10/14/2010

Cloud Trust – Are you keeping up with your organization’s plans for monetizing the cloud?

Many enterprises are now embracing cloud computing – especially as a model to quickly launch new products and services. As GRC professionals, we are not always privy to these plans until they are well underway and can find ourselves in the position where we are trying to assure governance and security controls are in place in hosted environments – after the fact.

Gartner estimates that cloud computing services market will grow to over $150b by 2013. Your own organization may be part of this growth - leveraging private cloud, public cloud or hybrid models.  To provide value to your organization on issues of cloud trust, you will need to distinguish among cloud types and their respective trust characteristics. For example in the public cloud, you are less likely to be able to maintain traditional control over your organizations’ information assets, and in the private cloud, you can do much more. In fact, properly implemented, a private cloud deployment can prove more trustworthy than what you have internally in place today.

Most importantly, you will need to evaluate specifically what business processes and information, applications, and other assets would be moving to the cloud. This will require a pretty thorough evaluation that will lead to what type of cloud deployment model is the best destination for what you are trying to achieve. At EMC, we have been doing work on this by looking at each asset and its potential migration to the cloud through three “filters” – economic, functional, and trust. The real danger lies in moving assets to the cloud without applying all three.  More about that work coming in a later post.

In the interim, you might start having conversations with your business colleagues and management to understand more about how they are trying to improve customer experience, business processes and services – and how cloud computing may be leveraged to improve agility and lower costs through better resource utilization. Become familiar with what public cloud providers really offer in terms of security and assurance. Understand what communication service providers (that you may be using now or in the future) are planning to launch as cloud service offerings to support their very diverse and growing customer base – consumers as well as enterprises. (For a quick review of how CSPs can/are exploiting cloud opportunities - read this EMC Consulting Perspective here). 

The cloud computing market is evolving rapidly with new capabilities being offered almost daily that many organizations can’t afford to ignore. It is our responsibility as GRC professionals to stay ahead of this curve and keep our organizations and IT groups moving safely along the journey to the cloud.   

Here’s a brief review of cloud types – more coming next week on how to evaluate the trust profiles of each.

Public Cloud: Resources are owned and managed by the provider and shared across customers. Scale economies can be high and costs low, but for the enterprise customer both transparency and control can be low. A variation is the community cloud, a multi-company members-only version of a public cloud, usually centered on a common business process (e.g., for use by a purchasing consortium).

Private Cloud: Resources are owned and managed by the enterprise and shared across it. The enterprise has scale economies and cost advantages (though not on a par with the public cloud) together with more transparency and control. Private cloud resources are usually on premise; however, an external private cloud can be operated by an outside service and still offer the level of transparency and control (including over asset location and segregation) needed by the enterprise.

Hybrid Cloud: A mix of public and private clouds. Each application and its data may reside in isolation in one cloud or the other. In more complex configurations, selected data moves back and forth, for example when a public cloud CRM application shares data with financial applications in a private cloud. Sometimes a public cloud service is an on-demand extension of computing and storage infrastructure to handle peak loads. Hybrid cloud is the more complex configuration, but can offer greater flexibility and benefit.

 

Oct 14, 2010 12:28:58 PM | Cloud Computing, Governance, Risk and Compliance, governance, risk, compliance, security, controls, infrastructure, GRC, GRC, Information Governance, Information Security Risk Management, Risk Manangement

The comments to this entry are closed.

NEXT POST
Cloud Security -Certification of Cloud Security Knowledge Cloud Security -Certification of Cloud Security Knowledge - there is a good certification now available online (for $195 through Dec 2010) at the Cloud Security Alliance. Launched in July, it is a 50 question, multiple choice test that must be completed in 60 minutes - but don't worry - there is a study guide available at CCSK Study Guide.
PREVIOUS POST
Cloud Assessments – Try the Cloud Security Alliance Consensus Questionnaire Check out the of CSA’s main accomplishments has been advancing the adoption of the Cloud Controls Matrix into international standards communities. An important new development is the Consensus Assessments Initiative (CAI) Questionnaire – a spreadsheet that cloud consumers and assessors can use to understand what security controls Cloud Service Providers (CSPs) have implemented in their exist in IaaS, PaaS, and SaaS offerings. The Questionnaire is a companion to the CSA Guidance and the CSA Cloud Controls Matrix. Use it with CSPs you are considering – test it and give feedback to on what works and what doesn’t to the CSA working groups.

Yo Delmar

A MetricStream exec with a passion for Governance, Risk and Compliance

The Typepad Team

Search

My Other Accounts

Recent Comments