Cloud adoption is on the rise
Over the last few years, cloud computing has emerged as one of the most defining secular trends and its effects are beginning to be felt across various industries. Organizations are using cloud technology to increase operational efficiency, improve collaboration and gain a competitive edge by delivering differentiated services. The shift to cloud helps organizations achieve business agility, enabling them to be more responsive in a rapidly changing market.
Owing to these benefits, cloud adoption is increasing at a fast pace. The cloud market is expected to grow to US$121 billion by 2015, growing at a CAGR of 26% from US$37 billion in 2010. As organizations of all sizes adopt cloud technology, cloud adoption has almost doubled between 2011 and 2015.
Speedy ride is interrupted by roadblocks
Despite the rapid escalation of cloud services use, many executives remain hesitant to endorse a “cloud-first” approach as the technology is still immature and has many associated risks. Some fear that communicating information over a public network will increase their technology surface area and make them more vulnerable to cyber-attacks. Others worry that cloud service providers (CSPs) offering the same infrastructure to multiple clients in multiple locations will be unable to maintain segregated confidentiality. Such risks are broadly associated with:
Cloud architecture: Architecture risks arise if the provider does not achieve performance requirements related to availability and reliability that organizations and the provider agree to in the service level agreements at the outset of the contract.
Cloud regulations: Organizations are expected to carefully comply with regulatory obligations when storing data in the cloud. Thus, organizations and CSPs need to thoroughly understand the legal and regulatory requirements in each jurisdiction in which the organization and the provider operate.
Information security and privacy: Many organizations are concerned about relinquishing control of their business information to CSPs. They are exposed to information security risks, including unauthorized access to networks and data. Similarly, in terms of privacy, the confidentiality of private information is paramount for organizations.
Cloud governance: When embarking on the cloud journey, organizations want to make sure they have a clearly defined cloud strategy that is aligned to the broader business strategy, is compatible with existing architecture, adheres to laws and regulations and provides the desired return on investment. Without a sound governance strategy that applies to both the organization and the CSP, organizations risk ineffectiveness, loss of control and potential harm to their reputation from negative legal or regulatory action.
Business continuity: Cloud users are dependent on the CSP’s business continuity program and disaster recovery capabilities. It is, therefore, important to understand the geographical coverage of a cloud provider and how this may affect cloud service consumers (CSCs).
A robust ecosystem will foster adoption
To continue to increase the adoption of cloud, it is important to mitigate the above-mentioned risks and make the cloud environment more secure, trusted and audit-ready.
Secure: A secure cloud ecosystem has the appropriate controls to protect the confidentiality, availability and integrity of the systems and data that reside in the cloud. Appropriate procedural and technical protections are in place to protect data at rest, in transit and in use.
Trusted: A trusted cloud ecosystem is designed to stand the test of time. It should provide high availability and resilience to adverse events.
Audit-ready: An audit-ready cloud ecosystem has continuous compliance and is certified to meet specific industry regulations. Appropriate procedural and technical protections are in place with proper documentation that can be verified for compliance purposes.
Call for a trusted cloud ecosystem
Building trust in the cloud requires the customer to look beyond its own cloud environment and establish controls for the entire connected ecosystem. Six key dimensions need to be addressed to build a trusted cloud ecosystem. These dimensions form a model that helps organizations understand the characteristics of a trusted cloud ecosystem and provides guidelines to deliver on them.
Organizations should have a clear vision and strategy for migrating to the cloud. It is imperative to conduct a comprehensive analysis of mission, objectives, current and future state, and cloud requirements, and to have a full understanding of the risks of migrating to the cloud.
A move to the cloud also requires changes to the IT organizational structure since it calls for updated roles and responsibilities of resources. There needs to be a shift away from “operators” of the technology environment to “governors” of the ecosystem.
Further, an effective change management plan will allow the transition to cloud to be achieved in an orderly, controlled and systematic manner with the primary goal being overcoming any resistance to change.
In terms of financials, the metrics for measuring Return on Investment (ROI) for the cloud model are vastly different from existing methods. These metrics should be defined, implemented, and tracked to determine that ROI from cloud is as expected.
Cloud computing can bring transformational changes to an organization’s IT portfolio, based on the services an organization may be looking to move to the cloud. The underlying technical configuration of the controls that exist in the cloud can make the difference between a trusted ecosystem and an inevitable breach.
When moving to the cloud, infrastructure requirements may be as simple as improved network bandwidth and uninterrupted internet access or as complex as implementing the entire cloud computing environment. Based on infrastructure complexity, a phased approach to incorporate the new computing environment may be helpful in ensuring success.
Moving applications to the cloud requires adaptation to new development platforms and techniques as well as more robust application development standards.
As organizations move towards supporting applications via portable devices by leveraging the cloud, security controls between these devices and cloud-based services are of prime importance. However, managing a wide variety of employee-owned devices can pose challenges from a security perspective.
Further, as new threats and vulnerabilities emerge, companies need to define processes for anti-virus, patch and vulnerability management.
The use of cloud services often results in the organization’s information assets being physically stored in different geographic locations, including various countries. As legal and regulatory obligations vary from country to country, organizations and CSPs need to work together to ensure data privacy and to build a complete understanding of information location and the protections applied to information assets.
Further, access to data needs to be monitored through proper identity and access management (IAM) controls to ensure that the right people gain access to data and services.
Moving from an on-premise solution to a cloud solution has a significant impact on IT operations. As the CSC gives control of IT operations to the CSP, CSCs should verify a CSP’s ability to align its IT operations processes to well-known industry standards. The CSP should also have a program in place to monitor compliance with the governance commitments.
In addition to verifying the operational controls, organizations and CSPs should negotiate a quality control process, including testing and acceptance criteria for each service, to ensure the CSC’s business needs and service-level agreements are met. CSPs also need to establish robust business continuity and disaster recovery processes to ensure risk mitigation.
- Audit and compliance:
To ensure audit and compliance procedures, there should be a coordinated combination of consistent and defined internal policy compliance, regulatory compliance and independent auditing. These procedures should initially identify the location of the cloud deployment, the cloud service model used and the kind of information processed in the cloud. Once this data is identified, the audit function should establish audit plans and activities, including regularly scheduled independent reviews and assessments.
Based on the risk assessment, audit and compliance functions may identify the need to obtain varying levels of assurance over controls maintained by the cloud provider. At a minimum, CSPs should have a third-party assurance report (such as SOC1, SOC2 or SOC3 depending on the needs) as it will provide a recognizable point of reference for auditors and assessors.
Accountability, oversight and transparency are paramount in the cloud ecosystem. CSCs should determine a mechanism to regularly evaluate the effectiveness of security measures, including the incident response process and plans.
Further, governance in the cloud is a shared responsibility between the CSP and CSC. CSCs should also implement a risk management program that takes into account CSP risks and risk treatment plans. It is important to have a robust governance mechanism, as well-developed governance results in scalable programs that are repeatable, measurable, defensible and constantly improving.
Turning fear to opportunity
The time has come to develop a holistic cloud trust strategy — one involving key stakeholders from both the business and IT to provide a secure cloud ecosystem with the proper checks and balances that enables a controlled and cost-effective investment in the cloud.
By developing a cloud trust model to assess and monitor, improve and enhance, and certify and comply with their cloud ecosystem, IT professionals can turn fear of the cloud into an opportunity to address increasingly complex security and privacy challenges.
“Global cloud market will be worth $121bn by next year, report finds,” Cloud Tech website, accessed on 7 October 2015.