By Brian J. Thomas
June 2, 2011
Cloud computing services offer numerous potential advantages. Customers pay for such services on a subscription or on-demand volume basis, thereby eliminating the fixed costs associated with purchasing, implementing and maintaining IT capabilities in-house.
The scalability of those services offers considerable appeal, too. At the Software as a Service (SaaS) level of cloud computing, customers may access an application via a standard Web browser and Internet connection. Platform as a Service (PaaS) allows customers to deploy their own applications within a cloud computing infrastructure, while Infrastructure as a Service (IaaS) provisions processing, networking components, data storage and other functions.
Those available degrees of service enable customers to quickly expand IT capabilities and capacity to accommodate business growth.
While offering such benefits, though, cloud services leave the fundamental IT control concerns in place: data integrity, system reliability, data security and system availability. A customer needs to know how such concerns are addressed by a cloud service provider (CSP).
As the recent partial outage at Amazon Web Services illustrated, companies need to be particularly aware of what plans a CSP has in place to address the risk of a service outage.
Impact of a Partial Outage: Lessons From Amazon’s Recent Cloud Failure
On Thursday, April 21, 2011, a partial service outage struck Amazon Web Services’ (AWS) Elastic Compute Cloud (EC2) center in Virginia. The outage affected the functionality of websites operated by AWS customers, including Foursquare, Reddit and Quora.
Amazon later released a detailed statement attributing the outage to a configuration error that occurred during a network upgrade. Amid that upgrade, data traffic that should have been routed to a primary network was instead routed to a lower-capacity network that could not meet customer demand. Difficulties associated with the partial outage lingered through the weekend of April 23-24.
The partial outage illustrated that while cloud computing offers the promise of seamless service, a CSP must sufficiently plan for any potential disruptions that may occur due to internal upgrades, increased traffic volumes or other events.
Risk and Compliance with Information in the Cloud
Companies considering a migration to cloud computing need to be aware of how all crucial vulnerabilities are mitigated within the scope of internal controls. They also need to consider how specific compliance requirements will be met within a cloud computing environment.
In reviewing a potential contractual arrangement with a CSP, internal audit staff can define what IT functions and related internal controls remain within the company, and what capabilities and control requirements reside with the CSP. Such analysis identifies control gaps.
Various frameworks exist for addressing internal control concerns and related audit needs. For example, the COBIT framework, developed by the Information Systems Audit and Control Association (ISACA), provides a means to evaluate IT control requirements and their relationship to business risks.
The Cloud Security Alliance (www.cloudsecurityalliance.org), a nonprofit organization that promotes best practices for cloud computing security assurance, provides additional direction.
Prospective customers should also request and review attestation reports from independent audits of the CSP’s internal controls. Do those reports list any exceptions that raise concern? Do any subsequent events, such as security breaches or outages, require investigation?
Companies must consider specific compliance requirements, too. The Health Insurance Portability and Accountability Act (HIPAA), for example, requires protection for personal health information. How will that or other compliance requirements be met? Various requirements facing one customer, such as IT vulnerability scans, may also affect the CSP’s ability to deliver on-demand service to all of its customers.
Assessing such varied concerns requires time and other resources, but such careful assessments enable executives to make more informed decisions regarding the potential value and risks associated with migrating IT services to a CSP.
Brian J. Thomas, CISA, CISSP, is a partner in Advisory Services for Weaver, the largest regional independent certified public accounting firm in the Southwest, with offices throughout Texas. His 10 years’ experience in IT consulting services encompasses managing teams delivering IT-focused solutions at Fortune 500 clients, IT audits, project management services, information security assessments and implementation reviews focusing on enterprise systems. He can be reached at [email protected].