The Visibility Factor: Assessing Cloud Risk
There's a storm of change brewing. For IT, the challenge is to guide our organizations to a safe balance.
A few months ago, my CFO forwarded me a rather sizable "pro-cloud" white paper that's been making the rounds in a number of non-IT executive circles. The paper, written by a venture capital team and targeting CXO readers, made some valid points. But its overarching message was an unapologetic push to use the cloud "whenever and wherever you can." The word "risk" didn't appear anywhere in the document.
The benefits of cloud computing might be real, but the blatant omission of any mention of a downside has all the hallmarks of blind hyping; we wouldn't be surprised if the authors had substantial stakes in one or more cloud providers. The paper also drives home the reality that this discussion, like it or not, is occurring far outside IT circles. In fact, some organizations are using cloud services without IT, security, or risk management teams even being aware that data is leaving the network. One organization we spoke with, for example, didn't know its employees were using Amazon's Elastic Compute Cloud services until those employees tried to expense the bills.
It was accounting--not IT--that blew the whistle.
Now, most enterprises have a hard enough time keeping track of their data, vendors, and contractors with a centralized IT department. The use of cloud-based technology by business personnel blows the centralized model apart, and herein lies the largest governance issue: Who gets to make the decision to outsource a given business function or data set? And who accepts the associated risks?
You'd think we'd have made more progress on the risk management front by now, given that the cloud hype has been spreading across enterprise IT groups for more than a year. We first polled the InformationWeek Analytics audience on this topic in February 2009. While the 547 business technology professionals who responded were intrigued by cloud computing's promise, they were equally concerned about the risks. More than half worried about security defects in the technology itself and loss of proprietary data. One year later, this dynamic still holds: In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.
"Has everyone forgotten the dot-com meltdown?" asks a senior VP for a utilities company. "Whole Web sites, along with the companies that ran them, disappeared, never to be seen again. I want to control my own future." Counters an IT professional from the education sector who has outsourced e-mail to Google: "As we grew to over 5,000 accounts, the management, backup, and maintenance got to be prohibitive. We now enjoy 99.999% reliability, up to 20 GB of space per user, and are able to deliver more services."
They're both right. Pushing some functions to a cloud provider frees both staff and computing resources to address other problems. But we need to do a better job managing risk, because make no mistake--there's as much opportunity for disaster as there is room for benefit.