By Lawrence Dinga, MSc, CISSP
Cloud computing is emerging as a rapidly evolving and disruptive technology that has the potential to make IT organizations more responsive. According to NIST definition of cloud computing, it is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This essentially means cloud computing offers unprecedented scalability to an organization’s IT processing and administrative capability unlike those available in “traditional” in-house infrastructures. Rather than procure, deploy and manage a physical IT infrastructure to host their software applications, IT organizations are increasingly deploying their infrastructure into remote, virtualized environments, often hosted and managed by third parties.
The use of cloud computing has potential benefits to organizations, including increased flexibility and efficiency. This is because virtualized services can be rapidly re-configured or scaled to meet new and evolving requirements without the need to acquire new and potentially redundant hardware. Almost instantaneously, additional capacity can be added, moved, or removed in response to dynamically changing processing needs. A new application support system can be initiated to meet increased demand in a matter of hours rather than weeks. Should demand fall back, the additional capacity can be shut down just as quickly with no surplus hardware now sitting idled. In its new report, Gartner estimates that the public cloud market overall will grow 18.5 percent, to $131 billion, in 2017 from $111 billion in 2012.
It is important for organizations transitioning to the clouds to understand both technical and jurisdictional aspects of cloud computing. Technically, the organization needs to understand what cloud computing service models, often referred to as “SPI Model,” where “SPI” refers to Software, Platform or Infrastructure (as a Service), respectively. They also need to understand the four deployment models as well as the five essential characteristics of cloud computing. Without a clear understanding of the higher-level architectural implications, it is impossible to address more detailed issues rationally.
Understanding the fundamental issues of governance and risk management in cloud computing is important since they concern the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance. Organizations should also assure reasonable information security across the information supply chain, encompassing providers and customers of cloud computing services and their supporting third party vendors, in any cloud deployment model.
There are legal and jurisdictional aspects raised by moving data to the cloud. These issues include considerations in a cloud services agreement as well as issues presented by electronic discovery and digital forensics investigations not forgetting incident response. In many countries throughout the world, numerous laws, regulations, and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems.
To summarize, you need to understand the importance of what you are considering moving to the cloud, your risk tolerance and which combinations of deployment and service models are acceptable. You should also have a good idea of potential exposure points for sensitive information and operations.