How to Deploy Safe, Effective Clouds
In its 2014 "Building Trust in the Cloud" paper, EY (formerly Ernst & Young) reports on the increase in cloud computing adoption that has occurred in the past several years. In 2010, just 30 percent of respondents to EY's 2013 "Global Information Security Survey" said their companies used or planned to use cloud computing. By 2012, that jumped to nearly 60 percent.
EY Senior Manager of Advisory Services Justin Greis is confident this upward trend will continue. He told Baseline in an email that it is now commonplace to migrate enterprise systems once thought "impractical" or "impossible" to move to the cloud.
"For organizations that have not invested in IT in many years, cloud delivers a real jumpstart to their capabilities," Greis wrote. "For organizations that have kept pace with technology trends, the cloud provides flexibility, scalability, interoperability and the promise of cost savings. Those benefits are hard to ignore. We believe cloud adoption will continue to grow, and in the very near future, every organization will have some part of its core business model enabled through the cloud."
Despite the growing trend toward deploying cloud computing, 38 percent of respondents to EY's security survey said they had not taken precautions to decrease inherent security risks. Others said that their executives balked at cloud adoption out of fear of moving data over a public network or doubts about the laws and regulations governing the transmission of information across international borders.
To achieve a safe, effective cloud computing deployment, EY advises executives to shift their focus toward building a secure, trusted and audit-ready (STAR) cloud environment. Six domains contain the various controls and procedures required to support a STAR environment: organization, technology, data, operations, audit and compliance, and governance.
The level of "maturity" that a company exhibits in each domain is typically reflective of its industry or sector, according to Greis. For example, financial data companies are typically strong in the data domain, whereas personal health information businesses may be advanced in auditing and compliance.
"The model does not require a company to mandate that every control element or best practice be in place in the cloud," he said. "But it does force the company to analyze the cloud environment and make a risk-based decision if the results of the analysis put the company at risk—or represent an opportunity."
Companies whose IT executives ignore or avoid cloud computing may have to deal with shadow IT: Employees may begin to implement their own cloud solutions, creating security risks and other issues in the process. Shadow IT can become problematic when companies continue to view cloud computing as a nuisance rather than a solution that is capable of meeting its "trust requirements," according to Fawaad Khan, EY's Americas cloud leader.
"The key for any company is to recognize that the cloud has penetrated the perimeter and they need to adopt a framework to build a secure, trusted and audit-ready environment," Khan stated in an email to Baseline. "Without an effective cloud framework, shadow IT will soon overshadow IT."