Cloud computing can be a great cost-saving alternative, providing improved information and processing capabilities without the effort required to build and manage sophisticated internal IT systems. However, if your organization is planning a move into the cloud, have you considered the risks? Given that cloud computing offers computing and storage capabilities outside your organizational boundaries, there are six important risk factors to consider:
- Access to your sensitive data. The physical, logical, and personnel controls put in place when your data was stored in-house no longer apply when you move your organization's information to the cloud. The cloud provider maintains its own hiring practices, rotation of individuals, and access control procedures. Ask about and understand the data management and hiring practices of the cloud provider before you choose.
- Regulatory compliance. Moving your data to a provider's cloud does not let your organization off the hook; you are still accountable to your customers for any security and integrity issues that may affect your data. You need to carefully weigh the risks to your organization's information and ensure the cloud provider has standards and procedures to mitigate them.
- Geographical spread of your data. You may be surprised to learn that your data may not reside in the same city, state, or even country as your organization. While your provider may be contractually obligated to ensure the privacy of your data, it may be even more obligated to abide by the laws of the state and/or country in which your data resides. Your organization's rights may be trumped by those of the provider’s jurisdiction.
- Data loss and recovery. Data in the cloud is almost always encrypted to ensure security. However, this practice comes with a price—corrupted encrypted data is always harder to recover than unencrypted data. Know how your provider plans to recover your data in a disaster scenario and, more importantly, how long the recovery will take.
- Acquisition of your provider. A seamless merger or acquisition involving your cloud provider is not always business as usual for you, the client. Your provider should clearly acknowledge and address this as one of the possible scenarios in its contract with you. In short, what is your exit strategy in the event that your provider is acquired?
- Availability of data. Cloud providers rely on a combination of network, equipment, application, and storage components to provide service. If one component goes down, you may not be able to access your information. Understand the cloud’s backup systems. Also, identify how critical a certain type of information is and how long you can live without it before you decide to put it in the cloud.
Cloud computing is relatively new in its current form. Do not hesitate to ask questions during your due diligence process and, if necessary, engage an independent advisory firm to guide you through the process. Choosing a cloud provider requires far more due diligence than routine IT procurement. However, if the risks are well-managed, the rewards for your organization can be tremendous.
Sassan S. Hejazi can be reached by email or at 215.441.4600.