Cloud Computing: The Risks Beyond the Metaphor
Cloud computing is big business. With a worldwide market forecast to reach nearly $241 billion by 2020, it’s no wonder chief information officers (CIOs) rank cloud computing in their top three technology priorities for 2012.
Cloud computing is the market’s metaphor for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service-provider interaction.
Cloud computing is most often:
- Software as a Service (SaaS) — software applications accessible through an interface, like a web browser. SaaS essentially enables users to rent software and data storage space from a provider (e.g., Gmail or Google Docs).
- Platform as a Service (PaaS) — platforms to host, test or maintain developers’ code (e.g., Force.com).
- Infrastructure as a Service (IaaS) — outsourced infrastructure on which users may deploy their own operating systems and applications (e.g., Amazon Web Services, Rackspace, IBM’s various IaaS cloud offerings).
If SaaS, PaaS, and IaaS are familiar concepts, then you may also be aware of some of their offspring: Development as a Service (DaaS), Application Platform as a Service (aPaaS), Software Infrastructure as a Service (SIaaS), Cloud Enabled Application Platform (CEAP), Business as a Service (BaaS) and Gaming as a Service (GaaS).
As the cloud market matures, multiple business models for cloud computing are emerging.
The public cloud is available and marketed to businesses and consumers at large and employs a mega-scale infrastructure. Developers and non-IT business leaders, especially, are rushing to embrace the public cloud.
The private cloud focuses on IaaS and is owned or leased by a single enterprise (diminishing the scalability benefits of cloud computing, but allowing users more control).
The community cloud serves, and is shared by, a defined, limited constituency of users.
The hybrid cloud is a creative blend of one or more of the previous options.
Advantages
So why the current fascination with cloud computing? Outsourcing one’s IT needs from a PC or internal server(s) to an offsite, more accessible and probably shared server with state-of-the-art IT support offers many benefits, including:
- Access to cloud-based data, apps, platforms, etc., from any computing device anywhere, anytime.
- Cost savings as hardware, software licenses, upgrades, etc., become unnecessary.
- Increased data storage capacity.
- Elimination of network maintenance and update disruptions.
- Enhanced data security.
- Flexibility to respond to changing resource demands and limitations (both electronic and human).
Perhaps most important, cloud computing offers scalability — the ability to do what you do in a bigger way. The cloud allows users to do more, faster and at a more complex level — without increasing the cost.
Risks
While cloud computing has advantages that PCs and internal corporate IT departments may be unable to match, the concentration of data, applications and systems on mega-servers maintained by remote personnel presents distinct risks. Some risks include: loss of service and data, invasion of privacy and other privacy issues, compliance issues, and other disputes.
Loss of Service. Loss-of-service headlines pepper the media as “news,” but the reported causes are often familiar: errors in upgrades, bugs in updates and heavy traffic. Service outages can extend beyond inconvenience to material business interruptions.
Loss of Data. Incidents of permanent data loss have been rare, but they do occur, as mega-vendors like Amazon have learned.
Invasion of Privacy. Despite cloud providers’ assurances of data security, hackers are an ingenious lot. Citigroup, Sony, the International Monetary Fund, Lockheed Martin, the U.S. Senate, Comodo (a too-big-to-fail entity providing certificates of site authenticity to web browsers), and countless others have all learned the hard way.
Privacy issues also arise from the voluntary production of cloud-stored information incident to litigation. Courts are split on whether the Stored Communications Act (a legacy from the 1980s) prevents disclosure of cloud-based information, so cloud providers and users must be prepared for the possibility that otherwise private data, once stored in the cloud, may no longer be deemed private.
Traditional Business Disputes. As in any hot market, the cloud is populated with competitors aggressively challenging each other’s intellectual property rights and sales practices, and fighting over the theft of trade secrets and of the employees who know them. The cloud also promises traditional contract disputes, as vendors and their customers fight to allocate losses due to service interruption, security shortcomings, and alleged poor performance.
Compliance Issues. Cloud users, not their providers, are responsible for compliance with state and federal laws related to data privacy like HIPAA, the Gramm-Leach-Bliley Act, and the Federal Information Security Management Act. Likewise, compliance with e-discovery requests in litigation falls to the parties to a lawsuit, not their cloud providers. Because there are currently no universally accepted standards for cloud computing providers to follow in storing and maintaining information (although various groups are looking to develop them), passing the risk of noncompliance onto providers may be impossible.
Cloud Best Practices
Outsourcing IT to the cloud is not the same as transferring data management risks.
Prudent users therefore should scrutinize cloud providers’ privacy policies, security measures, disaster recovery plans, and all aspects of the provider’s electronic infrastructure. For those new to the cloud, the National Institute of Standards and Technology’s (NIST) Guidelines on Security and Privacy may provide a useful starting point for that analysis.
Users should also ensure that their own privacy policies, litigation holds and other data-driven protocols take their cloud activities into account.
Users should also consider the value of the “extras” such as data recovery services and redundant servers when purchasing cloud services.
Users should carefully evaluate contractual transfers of risk (warranties and indemnity provisions). Typical cloud service contracts will include an indemnity provision that favors the service provider and provisions that limit damages to the cost of service, enhancing the cloud user’s need for contract negotiation.
For cloud providers, best practices will include making security measures and rigorous disaster recovery/business continuity plans a centerpiece of their design. Another best practice is to maintain favorable indemnity provisions and damage limitations.
As with any emerging technology, balancing risk tolerance with business benefit is key. Mitigating that risk with appropriate insurance coverage, such as data protection and errors or omissions insurance policies, is one way to strike the balance.