ISSUE IDENTIFICATION - CLOUD COMPUTING

Girish Subramaniam

I. Issue Background and Definition

One would have to be living under a rock these days not to have heard of cloud computing. It is an emerging opportunity in IT service delivery, facilitating on-demand access to shared pools of computing resources, from networks and storage to servers and applications. On top of efficiencies and cost reductions, it promises rapid delivery of services for business agility. Adoption is at a very large scale in most industries, and a survey reveals that two-thirds of responding organizations are planning or adopting cloud computing.

Still, security and compliance concerns continue to slow adoption; they are consistently the number one cited challenge to cloud computing. There is little or no control over business data (assets of the firm). This is because data lies in physical locations that are mostly unknown (distributed database).

Lack of Visibility = Lack of Security

Clouds are generally of two types:

1) Public Clouds - that offer compelling scale and cost considerations but do not address the above concerns
2) Private Clouds - that might be as costly as data centers but offer much better data security as there is a firewall in place.
II. Industry specific focus

The industry that is impacted by the above concerns is the Financial Services Industry: Banking (Commercial/Retail), Investment Banks, Insurance. The most important element in this industry is client information. The data is highly critical and carries financial and reputational risk. Post-recession, tougher regulatory and compliance norms have been put in place, under which banks are required to focus heavily on anti-money laundering and fraud, which ultimately calls for proper Data Controls and Security.

As mentioned earlier, data security is the primary concern for the Financial Services Industry before it adopts the cloud. The two main criteria to be met are Data Control and Visibility:

1) Control
   Availability - Accessing resources (data) and recovering resources in case of failure
   Integrity - Ensuring that only authorized persons have access to information and applications
   Confidentiality - Protecting how personal data (information) is obtained and used
2) Visibility
   Compliance - Meeting specific regulatory requirements and industry standards and rules
   Governance - Establishing usage rights and enforcing policies, procedures and controls
   Risk Management - Managing threats to business risks/interruptions

The criteria listed above are very difficult to meet for the following reasons:
1) Clouds are generally managed by Cloud Service Providers (external vendors). Data can be accessed by these vendors, and thus a proper agreement needs to be in place for public clouds to ensure data security.
2) Improper backups or application failures can lead to loss of data.
3) Since the data is stored on physical servers, the location of the data is mostly unknown given the complicated network of databases, especially in public clouds. This makes site inspections and audits very hard and complicated.
4) Constant connectivity is a must to ensure continuous access to data.
5) High difficulty in migrating to another Cloud Service Provider.
6) High dependency on the financial health of the Cloud Service Provider.

Due to the recession, the financial markets are currently in the red and banks and institutions are finding it extremely difficult to make profits. Given that cloud computing is an emerging technology that helps clients reduce costs, many industries have been adopting it, and it has had an impact on the balance sheets of the firms in those industries. The financial industry therefore wants to explore the use of this technology, and so the above issue is of great importance and concern for firms within it.

Understanding the Issue
It is very important for CIOs and managers to understand the issues in depth and ask questions such as:

1) Who can see my clients’ data?
2) What regulatory and compliance audits has the firm completed?
3) If the firm doesn’t keep data in its own systems, how can we ensure it is safe?
4) How complicated will my login process be?
5) If a client asks me whether we can guarantee security of his or her data, how should I answer?
6) What safeguards are in place to ensure data is never viewed by someone who shouldn’t see it?
7) If the system is compromised, what’s the emergency action plan, and how will that be communicated to our clients?

The answers to these questions might help them decide whether to go with cloud computing.

Not Understanding the Issue

One important thing to consider is that there might be situations in which financial institutions leave themselves vulnerable to attack because they assume their cloud provider is taking care of security. Security and cloud hosting are two separate things, but the cost of entry is so low, and entry often so simple, that customers may not do as much due diligence as they should to find out who’s responsible for security.
Therefore it is very important for CIOs of banks and insurance firms to understand the issues with respect to cloud computing.

Source:
Cloud Security Myths and Strategies Uncovered - White Paper
Disadvantages of Cloud Computing - White Paper
IBM white paper on Cloud Computing