IT experts, lawyers and insurers have joined forces to solve one of the most contentious questions in cloud computing – when is it safe to move critical data in the cloud?
A working group of experts from leading law firms, insurers, and IT specialists, have produced what they believe is the first systematic way to assess the risks of cloud computing.
The Cloud Risk Framework aims to help businesses compare the risks of moving to the cloud, with the risks of storing data in-house.
Fredrik Motzfeldt, leader of the communications, media, and technology practice at insurance broker, Marsh, said the framework will help businesses to make more rational decisions about cloud computing.
“A lot of the reasons people don’t invest in cloud is because they don’t fully understand the risk. They haven’t actually sat down to compare the risks of keeping data in house, against in the cloud. I think this will take some of the emotion out of the debate, “ he said.
Five steps to assessing cloud risk
- Identify key categories of risk
- Categorise potential loss and cost of IT service failure
- Quantify areas of financial impact
- Allocate the cost of a risk even between customer and cloud provider
- Determine the likelihood of a risk occurring
Source: The Cloud Risk Framework
Businesses, particularly in regulated industries, are reluctant to store business critical data in the cloud. A Computer weekly/TechTarget survey, earlier this year for example, found that security, reliability and protecting company data were major concerns.
But in many cases, external service providers are able to hold data more securely than an internal company data centre.
In one example considered by the group, a large business hosting email in the cloud, faced a potential maximum loss of £1.4 million for a failure when hosting in-house – three times the cost of the same failure in the cloud.
Companies that adopt the framework will be able to demonstrate to regulators, their compliance departments, and insurers, that they have systematically assessed the risks of cloud computing.
They are also likely to benefit from lower insurance premiums, said Motzfeldt.
Latest in-depth resources and articles on cloud:
“I hope it would at least make the decision more objective, showing that you have an auditable trail, and that you have considered the risks,” he said.
The Cloud Risk Forum, the cross-industry group behind framework, is looking to work with large businesses to test the framework as they make decisions on cloud computing.
“We need to engage with businesses to actually test it. We have had initial interest from financial institutions and we are planning to speak to people in the government,” said Motzfeldt.
The group believes the framework is will be of interest to larger companies with their own risk departments.
Smaller companies are likely to find the security services offered by cloud providers more sophisticated than anything they could build-in house, he said.
“If you are a small and medium sized company, you are not going be equipped with the quality of security solution as cloud companies like Amazon, or Dell, so their solutions are probably going to be better.”