Cloud computing continues to grow. According to an IDG survey published in November, 70% of all businesses have at least one app in the cloud today. Of the 925 organizations surveyed, U.S.-based companies planned to spend an average of US$1.8 million on cloud computing during 2017 compared with US$1.3 million for non-U.S. companies. Despite the mass adoptance of cloud computing, security concerns surrounding this new platform are growing just as fast.
A study from the Cloud Security Alliance (CSA) published in March 2015 and entitled How Cloud is Being Used in the Financial Services Sector: Survey Report, concluded that that most businesses don't have a concerted migration strategy. Furthermore, protection remains a pre-eminent concern for survey participants from the financial services sector, for whom compliance with relevant legal and regulatory requirements remains a top priority.
To help you get a fuller understanding of what cloud computing means, here are the three primary cloud service models that companies are currently adopting:
- Software as a Service (SaaS): This most popular model, in which your firm pays a software provider for you to access the application(s) that this company hosts and manages.
- Platform as a Service (PaaS): Under this model, the provider provides infrastructure access and a platform through which you can deploy applications.
- Infrastructure as a Service (IaaS): This is the Cadillac of cloud computing. Think of this as outsourcing your IT infrastructure. The provider supplies processing, storage, networks and other fundamental computing resources.
Once your company has decided which service you'll need, it'll have to decide how the service will be delivered. Does the service need it to be public (the most common and made available to the general public)?; private (only you can use it, either onsite or offsite)?; or a hybrid deployment model? Each option will have different security implications.
As you can see, it's a little more complicated than just signing up for a new Gmail or Outlook account.
The CSA report identified three key reasons why advisors and their firms chose to leverage cloud-computing technology. These included: added infrastructure capacity flexibility; reduced provisioning time; and lower total cost of ownership. Despite these clear advantages, the cloud continues to face resistance.
Specifically, survey participants cited concerns about confidentiality, data breach and loss of control over data, as well as regulatory restrictions, as reasons why they were holding back from adopting or expanding cloud technologies.
The security implications of using cloud technology will vary depending on the type of services your company is planning on using. Particularly challenging is the fact many organizations use multiple public, private and hybrid cloud solutions to meet their needs.
Choosing a trustworthy provider is crucial because your firm is only transferring custody — and sometimes only in part — of your data, not actual ownership. As such, your firm can then work to define a baseline agreement to build upon. Your company needs to start by making sure it has strong contractual clauses spelled out, appropriate service level agreements and audit rights so it can oversee the provider's work. That said, be forewarned that because of the large number of clients cloud providers have, chances are they will refuse your firm the right to personally audit their environment. If that's the case, ask for third-party audits.
Keep in mind that cloud computing is still in its growth stage and there are many unanswered questions. Right now, industry standards about roles and responsibilities are still being defined as it relates to various aspects of data ownership, security and compliance requirements. Your company needs to make sure your needs are properly spelled out in the contract.
Sadly, the market has also not yet agreed upon common criteria by which to measure cloud-provider security. You can generally rely on independent audits and certifications to assess if a provider complies with a given set of security controls. Look at the Cloud Controls Matrix from the CSA. Reputable organizations have also published a variety of studies about various cloud services and providers. Although there's no agreed upon methodology, these too are worth a look.
Although it pays to get ahead of this key issue, the CSA study found that most organizations don't have a concerted cloud migration strategy. The time to adopt one is now because the security challenges associated with this key move will be on our radar screens for a long time to come.