By JIM WHETSTONE, a senior vice president of U.S. technology and privacy manager with Hiscox; and DAVID CHAVEZ, a senior vice president of global errors-and-omissions technology with the company
Would you send your child to a daycare you hadn't thoroughly vetted? Of course not. You want your child to be safe. Risk managers feel the same way about their organization's assets and data. When moving to "the cloud," they want to be sure that the technology resources and data that are their business's lifeblood are handled with extreme care.
Parents and risk managers share the same goals. Their provider must be prudent, experienced and hire with discretion. Above all, the provider must keep their child or data protected and accessible only to them and their inner circle. Inherent in both situations is a profound loss of control, necessitating extensive due diligence.
Even if an organization does not have a dedicated risk manager, small business owners and others should consider these risks, ask questions and take precautions to keep their data safe.
Cloud computing refers to applications and services offered over the Internet. Instead of running one's own network, requiring an investment of money and time, moving to a cloud-based computer system provides convenient, on-demand network access to resources that can be accessed rapidly with minimal management or service provider interaction.
Drawn by the cloud's cost savings, efficiency and nimbleness, companies are embracing it. The global cloud market is expected to grow to $121 billion by 2015 from $38 billion in 2010, according to the research firm MarketsandMarkets.
Of special concern to risk managers, however, is that rapid growth is fast outpacing security. A recent study by the Ponemon Institute highlighted disturbing gaps. Of the 637 senior information technology practitioners polled, fewer than one in 10 said their companies vetted their products or trained employees to establish that their cloud computing resources met security requirements before deploying them.
Equally disturbing, corporate security professionals were involved in screening providers just 9 percent of the time, according to the survey, which polled businesses with 1,000-25,000 employees. The majority of decisions were made by end users and business managers, with little oversight. Regardless of how the cloud is accessed, a company can't outsource its responsibility. To that end, risk managers must establish and enforce proper due diligence, including vetting providers, writing a solid contract, setting reasonable expectations regarding service delivery, and establishing clear lines of communication and accountability for all three types of relationships: client to cloud, cloud to third party, and client to third party.
Identifying and preparing for hazards inherent in the cloud is best handled between the information technology and risk management departments. Here are five risks that stem from the loss of control inherent in cloud computing, and strategies to mitigate them.
LOSS OF CONTROL OF NETWORKS
A company loses much of its control when it ceases to run its own networks. Sometimes that control is given piecemeal. Other times, it is given completely. Companies may agree to have their data stored in the cloud or have certain applications or their entire network run in the cloud. Regardless of how much control they relinquish, they must ensure that the cloud provider cares as much about protecting the data as the client does.
The client company should start by making sure that the provider knows and has experience with all of its software applications, protocols and operating systems. Without that experience, a cloud provider cannot prepare for errors, updates, outages and interruptions, as well as adequately plan for upgrades, enhancements, and the dreaded software "end of life."
Fortunately, one of the advantages of moving to the cloud is the agility of the cloud provider. It takes a lot of resources to monitor and update a network, and cloud providers offer those resources 24/7. It's critical that the cloud provider knows how to manage the unique features that make up the network.
Once a provider has been chosen, the client company must establish clear lines of communication and accountability. It should also set clear performance expectations and monitor how closely they're being met. Performance isn't just about up-time. Ask questions about physical security, employee selection, resource training and monitoring, patch management and disaster recovery. If the cloud provider isn't replicating an existing computer system, make sure it's clear how data will be stored and segregated, whether it will be encrypted, and how fast and how easily it can be retrieved.
Most importantly, the contract should seek to shift an appropriate amount of legal responsibility to the provider. In the event of a data breach, for example, the cost of notification, monitoring and other requirements should be the provider's responsibility.
Further, the contract must state with particularity how and when breaches will be reported and the protocol for responding to them. All cloud providers should be required to have comprehensive insurance, including general liability, professional liability (errors and omissions), business interruption, privacy and data breach coverage.
LOSS OF RELATIONSHIP CONTROL
Sometimes, a company may use a cloud provider to run applications it relies upon to communicate with key partners or customers. Those apps might include payment portals, customer service centers, shared sites with vendors and the like. From the beginning, it's important to establish clear expectations regarding response times to inquiries and payments, the proper responses to customer queries (including the preparation of a pre-arranged script), and when to escalate problematic communications.
Transparency is important as well. Some client companies want to make it clear to their customers when they're leaving the company's website while others prefer the opposite, running their portals on a cloud that is branded as though it is their own. Regardless, the key is that no company wants to lose a customer or a key vendor because of an act or error of its cloud provider.
In most cases, the cloud provider will have multiple subcontractors that are typically unknown to the risk manager or other internal staff. This can be problematic. It's important to thoroughly understand who each subcontractor is and their qualifications. Cloud providers may use a multitude of subcontractors in all kinds of roles. Like any other company, a cloud provider is looking to save costs and may look overseas for such savings. Client companies should look very closely at any cloud provider that sends offshore any part of its services, particularly if the provider plans on storing or sending data outside of the U.S.
By definition, cloud computing implies some sharing of resources, whether it's servers or applications or even power and utility usage. Since this sharing of resources can be so diffuse and on such a large scale, it's essential to confirm that security isn't compromised. The cloud provider must be able to demonstrate that the client's data will be isolated from the data of other customers of the cloud provider and, further, that access to the data is strictly controlled. The provider must treat the data as the asset it is and not merely a component of its revenue stream.
Another problem with shared resources is that efficiencies can be created only if the resources are in fact shared. Cloud providers are creating data centers throughout the world. Sometimes there's no telling precisely where data is being stored or which jurisdiction it's transmitting through. That could be a problem for a company that operates entirely in the United States and knows and obeys U.S. laws but is less concerned about international laws because it never expects to be exposed to a foreign jurisdiction.
Increasingly, there are new international regulations governing the handling of personal medical information, credit card data and Social Security numbers. A cloud provider should be able to tell its clients precisely where its data is stored and where it transmits.
Obvious risks arise from the fact that the cloud is not on the client's physical premises and is not in proximity to the client's employees. Problems that can't be managed remotely, or for which the client doesn't fully trust the provider, will suffer a time lag while the client company sends its employees to the site to make or oversee repairs. Some cloud providers scoff at this, suggesting that it undermines the cloud model, where everything can be fixed virtually. That's a bit of a simplification and doesn't take into account events such as floods, physical theft or earthquakes.
There is also the issue of who has physical access to servers and other equipment and what security provisions are in place. An occasional visit to a cloud facility can put to rest nagging concerns about physical security and orderliness.
While cloud computing presents new and complex challenges for risk managers and small business leaders, those issues can be controlled. A loss of control does not have to mean a breakdown in security and accountability. More than ever, however, risk managers and others charged with safe cloud computing must embrace a team approach and be vigilant and proactive. Cloud computing will continue to grow; risk management must stay a step ahead.
April 1, 2011
Copyright © 2011 LRP Publications