SaaS/Cloud Audit Demands Could be Costly - InformationWeek
IoT
IoT
Cloud
Commentary
5/14/2009
09:26 AM
David Linthicum
David Linthicum
Commentary
50%
50%

SaaS/Cloud Audit Demands Could be Costly

"Cloud computing providers require strong audits," according to SC Magazine's Angela Moscaritolo, who focuses on security in the world of SaaS and cloud computing. In reading through this article I kept returning to the fact that the cost of security, together with audits, could make cloud computing, including SaaS, cost prohibitive.

"Cloud computing providers require strong audits," according to SC Magazine's Angela Moscaritolo, who focuses on security in the world of SaaS and cloud computing. However, in reading through this article I kept returning to the fact that the cost of security, together with audits, could make cloud computing, including SaaS, cost prohibitive. The value proposition of cloud computing is about saving money, after all.

The recommendations are clear:

"With respect to data security, organizations must review the vendor's data protection techniques to ensure appropriate cryptography is used for both data in rest and in motion, and make sure the appropriate documentation is available for auditors. In addition, the provider's access control and authentication procedures should be reviewed, and companies should find out if third parties have access to the information."

And,

"Also, to ensure data security, companies should review the service provider's architecture to make sure proper data segregation is available and review their data leak prevention (DLP) deployment to prevent insider attacks, the report recommended."

And,

"Before utilizing a cloud computing provider's services, organizations also must conduct a feasibility study that engages legal, risk, and compliance officers to determine if cloud computing is appropriate with respect to laws and regulations the business is subject to. Next, organizations should determine which security, legal, and compliance needs are most important and find a vendor that meets those requirements, the report recommended."

The list goes on.

Auditors, lawyers, security specialists, etc.? The cost of placing some of IT outside of your firewall seems to be getting expensive quickly, not to mention complex.

There are two core drivers here: One is the cost reduction that cloud computing, including SaaS, promises. Two is the fact that cloud computing is now "way cool," and popular, and that's been driving much of the recent push. However, you need to consider both issues together. In other words, how much does it really costs to be cool?

Perhaps applications that require a great deal of security, and thus require many audits and legal protections as describe above, don't belong in the clouds in the first place. I suspect the cost of insuring and maintaining high-end security on the cloud computing platforms will be cost prohibitive, in many instances. Thus, without the cost benefit, cloud computing including SaaS loses its luster for business.

Having said that, I'm seeing a lot of enterprises move toward cloud computing anyway. They are thinking they can bring their security requirements along for the ride, attempting to treat cloud computing providers as owned and controlled assets. They are not. Therefore, they will have to introduce the rigor associated with ensuring security, and, thus, they will face the added costs.

It's politically incorrect to push back on cloud computing these days, but even the cloud computing providers will tell you that if you have excessive security requirements, perhaps you're not right for us. The larger corporations will expect cloud computing providers to work like their existing hardware and software vendors, bending over backwards to accommodate special needs. Unfortunately, for now, it does not work like that."Cloud computing providers require strong audits," according to SC Magazine's Angela Moscaritolo, who focuses on security in the world of SaaS and cloud computing. In reading through this article I kept returning to the fact that the cost of security, together with audits, could make cloud computing, including SaaS, cost prohibitive.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll