1. CLOUD COMPUTING: A FUTURE PREROGATIVE
Businesses are constantly looking for ways to improve efficiencies,
avoiding unnecessary costs; doing more with less, and ultimately
improve the bottom line. Stakeholders on the other hand are
becoming more impatient and expectations are forever increasing.
The business competitive environment is becoming fiercer and
revenue growth is becoming a difficult hurdle to achieve during these
trying times. As the business environment evolves and businesses
attempt to adapt, dependency on technology has become more and
more important. Technology has become an integral part of decision
making initiatives and both business and government have realised
that investment into information technology has become a necessity.
Failure to move quickly could spell long term economic difficulties
and declining profitability. In this business world of constant change
and resource limitation, how best do businesses adapt from a
technology perspective? Is cloud computing a possible answer?
What is Cloud Computing?
Cloud computing in simple terms can be defined as a big pool of
shared resources including hardware, software and other services
that can be accessed in the “cloud” whenever necessary. It is a
technology that is internet based and used as a mechanism for
accessing computer facilities. For application and IT users cloud
computing is the provision of applications, storage and computing
services over the internet from centralized databases; for application
developers it is a software development platform and for
administrators and IT infrastructure providers it is data centre
infrastructure. Cloud computing is seen and used in different ways all
with the aim of benefitting IT efficacies.
Cloud computing may be hosted in different ways depending on the
need: Main cloud computing deployment models include:
Deployment Model Description
Public Cloud The cloud infrastructure is made available to the general
public or a large industry group and is owned by a cloud
service provider, which sells these cloud services.
Private Cloud The cloud infrastructure is operated solely for a single cloud
service consumer enterprise. It may be managed by the
enterprise or a third party and may exist on or off the
consumer premises.
Community Cloud The cloud infrastructure is shared by several cloud service
consumer enterprises and supports a specific community that
has shared concerns (e.g. mission, security requirements,
policy, compliance considerations etc.). It may be managed
by the enterprises or a third party and may exist on or off the
community premises.
Hybrid Cloud The cloud infrastructure is a composition of two or more
clouds (private, community or public) that remain unique
entities, but are bound together by standardised or propriety
technology that enables data and application portability.
2. 2
Cloud providers have different service models focusing on one type
of functionality provisioning. These may include:
Service Model Description Benefits
Cloud infrastructure as a
Service
(IaaS)
The IT capability is that of
processing, storage, network and
other computer hardware-related
capabilities. The consumer can run
their own software (including
operating systems) on the computer
hardware-related capability.
Lower IT
infrastructure,
administrative and
maintenance costs.
Cloud platform as a
Service
(PaaS)
The IT capability provided is that of a
computing platform on which to run
the software of the consumer, which
was created using the programming
languages and protocols supported
by the specific platform.
Cost reduction,
especially in ensuring
security, and
scalability.
Cloud software as a
Service
(SaaS
The IT capability provided is that of
software applications for use by the
consumer. The software would be
run on cloud infrastructure (either
that of the SaaS provider or possibly
that of another IaaS and/or PaaS
provider), and be accessible by
means of a network accessing
device.
Low initiating costs,
painless upgrades,
seamless integration,
and easy
customization and
managed service-level
agreements.
These type of setups will have huge implications on cost structures
of those organizations using hardware and software as a key driver
to their business strategy. Similarly to the way electricity is
consumed, in Cloud computing we pay for what is consumed.
Is Cloud Computing becoming a Global Phenomenon
Tremendous growth in technology poses enormous challenges on
companies if they intend being relevant and competitive. They have
to continuously incur huge financial outlays on the latest technology
trends. As a result, companies are attracted to the concept of cloud
computing where upfront costs are minimal and access to IT
resources are not limited. The value proposition of cloud computing
is that organizations do not have to make huge upfront investments
for computer infrastructure, hardware, software and training. Instead,
organizations can use the resources provided by a cloud computing
service provider who would also take care of IT downtime and
support. The cloud computing model will transform the IT industry in
the next few years as it has experienced phenomenal growth and
remains attractive and cost efficient to small and medium sized firms.
IT Outsourcing verses Cloud Computing
Typically, IT outsourcing assist management with the offloading of
legacy systems that may be outdated and allows management to
focus on their key strategic initiatives. The benefits of IT outsourcing
include lower costs, higher performance assurance and quality,
professional and geographically dispersed services and creative and
structured leases to suite the client. Organizations would normally
outsource their IT function if the benefits outweigh the risks. IT
outsourcing and cloud computing has numerous similarities but also
have differences that may or may not be valuable to the client.
3. 3
Typical similarities include reduced costs, global scale, risk
minimization and quick time to market. However, notable differences
include:
High upfront costs regarding IT outsourcing as compared to cloud
computing where no or minimal upfront costs are needed;
Services are not necessary on demand in IT outsourcing whereas
cloud computing delivery structures are based on demand
services;
Cost is more transparent when it comes to cloud computing
whereas there tend to be lots of hidden costs in IT outsourcing.
Although similarities may not really cause clients to change; the
differences play a huge role on how buying decisions for IT
infrastructure and related resources are made within organizations.
Risks
The process of managing a secure cloud space can be more
challenging than creating a secure classical IT environment. The
main risks of adopting cloud computing are:
Misunderstanding responsibilities – in a traditional IT scenario
the security of data is entirely the burden of the company;
however, in a cloud computing setup the responsibilities are
divided between both the cloud provider and the client depending
on the cloud services adopted.
Data security and confidentiality issues – the biggest security
concerns with companies moving to cloud computing relates to
data security and confidentiality. In particular, concerns arise
around the data security lifecycle e.g. creation, storing,
accessing, modifying and transferring of data.
Lack of standards – the immaturity of this technology makes it
difficult to develop comprehensive and commonly accepted set
of standards. The excitement around cloud has created a flurry
of standards and open source activity for different aspects of
cloud computing thereby leading to market confusion.
Interoperability issues – when companies decide to move their
services to another cloud service provider for whatever reasons,
the lack of interoperability between service providers may block
or raise heavy obstacles to such a process.
Reliability breakdowns – the availability of services for cloud
clients can be severely impacted if connectivity problems arise or
if a service provider goes out of business.
Hacking and intrusion risks – security risks pose major threats
in a cloud environment
Malicious insider – information confidentiality, integrity and/or
availability can be compromised by a cloud service provider’s
employee who has reasons or is motivated to create a bad
impression on the service provider.
4. 4
Benefits of Cloud Computing
Saves money and time; it is efficient and collaborative;
Faster and more reliable than traditional IT;
It facilitates the sharing of applications, networks, software and
other IT related resources;
Businesses are able to scale up without any major upfront IT
infrastructure costs;
Scalability, simplicity and cost efficiencies; and
Enhancement of competitiveness.
Developing a holistic cyber cloud strategy
The following considerations of assessment areas should be
embarked upon when selecting an appropriate Cloud Service
Provider:
Organizational security – The vendor must have adequate
information system governance procedures specified in the
service level agreements.
Effective security controls – The service provider must outline
how data would be stored and retained and the existing security
should be highlighted to ensure data integrity and confidentiality.
The security policies should be comprehensive and included in
the service level agreement.
Access control – Vendors must have ways to detect
unauthorized activities and provide security for remote access of
data.
Legal implications – Discussions around the legal obligations
in terms of storing data offshore in other countries should be
carried out with the vendor if the organization has branches in
other countries or if the vendor stores the data in other
countries.
Exit clause – One of the common mistakes organizations make
are to ignore the “exit clause” when evaluating service
providers. In the event of failure of the cloud, steps need to be
highlighted at how to regain ownership and control of data.
Vendor lock-in – Organizations should be weary of lock-in
clauses of service providers. In the event of lock-in clauses or
service provider closures, data import and data moving
becomes more difficult and business clients can face serious
repercussions for data migration.
Typical questions to ask before signing a Service Level Agreement:
Do 3rd
party applications which the cloud provider access to
support business applications have access to client’s sensitive
data?
Is there any system testing and audit trial strategy?
Are patch management strategies defined and in place?
What security training is provided to the employees?
In case of data and power outages do the Service Provider have
appropriate backup strategies?
What is the staff hiring policy? i.e. vetting procedures.
What is the appropriate reimbursement cost in case of data loss
or damage? i.e. time scales, data retrieval process.
What is the level of certification achieved in terms of quality and
security compliance?
What are your management and reporting policies?
5. 5
Conclusion
Cloud computing is a technology that has the potential of changing
the way organizations do business in the future. As a result of its
sudden emergence, a large amount of research ranging from opinion
pieces on technical details, cloud computing advantages and
disadvantages, cloud computing risks as well as opinion pieces on
the potential impact of cloud computing on business, have been
written. With all the benefits and advantages that cloud computing
brings, it would probably make business sense to adopt this new
technology. However, before moving over to this new IT innovation,
companies need to understand the risks and value it would bring to
the organization in order to make an informed decision.
Cloud computing generally have different advantages uniquely suited
for different organizations but requires organizations to delft into the
concept of cloud computing so as to gain an appropriate
understanding in order for them to appropriately identify the exact
benefits. Organizations should clearly understand their reasoning for
moving to cloud computing in order to maximize the opportunity.
It is difficult to read business or information technology magazines or
articles without coming across the concept of cloud computing. The
current sluggish economic environment will force organizations to
consider cloud computing as an alternative as it will soon change the
way business is approached. It will force organizations to relook at
their IT strategies and the way they embark on their IT spend.
Although this new IT paradigm comes with risks and challenges,
there is a strong indication by experts that advantages and benefits
far outweighs the risks. Even though the understanding of cloud
computing may be limited, it is clear that top management need to
further educate themselves on the topic and will need to re-strategize
on ways of creating efficiencies, cost savings and business value.
Wayne Poggenpoel
Wayne is currently at the Human Science Research Council (HSRC) within the Enterprise Risk
Management Unit as the Compliance and Business Analysis Manager. His current responsibilities
include regulatory compliance for the entire organization as well providing various business intelligence
information in pursue of company strategy. Prior to the amalgamation of the Africa Institute of SA
(AISA) and HSRC, Wayne headed up the internal audit function of AISA, responsible for all internal
audit related responsibilities.
Wayne has Master’s Degree in Internal Audit coupled with a National and National Higher Diploma in
Internal Auditing as well as with international certifications in internal audit, control self-assessments
and government auditing (CIA, CCSA, CGAP). He has in excess of 17 years internal audit, risk
management and management consulting experience which crosses both private and public sectors. He
is a current member of the Technical Committee of the IIASA as well as a Member of an Audit
Committee Cluster of Gauteng Treasury responsible for the Departments of Agriculture, Human
Settlements, Infrastructure and Development, Roads and Transport and Cooperative Governance and
Traditional Affairs. Wayne has presented on various topics including internal audit at several
conferences and forums and have written articles for different magazines including the IIA Advisor.