pitfalls. It provides details such as cloud computing service and deployment models and essential characteristics, but always in easily understandable language.
As one would expect of an organization comprising IT management and auditing professionals, a great deal of the white paper is devoted to the governance and change-management issues raised by cloud computing, strategies for addressing the cloud’s inherent risks, and the challenges its adoption poses for internal auditors and other assurance providers. Among those challenges detailed in the document are transparency, privacy, compliance, trans-border information flow, and certification.
The white paper closes with a prescient observation that will ring true among CAEs: “While cloud computing is certainly poised to deliver many benefits, information security and assurance professionals should conduct business impact analyses and risk assessments to inform business leaders of potential risks to the enterprise. Risk management activities must be managed throughout the information life cycle, and risks should be reassessed regularly or in the event of a change.”
Herold’s own extensive posting on the technology-focused blogging site Information Security Resources is another new information offering on cloud computing. “On Privacy and Cloud Computing Challenges” addresses the benefits and risks of individual-focused cloud computing services such as Google Documents — more commonly known as Google Docs — and Adobe Photoshop Express. These risks were highlighted recently when Google revealed that hackers had penetrated its cloud-based e-mail service, Gmail, in search of users who are critical of China’s human rights and information filtering practices.
However, the blog posting also extensively discusses business-specific benefits and risks of cloud computing, including the still cloudy legal, regulatory, and privacy issues raised by this technology. The most interesting and valuable sections of the posting for CAEs concern the issues to address and the questions to ask when evaluating a cloud computing service provider, two free online vendor security assessment tools, and a listing of cloud-related issues to address within the organization’s policies and procedures.
The blog concludes with the stark reminder, “Committing to a cloud computing service without first considering the legal and compliance risks, and without knowing the security controls that exist, could result in very significant negative business impact from noncompliance and/or security incidents, well beyond the savings that using the cloud service brings to the business.”