Cloud Computing: Vendor Selection and Asset Protection
Cloud computing represents a significant evolution in information technology (IT) service offerings, creating a powerful and flexible way to access the latest technology services while still managing IT costs. Cloud computing service types have different advantages and constraints consistent with their architecture. The optimal cloud computing architecture depends on specific business needs, which can be met by different services capabilities, technology, and vendors. Selecting the right vendor to move data applications to the cloud is an important step. While there are a number of providers available, not all of them offer viable choices to meet your business and technology needs.
Several varieties of cloud computing have emerged: vendor-provided services accessible via the Internet or a private network; internal enterprise computing architectures modeled after vendor clouds; and hybrid models that mix vendor cloud services, internal cloud architectures, and classic IT infrastructure. Vendor-based and hybrid clouds introduce new risks, as well as increased complexity in managing existing risks. How well do you understand the risk implications of moving your IT platforms to the cloud? How effectively is your chosen vendor managing risks and protecting your information?
- Numerous choices. There are many vendors offering cloud computing services. Some of the emerging vendors may appear to have the ability to meet your needs, but lack credentials and qualifications that can be verified. There are also major technology vendors that offer unlimited service capabilities. Comparing current and future technology needs with cloud computing offers can be challenging.
- Ubiquitous risk. Clouds are designed to be both dynamic and on-demand, so data may reside anywhere within the cloud -- possibly in multiple locations on shared devices. This ubiquity enables efficient use of the cloud's underlying assets, but it may present significant risks to the owners of the data depending upon the requirements of a wide variety of laws, regulations, and industry standards. A vendor without proper internal controls and regulatory standards may not be able to adequately secure your data. As a result, there may be a variety of IT and operational risks to consider.
- Vendor reliance. Your data and systems will likely be under the control of your vendor, but you may still be responsible and accountable for your information system and for compliance with your software license agreements. However, your vendor can take on significant risks associated with managing and protecting your data. Any organization choosing to move to the cloud should understand how inherent risks are being addressed versus those which are created. Your organization may need to request audit reports from the cloud vendor to manage your risk on more than `vendor trust' alone.
A fresh approach
Whether you're just getting started with your cloud computing strategy or looking for smart ways to expand current initiatives, we can help in your efforts. Deloitte can provide information to help you create a secure delivery framework for your cloud computing initiatives from inception to ongoing operation. We can help you address the proper risk balance between control and efficiency, focusing on a wide range of critical issues.