Network Security Audit Risk Assessment Information Security Consulting Computer Forensics

 



Cloud Computing - Thunder and Lightning on your Horizon?

As organizations automate more and more of their manual processes, the Internet is increasingly becoming an important tool in the delivery of IT services. Several years ago, organizations purchased software on CD-ROMs and DVD media. Today, users have the choice of downloading software from the Internet or using their browser to access software that runs outside the organization on Internet servers. The use of external software on Internet servers is called Software as a Service (SAAS).

Instead of writing software for a workstation, software developers are now writing software programs that run on Internet servers. This software may run on servers outside the organization on other companies’ data centers. Some examples include web sites such as Amazon.com and Salesforce.com.

In the past, individual applications ran in the Internet cloud. Now, entire data centers are moving to the cloud, accessible by a wide range of users. Cloud computing describes a grouping of service offerings that includes application software, data storage, and computing. The computing can be delivered over the Internet (public cloud computing) or within an organization (private cloud computing).

Cloud advantages over desktop software
Many SAAS applications are available at little to no cost. In addition to lower software costs, IT administration labor costs are reduced as software does not need to be installed and constantly patched. SAAS applications tend to be supported by paid advertisers, thus subsidizing the cost to the software user.

Another benefit is group collaboration. In the past, software was loaded on many distributed devices. With the Internet cloud, software and data can be stored on centralized servers facilitating access to data by a large group of users.

Cloud computing offers almost unlimited storage of applications and data. No longer must users and IT staff be concerned about collecting and archiving volumes of data.

Mobile applications
Employees want functionality and access to data from a number of different locations. The Internet cloud allows hand held Personal Digital Assistants (PDAs) and laptop users to access applications and data from a variety of locations. Internet cloud computing allows information to be accessed by a number of different devices (desktop, laptop, mobile phone, GPS, etc.) since the applications and data are stored at Internet data centers.

Mobile computing will drive more applications to the Internet cloud. The cloud is an ideal way of supplying software and data to small computing devices that don’t have the storage and processing power to hold volumes of applications and information.

Application interfaces
Internet applications leverage the power of end user devices by introducing to browsers features commonly found in the graphical interfaces on desktop applications. Better software development tools support applications that can run on a wide range of devices from desktop browsers to smart phones.

Pubic cloud computing risks
As with any other form of technology, organizations must address a wide range of cloud computing risks:

  • User traffic – in the past, applications and data were stored locally. With Internet cloud information accessed via Internet lines, connectivity and bandwidth usage may become a critical issue if Internet users create Internet access bottlenecks.
  • Internet connectivity – connectivity to the Internet increases in importance. If Internet connectivity is down for an extended period of time, employee productivity will drop. Redundant high speed Internet lines may be needed to help mitigate this risk.
  • Employee productivity – applications and data that are stored on user hard drives tend to have fast response times with little impact on the employee. Internet applications may experience delays and not be able to manage volumes of data. Service Level Agreements (SLAs) with the cloud computing vendors can provide response time, throughput, and other metrics that help protect the organization.
  • Lack of availability – there are risks related to having a critical software application programmed and managed by an outside entity. If a vendor’s software application ceases to function, the organization may experience financial losses as well as damage to its image and reputation.
  • Confidentiality – SAAS vendors may store data in a central repository. This repository may hold data from many different businesses, even competitors. The organization should determine if it is appropriate to store the type of information (client lists, pricing, intellectual property, etc.) on external servers.
  • Integrity – since data is stored on outside servers, the organization must ensure information integrity. Balancing controls, managing information stored on external servers, monitoring, and other controls must be used to protect the organization.
  • Compliance – information collected, stored, archived, and secured must meet regulatory requirements.

Privacy issues
In exchange for lower cost service delivery, users may have to provide personal information. This information is often used to deliver custom advertisements. The cloud model may require sharing of information with other marketing alliances in exchange for the convenience and low cost of using Internet cloud applications.

Many SAAS vendors focus on one area of specialty, storage, e-mail applications, on-line backups, etc. Organizations must rely on the vendor’s security solutions to protect their information. Unfortunately, for many SAAS vendors, their focus is on service functionality, not security.

Private cloud computing
Organization data centers adopting the technologies and practices of public cloud infrastructures can be considered private clouds. Private clouds are data centers within the corporate perimeter, within the firewall.

Software applications can be designed for both the public and private cloud infrastructure. Tools such as systems management software, clusters, grid technology, and load balancing permit private clouds to employ utility like environments with computing resources and applications provisioned with greater efficiency.

Cloud computing service delivery considerations
IT managers should take professional care and due diligence when evaluating cloud computing applications.  Organizations should consider the risks to their data including loss, disclosure, or alteration.

  • Design – since a service provider can go out of business, create a network design diagram showing the data that is outsourced and how information flows from your organization's network to the service provider.  This document can also be of assistance in the event of e-discovery and litigation.
  • Service levels - your organization should determine if the outsourced provider has professional, high performance infrastructures that can guarantee levels of performance delivery.
  • Support – user and technical support must be determined up front. Will first level user support be provided by their staff or yours?
  • Redundancy – organizations should have redundant solutions that allow systems to continue operating even during single component failure. This includes the Internet software application as well as the organization’s connectivity to the Internet.
  • Backups – make arrangements with the service provider to provide periodic physical backup media to your organization or to an external third party.
  • Contingency plans – business continuity and disaster recovery plans must be updated and tested on a regular basis.
  • Private clouds – IT departments have the administration costs and responsibilities of acquiring, installing, managing, and securing data centers.
  • Security – public and private clouds must ensure information availability, confidentiality, and integrity.

Summary
While outsourcing software applications to the Internet cloud isn’t for every organization, many firms have found that cloud computing can be a simple, reliable, and cost effective solution.

Both the Internet cloud vendors (SAAS) and the organization should have audits performed on a periodic basis.:

  • SAAS vendors - audits help ensure system availability, information confidentiality, and data integrity.
  • Organizations - audits ensure organization management that the firm is managing its cloud computing risks.

Risk assessments and audits help organizations identify, manage, and reduce their risks.

Tags: cloud computing | risk assessment | software as a service | saas

Take our Challenge.   Copyright © 2006-2011 Altius Information Technologies, Inc.  All rights reserved.    On-line Support.    Privacy.    Site Map.    Contact Us.