As the most hyped concept in IT today, Cloud Computing has taken spin to a whole new level. Vendor marketing is awash with the benefits of Cloud computing with little mention of the pitfalls.
In this three-part series, Computerworld examines some of the very real risks and shortfalls associated with Cloud Computing and also identifies which areas have the most potential to completely transform the enterprise.
Part One deals with the need for greater Cloud transparency and warns users to be wary of vendor certification claims.
It also examines the rise of DevOps, which is starting to generate a lot of interest. But beware: DevOps isn't the right fit for every enterprise and is better suited to an IT organisation with a high level of maturity. Finally, Part One delves into the concept of Cloudbursting.
Lack of transparency
The first and most obvious area where Cloud services are lacking is standards. There is very little transparency when it comes to the thorny question of risk assessment processes.
Without standards, users cannot effectively evaluate Cloud providers. But this year is the beginning of a multiyear effort to reach a degree of consensus. For example, the Cloud Security Alliance (CSA), which is partnering with the International Organization for Standardization (ISO), is currently working on its first version of the Consensus Assessments Initiative Questionnaire.
There is also the Standardized Information Gathering (SIG) questionnaire, which can be downloaded and used at no cost. The US Government is releasing its own Cloud framework for federal agencies at the end of this year, and a European initiative is also being developed. Dubbed the Common Assurance Maturity Model (CAMM), it will provide buyers with actual ratings.
Gartner analyst Jay Heiser says one of the most commonly expressed buyer frustrations for Cloud services is the lack of a checklist. Heiser says organisations want to assess a service provider's ability to maintain information confidentiality, integrity and service reliability, and the likelihood that a provider can restore data and service after a disaster or any kind of data loss.
He also says users should be wary of vendor claims that their products are fit for purpose because they have undergone a Statement on Auditing Standards (SAS) 70 or Statement on Standards for Attestation Engagements (SSAE) 16 audit.
"Such a claim is meaningless without a review of the detailed auditor's report to ensure that the scope of the assessment was complete, and that the set of controls evaluated is adequate in meeting the organization's business requirements for security, continuity and recoverability," he says.