How to assess risk when considering cloud computing

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Cloud computing has transformed the way IT resources are utilized, but the externalization of infrastructures and applications has brought with it the perception of increased risk, which seems to swirl around visibility and control.
This perception of increased risk has prevented the adoption of cloud solutions in a number of industries, so the key question is how to make decisions about moving your organization’s IT solutions to the cloud while considering the risks involved.  
Let’s review the key advantages of cloud computing:
* Economies of Scale: Traditional IT and IT outsourcing run on infrastructure that is costly to create and maintain. In contrast, the cornerstone of cloud is cost efficiency, as the cloud does not require a capital investment to set up the infrastructure, or an in-house team of IT experts. Moreover, an organization pays only for the storage capacity it consumes, meaning enterprises can readily scale processing and storage needs up and down without spending a lot on overhead. Organizations end up saving time and critical resources, and can transform IT into a strategic team that focuses on more innovative initiatives.
* Agility: Most CIOs actually adopt cloud solutions because they can be up and running quickly, not because they are cheaper. Faster realization of business benefits and reduced costs around internal IT project management, procurement, integration and change management are also key drivers. Organizations also don’t have to worry about ongoing operations, updates and fixes, as these are handled by cloud vendors.
* Flexibility: Cloud paves the way for innovation in several areas, and quickly adapts to business changes. For instance, online retailers can leverage cloud services to effectively implement web-based, point-of-sale and online purchasing applications. Organizations can give their employees and key stakeholders access to corporate resources on the cloud which can drive improved productivity, irrespective of where employees are located or what devices they use. Cloud also supports big data, as many organizations migrate more and more of their business applications to the cloud.
Understanding the Risk Factors
The biggest fear for IT managers is the thought of losing control – “The infrastructure is no longer within my control and someone else is responsible for it. What happens if they fail?”  Risks can be viewed through an infrastructure, software capability and data perspective.
* Data Security: Uncertainty about, and limited visibility into, the security elements used by cloud providers is a big cause of worry. With business data residing offsite, as well as increased travel, the risks of possible data theft and hacking are evident.
* Service Reliability: The increased chances of losing Internet connectivity and of the cloud provider being subject to outages raise questions about reliability and network dependency.
* Software Management: Without control over the software, the process for making edits or updates to the software or bug fixing can get very complex.
Organizations that hesitate to entrust their business information and applications to cloud service providers fail to realize that external cloud providers can actually do a better job of managing these risks when compared to internal IT teams. After all, they develop best practices by working with multiple customers; they have a higher incentive to avoid breaches because the reputational cost is much higher for them (and, bluntly speaking, more jobs are on the line); and there are fewer single points of failure because service providers deploy more redundant resources.
Recommendations
While debating the need to move to the cloud, organizations must carefully navigate through the risk-reward maze, gain a thorough insight into how the cloud can enhance their business value, and thereby realize their IT objectives without putting their business in peril.  Here’s what we recommend:
• IT management and departments need to realize that cloud providers are an extension of their internal IT department. All of the risks apply equally to the provider as well. The key difference is that with internal departments, it can be easier to validate, enforce and administer controls to manage risk.
• Choose a cloud provider who can demonstrate validation of controls. Some of these controls include SSAE audit, data, accessibility, data center security controls and data encryption.
• Opt for a private cloud, or a virtual private cloud, where systems are virtually separated from each other through an encrypted environment inside a public cloud.
• Analyze which legacy applications are appropriate for the cloud.
• Ask the cloud provider for a definitive disaster recovery plan. An internal revert strategy will also help to quickly move to an alternate IT service model.
• Maintain regular backups of critical cloud-based assets, and protect data through strong encryption.
• Ask for regular security-event alerts from cloud vendors, and ask them to flag specific mission-critical assets.
• Seek independent audit reports from service providers for greater transparency, and check industry certifications of cloud service providers such as ISO 27001 and 27002, ISO 31000, and Payment Card Industry Data Security Standard (PCI DSS) compliance certification.
• Add security measures to the cloud such as single sign-on access to multiple cloud applications, and also leverage a security framework such as ITIL or ITSM.
By strengthening IT governance processes and establishing reliable controls, businesses can derive real competitive advantages from cloud solutions. The focus of any decision should be a checklist-driven analysis of controls as opposed to a general feeling of risk, which is likely to deprive the organization of competitive advantages and the benefits of being able to rapidly incorporate best-of-breed capabilities into the business. CIOs and key IT decision makers should view the core issue from the perspective of a controls analysis rather than risk analysis when considering the risk/reward tradeoff.
Piyush Pant is Vice President of Strategic Markets, MetricStream