By Bob Broda, Special to Local Tech Wire.
Editor’s note: This is the first in a series of articles about trends, opportunities and challenges in “cloud computing.” Bob Broda is the founder and managing partner of Visage Solutions. After over 20 years in the Information Technology and Public Utility sector, Bob now focuses exclusively on compliance and risk management.
RESEARCH TRIANGLE PARK, N.C. – The cloud computing phenomenon seems to have appeared in the market out of nowhere. Hardware vendors, software vendors and service providers are all touting the business benefits of cloud computing.
Although the term is relatively new and evolving, the concepts are based mainly on new technologies in infrastructures (mainly virtualization and cloud), new application technologies (Web 2.0 and parallel processing architectures) and expanding network connectivity options (Cisco’s Data Center 2.0 and 3.0 initiatives, along with growing bandwidth options and multi-vendor solutions).
The idea that purchasing only the services you use from a cloud environment may allow businesses to both save money and focus on their core business is an enticing proposition in the current economic climate. However, it is critical for business consumers to understand the infrastructure, components, and service delivery characteristics of the service offering being considered.
However, concerns about security, privacy, reliability, and operations top the list of potential barriers. Gartner predicts that it will be 2012 before the cloud computing offering becomes mainstream. These concerns are typically mitigated by the providers supplying a SAS70, where an external third party comments on the strengths of internal controls based upon identified objectives.
Business leaders need to evaluate whether the provider’s objectives are consistent with their own goals and practices. How are the auditors going to react when the business cannot identify the location of the data or where the processing takes place, not to mention whether there is sufficient capacity to support peaks in operations, or whether proprietary solutions inhibit data relocation or recovery to a secondary provider? No matter where the data resides, the legal and regulatory, record keeping and fiduciary duties of the business do not change.
These “Cloud” solutions will have to be auditable before SAS70s can be issued. Large businesses will not endorse this environment until they are assured that their legal and business issues are adequately addressed.
In the mid-90s, people were hesitant to supply their credit card information over the web. People had the same issues and concerns over security and privacy. Now people supply their personal and credit card information daily. The convenience and value proposition of cloud computing are too overwhelming for these concerns not to be overcome.
Microsoft has been able to earn the ISO 27001:2005 accreditation and SAS70 Type I and Type II attestations for the Microsoft cloud infrastructure. This sets the stage for product and service delivery providers to more efficiently obtain additional certifications and attestations as appropriate. Please note that the ISO certification is for the management processes put in place to address information security concerns, and the SAS70 is for services that Microsoft offers in regard to cloud computing; one can only assume their software is included in their service offering.
When evaluating service offerings, an in-depth look is required to understand and assess what is being offered. The term “Cloud” tends to represent a wide variety of offerings. It is important to separate the reality from the hype: nearly anything to do with network-based computing, storage and applications is being positioned in some way as “cloud” (Damoulakis, May 2009). As such, it is crucial to fully understand the underlying technologies and how they are being deployed, managed, and updated consistent with an accepted IT framework.
Once in the “cloud”, coordinating releases, ensuring data integrity through either backup or replication, and integrating into the System Development Life Cycle are critical to the long-term success of moving your application to the virtual world. Considerations around data security become paramount in a shared environment with the loss of “Security through Obscurity”. Not to mention that what was once tangible, Performance and Capacity Planning, has taken on a rather cloudy view.
Visage will explore the Cloud in more detail, specifically focusing on the internal controls necessary to allow service providers and businesses alike to take advantage of this Cloud concept in a regulatory environment.
Planned additional white papers:
• Considerations for moving to the cloud
• A fully auditable cloud – fact or fiction
• Cloud Computing and Business Resiliency
• Service Level Considerations for Cloud Computing
• Change Management implications for Cloud Computing
• Information Security implications for Cloud Computing
• I don’t need a SAS70 because…
• A CIO’s view of Cloud Computing
About the author: Bob Broda is the founder and Managing Partner of Visage Solutions. After over 20 years in the Information Technology and Public Utility sector, Bob now focuses exclusively on compliance and risk management. Bob has spoken at several national and international events and provided training on the subject of Sarbanes-Oxley, Internal Controls and Risk Assessments.
Prior to forming Visage, Bob held a variety of roles including: Vice President and General Manager at an international conglomerate, holding profit and loss responsibility for a software and services business unit; Vice President of Development for a software company; key role in the acquisition and integration of a major services company into a computer manufacturer. By offering Customer Information and Accounting systems to utilities, Bob has gained a unique perspective in applying business process and requirements gathering skills to compliance and risk management solutions.
Bob earned a B.S. in Information Systems from Kings College and an Executive MBA from Southern Methodist University.