Cloud computing provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of information technology service delivery models beyond managed and hosted services to a form that is packaged and commoditized.

However, many organizations are sleepwalking into the cloud. Moving to the cloud may outsource the provision of the IT service, but it does not outsource the organization's responsibilities. There are issues that may be forgotten or ignored when adopting cloud computing strategies. In a recent survey by global nonprofit IT association ISACA, 30% of the 3,700 respondents said cloud computing is one of the top issues expected to impact their enterprise's security in the next 12 months.

Most people are aware of the concept of the seven deadly vices that are said to explain human weaknesses. These are wrath, greed, sloth, pride, lust, envy and gluttony, and are sometimes referred to as the seven deadly sins.

Of these vices one above all can lead to problems with cloud computing — sloth. Clearly, a good understanding of cloud is critical, as is effective governance over the cloud.

Sloth affects cloud computing activities because it can lead to inattention to details such as:

  • Not knowing you are using the cloud: This sounds irrational, but it happens more frequently than would be expected. It is easy to buy a cloud service using a credit card—and your organization may be using the cloud without the appropriate people knowing about it. When you buy the cloud service that way, it is likely that you have agreed to the terms and conditions set by the provider and these may not be appropriate for your needs. You should ensure that there is a proper process for obtaining a cloud service and that it is followed. For definitions of various cloud types, view a free guide from ISACA at www.isaca.org/cloud.
  • Not assuring legal and regulatory compliance: Many organizations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that, if you move these systems into the cloud, you will not lose this compliance.
  • Not knowing which data are in the cloud: One of the key legal requirements for many organizations is compliance with data privacy laws. These mandate where personally identifiable data can be held and how it must be processed. If you don't know what data you are moving to the cloud you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data such as spreadsheets, presentations and documents. It is essential that you identify and classify data you are moving to the cloud to manage risks and ensure compliance.
  • Not managing identity and access to the cloud: Controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application are moved to the cloud. The best way to achieve this is through the use of identity federation based on standards such as Security Assertion Markup Language (SAML) and Active Directory Federation Services (ADFS).
  • Not managing business continuity and the cloud: Organizations adopting the cloud need to determine the business needs for continuity of any services and/or data being moved to the cloud. To support this they should have policies, processes and procedures in place to ensure that these business requirements are met. These involve not only the cloud service provider, but also the customer as well as intermediate infrastructure such as telecommunications and power suppliers.
  • Becoming locked in to one provider: It is often claimed that the cloud provides flexibility, but how easy is it to change a cloud service provider? A number of factors can make changing providers difficult. For example, there may be contractual costs incurred on termination of the service contract. The ownership of the data held in the cloud may not be clear and return of the data on termination of contract may be costly or slow. When data are returned they may not be in a form that can easily be used or migrated. Cloud services (built using cloud platforms, platform as a service (PaaS) in particular) may be based on a proprietary architecture and interfaces, making it very difficult to migrate to another provider.
  • Not managing your cloud provider: You need to manage your cloud provider just like any other outsourced IT service provider. This means defining and agreeing to metrics via service-level agreements and then making sure that these are achieved. A customer may wish to perform an audit of the provider but it may not be practical for the provider to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. However, it is important to understand what these service organization controls (SOC) reports cover. Taking a good governance approach, such as COBIT (www.isaca.org/cobit), is the key to safely embracing the cloud and the benefits that it provides.

Mike Small is an analyst at KuppingerCole in London, England.
