Strada Dr. Felix Iacob, Nr. 63-69
Cladirea Premium Plaza, Etaj 15 011033 Bucuresti, Sector 1
Managing risks in the cloud
Many organizations are looking to cloud computing to increase the effectiveness of IT initiatives, reduce cost of in-house operations, increase operational flexibility, and generate a competitive advantage. Through an effective strategy, cloud computing can enable many companies to do much more with IT by becoming strategy focused and not operations focused. Cloud-based services are nimble and adaptive, increasing capability to read and react to changing marketplace conditions by responding to customer needs and competitors’ actions.
Savvy business professionals recognize the speed and efficiencies that embracing cloud technology can bring. Organizations that are disinclined to focus on IT recognize the tremendous value of being able to concentrate on their core business competencies. This is attained by shifting to a user of IT services, as they no longer need to build and maintain complex internal IT infrastructures. Cloud computing is evolving at a fast pace, giving companies a variety of choices when looking to restructure their IT organization.
However, like most technology changes, cloud computing presents its share of risks and challenges, which are too often overlooked or not fully understood by businesses that are quick to embrace it. Implementing cloud computing requires a considerable shift from traditional computing methods and business processes. Organizations considering cloud computing should conduct due diligence based on the needs of the business and the capability of IT in order to determine readiness for adoption of the platform. A clear and attainable strategy for migrating to the cloud is then required, taking into consideration the associated risks and challenges while providing robust internal capabilities to address such matters.
In this paper we will discuss the cloud risk universe or — in other words — the most important risk areas that need to be addressed while moving into the cloud. As part of this discussion we will provide a framework to conduct a cloud risk assessment.
According to MarketsandMarkets.com, Cloud Computing Market — Global Forecast (2010 — 2015), the global cloud computing market is expected to grow from US$37.8 billion in 2010 to US$121.1 billion in 2015 at a CAGR of 26.2% from 2010 to 2015.
Cloud computing services are available across the entire computing spectrum. The US National Institute of Standards and Technology (NIST) published a definition of cloud computing as ‘a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.’ While the US NIST definition1 includes three primary service models, the market has evolved so that you can buy as a service just about any slice of the computing “stack” within the three, which are as follows:
1. Infrastructure as a service (IaaS): The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications and possibly limited control of select networking components (e.g., host firewalls).
1 The definitions of cloud computing and its essential characteristics, service models and deployment models are excerpted from the US National Standards and Technology’s widely referenced definition, NIST Definitions of Cloud Computing v15. The full text is available at the NIST website at: http://nist.gov/itl/cloud/upload/coulddef- v15.pdf
2. Platform as a service (PaaS): The capabilities provided to the consumer is to deploy onto the cloud infrastructure, consumer-created applications or applications created using programming languages supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations.
3. Software as a service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
In addition, a fourth service model is evolving called Business Process as a Service (BPaaS), albeit more slowly at present than the primary three. BPaaS combines multiple components of each of the three to deliver an entire business process. Today, services such as payroll and billing already are outsourced using traditional methods. Looking ahead, we expect higher-value business process services to evolve, differentiated from traditional business process outsourcing because they will be enabled by multiple underlying cloud services.
These primary service models can be implemented via private, public, hybrid or community cloud platforms.
• Private cloud: The cloud infrastructure is provisioned by a single organization. It may be owned, managed and operated by the organization, a third party or some combination of them, and it may exist on or off premises.
• Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy and compliance considerations). It may be managed by the organization or a third party and may exist on premise or off premise.
• Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). The NIST also defines five essential cloud computing characteristics, which we have included in its entirety (see Appendix, page 17).
Lift off for cloud adoption
The operations shift from physical to virtual has allowed businesses to capitalize on deploying new technologies, driven by a need to reduce costs while increasing business agility. According to our publication Into the cloud, out of the fog: Ernst & Young 2011 Global Information Security Survey (GISS 2011), the number of organizations using cloud-based services in 2011 increased by 50% from the previous year.
To embrace highly configurable, rapidly deployable, externally managed applications, an ever-increasing number of companies are moving from the more traditional outsourcing contracts to cloud service providers (CSPs). In fact, our survey revealed that 61% of respondents are currently using, evaluating or planning to implement cloud-based services within the next 12 months.
As organizations realize the benefits of bringing their business into the cloud and confidence in the cloud business model increases, they will have the assurance that critical services and, in some cases, their entire IT infrastructure footprint can exist in the cloud. By moving into the cloud, organizations now have the potential to greatly reduce or even eliminate their IT operations, thereby forever altering their business model (GISS 2011).
Simona Cocos, general manager of drug producer Zentiva, part of the Sanofi group, explains how the clawback tax should be changed to limit its negative effects in the market, and shows her interest in partnerships with local companies that want to produce their medicines in Zentiva's factory in Bucharest