Choosing a CSP: Confidence in Risk

Maybe it’s just me, but I had this assumption that Cloud computing would be one of the most popular online search terms. When I found the list of top ten most searched items, I was slightly surprised to find celebrities that a) I had never heard of and b) turned out to have no involvement with the phenomenon that is cloud computing made the top of the list.

Okay, so perhaps I need a wider circle of friends and need to watch more television. However, within the technology industry, there is no doubt that the Cloud is the number one buzzword. The fundamental question though is whether the benefits will indeed be realized or whether like many of the previously heralded technologies it falls by the wayside.

A 2010 survey by Information Systems Audit and Control Association (ISACA) found that half of U.S. IT professionals who responded to the survey stated that the risks of cloud computing outweigh the benefits. Moreover, a bigger concern for many organizations will be the physical location of their data which of course may well be regulated.

Although such concerns are entirely valid, I would probably add that these concerns should be no different to hosting internal services, indeed such risks could even be managed easier with a third party such as a CSP. By ensuring that all requirements are clearly defined, and included within contracts the customer should be a in a position to ensure that risks are mitigated. Even new threats which may have not been initially considered should be fairly straightforward to mitigate, and this will invariably require an increase in the cost of the service. Compare this with the challenge of recruiting specialists, and getting them to go through the ‘Plan, Do, Check and Act’ cycle for the mitigating controls could not only prove time consuming but very costly.

So where to from here? Well, there are many concerns that are completely valid, such as the question of where data will be physically stored. Likewise, although we ASSUME that the CSP will implement the controls they are contractually obliged to, will they actually do it? The fundamental point to remember is that although you can transfer the work, you can never transfer the risk (certainly not in your customers eyes, if not in the eyes of the law). Whether your data is with a CSP or internally hosted, a data breach will still impact you and your business.

This is probably the biggest concern, whereby you are placing your customer confidence into the hands of a third party. The Cloud Security Alliance put forward their ‘quick method for evaluating your tolerance for moving an asset to various cloud computing models’, with the fourth point critical; Evaluate potential cloud service models and providers.

Here the role of certifications play a major part. Whilst cost becomes a crucial factor, it should not remain the sole requirement for determining the CSP. Indeed for the evaluation of potential providers cost should not even be in the equation. If you are unable to find a CSP that can satisfy your risk appetite for the budget you have allocated, then either increase your budget, or host internally. Both options are more attractive than using your media skills to answer difficult questions about why your customer details were made public.

-Raj Samani

Tags: Cloud computing, cloud security, CSP

Comments are temporarily suspended due to blog maintenance, comments will be available again from Monday 21st May.