The Cloud: Resource or Liability?
May 18, 2012
Cloud computing is now part of the business vernacular, a term that circulates freely amongst companies and executives alike. But cloud computing also risks becoming a meaningless expression: an overused term that signifies different – and often conflicting – things to a variety of organizations. Think, instead, of the literal and figurative connections between clouds, those tiny droplets of condensed water that band together to form something greater, and the Cloud, which can provide value for businesses that want to maximize the power of technology. Educating ourselves about these similarities (and differences) is essential because we need a better working definition of the benefits – and limits – associated with cloud computing.
This emphasis starts with understanding the needs of organizations, where the need for certain services – such as data storage, analytics and process support – does not square with the costs of procuring and/or upgrading and maintaining new infrastructure and software. In that situation, companies will outsource these services to vendors. In turn, vendors typically provide these services through an on-demand, Internet-based model. And, by grouping these organizations together, vendors can – through economies of scale – aggregate expenses, deliver specific services and still make a profit…
From the vantage point of most businesses, the cloud also offers access to otherwise unaffordable services. Decreased costs, backed by new and innovative tools, result in a potential victory for managers and staff. These advantages may enhance profitability, while simultaneously lowering overhead and increasing overall efficiency. But – and this is an important caveat – the cloud may also mean loss of managerial control, along with a variety of security, compliance and privacy concerns. These challenges are the inevitable flipside of the positive effects of the cloud.
The risks associated with the cloud are, by no means, insignificant; news stories abound about hackers, compromised data and the release or destruction of information. These events are not anomalies, nor are they easily correctable “mistakes” that cyber experts can fix. Rather, these breaches – including the theft of trade secrets, classified government material, financial transactions and credit card numbers – are events of major proportions. And yes, some of these breaches are merely examples of hackers proving to themselves – and causing wholesale frustration among the public – that certain systems are vulnerable, and thus worthy of improved security.
Unfortunately, many of these hackers are nefarious characters, and they use illegally obtained data for their own criminal purposes, including identity theft. In fact, many of us know someone who is the victim of such an act, or we ourselves have received a letter from some organization expressing regret for outside successful attacks against our accounts. And yet, these events continue to happen – identity theft is an international epidemic – and protecting this information is not easy. These threats will only intensify as the cloud becomes more commonplace, which means there needs to be greater emphasis on risk management and data protection.
If we accept these facts, starting with the acknowledgment that no data is truly secure, the next course of action involves mitigating or transferring these risks. But mitigation can be an expensive and time consuming process, one that requires all manner of training, security protocols, software, personnel and compliance. A breach can still occur, causing disastrous consequences that destroy revenues and drive clients to competitors who offer the illusion of greater security. Remember: Mitigation offers no guarantee of success, regardless of how vigilant or resourceful an organization is. Think of mitigation as an attempt to delay the inevitable. Or, to borrow some sage advice from father, mitigation is akin to the idea that “locks keep honest people honest.” Which is to say, there is always a way for someone to bypass a locked door for the (perceived) treasure inside.
An alternative approach would be to transfer or share the risk with another group, such as an outsourcing vendor. Having a vendor manage a specific process or collection of sensitive data assigns responsibility to that entity, provided this role is in the vendor’s contract. That kind of legal verbiage does not mean that the hiring organization completely avoids liability, but it does shift the costs to mitigate risk – and the damage of a massive breach – to the vendor.
Should problems occur, including the theft or destruction of data, the vendor becomes the source of criticism and review. The hiring organization can hold up their metaphorical hands, and find a new vendor with ‘better’ security protocols. This approach is also a way to preserve valuable brand equity and status within the marketplace, something the hiring organization cannot afford to undermine.
No security is impenetrable, and even the biggest organizations (including Sony, Microsoft, Apple, Citigroup and the International Monetary Fund) are not immune from breaches; precautions need to be in place to anticipate these problems. Outsourcing management of these issues to a vendor via a cloud-based model is an alternative strategy. From a risk management perspective, preparing for these challenges – and having the right processes to handle various security threats – is a necessity.