Does cloud computing equal sky high risks?

Cloud computing isn't new, but cloud software-as-a-service is new. What risks might businesses face if they turn to this service?

Cloud computing is gaining ground among big businesses.

In a research note, The Cloud Wars: $100bn at stake, Merrill Lynch said that by 2011 the potential market for cloud computing could amount to $160bn, of which $95bn will comprise business and productivity applications.

The term cloud computing refers to the growing trend for organisations to buy scaleable IT resources from an external provider as a service over the internet.

Users do not need to have knowledge of or control over the technology infrastructure in the ‘cloud’ that supports them.

Mark Webber, partner with the law firm Osborne Clarke, says that forms of cloud computing, such as bureau services, have been around for years.

But cloud computing in relation to software, storage and processing as a service offering is a more recent trend and something that more businesses are considering, Webber says.

“Businesses are starting to deploy their services through the cloud on a wider scale due to a number of key benefits it brings, such as harnessing super-computer levels of power and making use of resources around the world from wherever they are more readily available and on a more cost efficient basis.”

Ready to use

The main advantage attributed to cloud computing is that the IT service is ready to use. In other words, the business doesn’t have to adapt to use the technology.

Also the cloud service ‘consumed’ can be scaled up or down according to need, all the time benefiting from the economies of scale produced by a shared service.

Lastly, different pricing models can be used by the cloud provider, including ‘pay as you go’ or fixed plans to suit the consumer.

So buyers of so-called cloud services have made up their minds about the cost benefits of effectively outsourcing their IT resources and paying according to usage—but are the potential risks associated with this emerging business fully understood?

Understanding risks

Dawn Simmons, TMT practice leader at Jardine Lloyd Thompson, agrees that cloud computing is in vogue for good reason.

“It’s an all encompassing term used to define a lot of different services. The benefits of cloud computing are increased capacity and capabilities without huge investment in IT infrastructure, software development and licensing,” she says. 

But there are potential disadvantages in ‘moving into the cloud’, she warns:

“It's still in fledgling stages with providers offering a slew of different services, so a lot of the disadvantages are yet to be learned.

“Some of the most prevalent issues with cloud computing services are security of data, regulatory issues, data recovery (down-time) and data storage.”

Control and security

Legal expert Mark Webber says the chief concerns around cloud computing can be summarised under two headings: control and security.

“Compliance with data privacy laws across jurisdictions, the potential for confidential information to be disclosed without any management, protection of IP rights—these are some of the issues that need to be considered before embracing cloud computing,” he explains.

The data security risks in the cloud come from handing over control to the service provider. Webber says it is important to ensure that the provider is taking steps to maintain the security of that data.

“The levels of protection afforded to data in one jurisdiction may not be the same in another, and placing the right (legally compliant) obligations on the service provider in the documents is key, particularly given the likelihood that (personal) data will be transferred internationally,” he says.

Insurance coverage

Webber advises potential cloud users to consider insurance coverage beyond the assurance provided by a proper contractual relationship.

JLT’s Dawn Simmons confirms that insurance cover that addresses cloud exposures is available through cyber risk policies.

However, Simmons says that cloud computing is likely to impact the cyber risk sector in terms of frequency and severity as it becomes more popular.

As a result insurers will scrutinise the insured’s contracts carefully to see how risks are mitigated and transferred.

Rik Ferguson, solutions architect at internet security specialists Trend Micro, believes that the increasing centralisation of valuable data (many customers to one cloud provider) presents a tempting target for hacking activities, both physical and computer-based.

Physical security becomes increasingly important in a data warehouse environment, he says: “Imagine how much data could be downloaded onto a multi gigabyte USB drive.”

“Alternatively, if data stealing malware is deployed at critical points in high use network infrastructure it can generate large amounts of data for criminals to use and/or sell for prolonged periods of time,” Ferguson adds.

Investigate security

Ferguson says it is important for any cloud customer to thoroughly investigate and obtain assurances related to security, both electronic and physical, at the cloud provider.

“In many ways, cloud services can be likened to banking—you take many of your most important assets (your information assets) and regularly entrust them to a courier (your ISP) to transfer them to your bank (your cloud service) and in much the same way you need to ensure security and trustworthiness at each link in the chain of custody,” Ferguson says.

Gartner, the IT research and advisory company, suggests seven specific security issues that customers should raise with vendors before selecting a cloud vendor:

1. Privileged user access. Get as much information as you can about the people who manage your data. Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider.

3. Data location. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Find out what is done to segregate data at rest. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.

5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. Ask your provider if it has the ability to do a complete restoration, and how long it will take.

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing. If you can’t get a contractual commitment to support specific forms of investigation then your only safe assumption is that investigation and discovery requests will be impossible.

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired by a larger company. But you must be sure your data will remain available after such an event.
