Moving Services to the Cloud? Take an Umbrella
by Chris Kradjan, National Chair, IT Auditing & Consulting Group
Cloud computing is here to stay. And the reason is clear: Working in the cloud is a viable and flexible method of service delivery for software, storage, and shared resources that’s gaining broad adoption at a time when enterprises are shifting from the client-server model.
In practical terms this technology transition offers many advantages. It gives users easy, instant, and individualized access to the tools and information they need—wherever they are and from any networked device—and it doesn’t require a hardware purchase or software installation.
This is why an increasing number of organizations are hard at work embracing cloud-based applications, why service providers are migrating to the cloud, and why the frenzied build-out of data centers is one of the few bright spots in the real estate market these days. What’s more, a host of large and middle-market enterprises will soon start deploying a mix of public cloud services (such as software as a service, infrastructure as a service, and platform as a service), private cloud services, and traditional computing arrangements.
However, while seamlessly managing this digital combination can be done, it will pose a challenge. And that’s not the only challenge for businesses seeking to adopt a cloud computing strategy. Other major issues include a fairly expensive and complex start-up period, questions about data security and privacy, and uncertainty when it comes to quality of service delivery.
Fortunately, there are things you can do to help overcome these challenges. Let’s take a look at three of them.
Develop a Plan Beforehand
Companies frequently make large and inefficient up-front investments in cloud technology, especially to build out a platform that will support a different infrastructure. Big players such as Microsoft, Google, and Amazon have the scale and resources to recoup these costs, but it’s a different story for smaller firms.
The net takeaway here is that a tremendous amount of thoughtful and strategic enterprise-wide planning must precede any move to the cloud, particularly with the fast-changing market we’re now experiencing. Once you’re operating in the cloud, it’s hugely beneficial; getting there, however, requires caution and counsel.
Pay Close Attention to Security and Privacy
Organizations are slowly coming to terms with their exposure, and possible loss of control, when enterprise data is sitting in the cloud. These fears have been accentuated because, in many cases, it’s difficult to put robust back-office monitoring tools in place. To compensate, and gain a greater measure of assurance, businesses are increasing their demand for due diligence. In addition, corporate compliance officers are making it clear that employees need to be trained and educated about the cloud’s potential vulnerability.
There’s a real-world urgency here. Large cloud-driven companies such as Amazon must confront the potential threat to their investment and customer base if their technology platform goes down. And offsetting this financial and reputational risk requires solid backup plans capable of withstanding an emergency.
We’ve already seen what this looks like. Online shoe retailer Zappos, which is owned by Amazon, was victimized in January by a cyberattack that affected more than 24 million customer accounts in its database. Zappos said that customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, partial credit card numbers, and scrambled passwords were
stolen. Fortunately the hackers weren’t able to access servers that held customers’ critical payment data.
Scrutinize Your Service Providers
Each contract you enter into with a cloud service provider requires thorough review. For one thing, the terms and conditions haven’t been normalized or standardized across the industry yet. And for another, the payment and licensing models are, to some degree, still in flux.
In extreme instances companies have signed one-sided cloud computing contracts that impose responsibility for security and data protection on the customer, disclaim all liability, offer no warranties, and give the vendor the right to suspend service at will.
To make sure cloud service providers meet your company’s governance and customer requirements, ask these questions before signing a service contract:
- What are the services being offered?
- What are the payment provisions?
- What are the security provisions?
- What are the insurance, liability, and warranty provisions?
- What happens if the service goes down? Who gets back online first—large companies or small ones?
- What happens if the service provider is forced to shut its doors? Where does the company data go?
- What happens if a venture capital–backed service provider is sold? Where does the company data go?
Stay Vigilant
Despite these risks, cloud computing will continue to play a major role in enterprise IT. All the more reason, then, for organizations in the cloud—or those moving to the cloud—to proactively manage the serious issues that accompany this important technology breakthrough.
Chris Kradjan provides SSAE 16 audits, internal control reviews, security and penetration audits, Sarbanes-Oxley compliance services, and independent technology audits to public and private companies nationwide.
The material appearing in this communication is for informational purposes only and should not be construed as legal, accounting, or tax advice or opinion provided by Moss Adams LLP. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services and should seek advice from an independent advisor before acting on any information presented. Moss Adams LLP assumes no obligation to provide notification of changes in tax laws or other factors that could affect the information provided.