
Whether you like it or not, somebody in your company may already be using cloud-based applications - and you might not even be aware of it. Even when the CIO says "no" to cloud, many line-of-business leaders subscribe to cloud services on their own.

As Jim Reavis, executive director of the Cloud Security Alliance puts it: "Cloud computing might be seen as a sort of revenge of the business unit. The business unit may not be seeing enough responsiveness from the IT department in getting the systems they need. Now they just bypass IT and go directly to providers. Even in highly regulated financial institutions, with very tight controls, sales departments dealing with wealth management are using services such as on their own."

This behaviour is problematic for UK organisations for one big reason. The internal workings of a cloud service are such that it’s not always easy to know in which country data is stored. And when data is stored outside the UK, one runs a higher risk of violating the Data Protection Act.

Furthermore, according to the UK’s Information Commissioner’s Office (ICO): "In cloud computing it will be the cloud customer who will determine the purposes for which and the manner in which any personal data are being processed. Therefore it is the cloud customer who will most likely be the data controller and therefore will have overall responsibility for complying with the DPA."

This guideline holds true even when, for example, a sales manager uses a public cloud service such as customer relationship management (CRM). The commissioner’s office says:

"When using a public cloud, the ICO recognises that a cloud customer may find it difficult to exercise any meaningful control over the way a large (and perhaps global) cloud provider operates. However, simply because an organisation chooses to contract for cloud computing services on the basis of the cloud provider’s standard terms and conditions, does not mean that the organisation is no longer responsible for determining the purposes for which and manner in which personal data is to be processed. The organisation will continue to be a data controller and will be required to meet its obligations under the DPA."

In response to the ICO guidelines, Francesca Fellowes of global law firm Squire Sanders says, "A move to cloud services is likely to increase, not reduce, the need to protect personal data. This is because cloud computing utilises layered services (where different aspects of a service, such as hosting and development, are provided by a number of different providers) and allows for services to be provided from a variety of different locations, including from outside the UK. Cloud computing also allows for a multi-tenancy environment (where a cloud service provider acts as a data processor for a number of cloud customers). It is these characteristics of cloud computing which lead to increased efficiency and cost savings. It is also these characteristics that make regulatory compliance more challenging and increase legal risk."

To appreciate how easily an organisation can wander into a legal minefield, consider the following simple example. Company X provides software as a service (SaaS) to the end user. To minimise their own exposure to fluctuation in demand, company X may use platform as a service (PaaS) offerings from company Y. In turn, company Y may subscribe to infrastructure as a service (IaaS) from company Z.

The end user may not know about companies Y and Z. What’s more, since company X is operating in a competitive market, they probably swap suppliers from time to time to get better prices. So even if end users start out knowing the country where their data is stored, they can’t always be sure the data stays in that country.

UK organisations have to pay particular attention in cases where data may be stored in the United States, which happens to be the world’s most developed market for cloud computing. The US is not on the "White List" of countries the European Union recognises as implementing adequate data protection standards.

In an attempt to allay fears, the US Department of Commerce issued a statement earlier this year to clarify how the Safe Harbor data protection agreement between the US and the EU applies to cloud computing. The view of the US Department of Commerce is that, as long as companies in the value chain agree in writing to provide at least the same level of data protection as is required by the Safe Harbor standards, compliance is ensured.

Many IT directors express other concerns when considering the cloud model.

Subscriber concerns

According to strategy consultant John Rhoton, author of Cloud Computing Architected: Solution Design Handbook: "Almost all the obstacles people imagine when considering cloud computing are based on some aspect of security. You have the broadest questions:

"Is my data encrypted at the data centre? Is my data encrypted between me and the data centre? Can anybody at the cloud provider hack into my data, whether it’s an employee of the cloud provider, hackers or other tenants?"

Rhoton points out that discussions on fundamental security questions frequently become emotional. But organisations that take a step back usually come to the conclusion that most cloud providers are experts at security, having to deal with the issues every day. Since few enterprises have the skills to match the cloud providers’ expertise, by going to the cloud, you probably wind up safer.

There are wider risk issues, Rhoton says. "What happens if the cloud provider goes bankrupt? How do I recover my data if I want to stop using that provider? How can I make sure the cloud provider doesn’t destroy my data? What processes does the cloud provider have in place to make sure my data isn’t compromised? Will my data always be available?"

Then the third area of concern, according to Rhoton, is all around compliance. "What legal liabilities do I have if I entrust my data, which is sometimes my customer’s or user’s data, with the cloud provider? Am I liable if that data is compromised? Will they store the data somewhere that can get me into trouble?"

A fourth area of risk Rhoton advises companies to look at is the risk of losing connectivity. You need a solid network for cloud computing to even be feasible, and you need a lot of bandwidth to have a reasonable user experience, especially for the applications requiring a lot of back-and-forth between the user and the central database. If you lose your connectivity, or if data rates are diminished, your team’s productivity can be severely hampered.

Once organisations get past these risks and adopt the cloud model, they have to contend with at least three other common challenges:

  • Integration with legacy systems: This entails learning APIs and performing the necessary tweaks to get two or more systems, from two or more vendors, to work together.
  • Lock-in to a cloud provider: It’s not always easy to switch from one cloud provider to another, or to move from the cloud back to on-premise. Furthermore, since users are stuck with the set of applications offered by a given service provider, switching from one provider to another usually means getting used to a new set of applications.
  • Costs that are higher than expected: Applications with large fluctuations in workload may be more cost effective as a cloud service, but applications with relatively steady workloads usually turn out to be more expensive over the long haul.

The silver lining

Despite these challenges, cloud computing has already transformed IT, and will continue to do so. Consider these four advantages subscribers are already enjoying:

  1. Workers can use applications and data remotely. No matter where they are in the world, as long as they can connect with a laptop or a smartphone, they have access and can share documents with co-workers.
  2. Little or no initial investment is required, and there are few or no exit costs. You pay only as long as you use it, so if you don’t like one application, you can turn it off and switch to another.
  3. You don’t need trained staff to run the service. The provider takes care of bug fixes, upgrades, backups and all other maintenance.
  4. You don’t have to gamble on capacity. If you are offering a new service, you usually have no idea how many people will be interested. Thanks to cloud computing you can increase or decrease capacity as needed.

The cloud computing uptake is so big that in a recent forecast, IDC says it expects worldwide spending on public IT cloud services to reach $47.4 billion in 2013. They also predict that figure to surpass $107 billion in 2017. "Over the 2013–2017 forecast period," says IDC, "public IT cloud services will have a compound annual growth rate (CAGR) of 23.5%, five times that of the IT industry as a whole."

IDC’s senior vice president and chief analyst Frank Gens explains an important trend: "The first wave of cloud services adoption was focused on improving the efficiency of the IT department. Over the next several years, the primary driver for cloud adoption will shift from economics to innovation as leading-edge companies invest in cloud services as the foundation for new competitive offerings. The emergence of cloud as the core for new 'business as a service' offerings will accelerate cloud adoption and dramatically raise the cloud model's strategic value beyond CIOs to CxOs of all types."

IDC also says that the United States will remain the largest public IT cloud services market, although its share will decline from 56.9% in 2013 to 43.9% in 2017, while Western Europe will gain share throughout the same period.

The good news for CIOs is that there seems to be a slight downward trend in lines of business procuring cloud services on their own. Presumably this is because organisations have experienced enough security breaches, downtime, or integration problems when business leaders are allowed to act on their own, that more people now know to involve IT.

IT directors should keep a close watch on applications with specific business use cases - those performing finance, HR, or customer relationship functions. These are the applications that are currently most likely to be procured by a line of business on their own.