In the long run, the hype will prove to be well deserved. Cloud computing is likely to be the foundation of tomorrow's computing. In a period of highly disruptive cloud technology and business models, Chief Information Security Officers (CISOs) have to move quickly to develop a strategy that gains maximum benefit from a trusted cloud. Several models of cloud computing have emerged: the pure Software-as-a-Service (SaaS) model, in which a complete business application is delivered as a service; the Platform-as-a-Service (PaaS) model, which enables rapid application development in the cloud; and Infrastructure-as-a-Service (IaaS), in which basic operating system and storage capabilities are delivered as a service.

Sooner or later, cloud computing will become the norm. But CISOs need to ask when it is the right time to migrate to the cloud, particularly for extremely sensitive information and mission-critical processes. Internal and external factors can drive the speed of adoption, but there is no doubt that at some point software companies will recommend the cloud to their customers, and new, innovative applications will exist only in the cloud. For these reasons, CISOs should strive to understand the important issues and their relevance to the business. Difficulties will arise from a lack of careful planning and rigorous management of a number of key issues. It is not sufficient merely to wait for the cloud to mature. In more sophisticated IT markets, many CISOs are already educating cloud providers on enterprise-class requirements such as Service Level Agreements (SLAs), compliance obligations, and location-specific regulatory requirements. It is far easier for cloud providers to build enterprise capabilities now than to change their offerings after enterprises have made the switch. Here are some of the key issues that enterprises, and CISOs, must take into account when examining their cloud strategy:
- Compliance – Confirmation that the cloud provider's services enable the customer to remain compliant with regulations and standards such as PCI DSS, ISO 27001/27002, and breach notification laws, among others.
- Data Governance – Ensuring that customer data has appropriate technical safeguards, is legally protected, and can be accessed by, and returned to, the customer on demand.
- Portability and Interoperability – Ensuring that the customer's investment in any given cloud, including private clouds, can be ported to, and made interoperable with, any other cloud to the greatest degree possible. This protects the investment and helps assure the availability of critical services.
- Identity and Access Management – Allowing the customer to leverage its mature identity and access management infrastructure within SaaS providers and other cloud services, in order to maintain wide-ranging system and application controls while remaining compliant.