Cloud computing is all about cutting costs, but some organisations that are going down that road are reporting increased cost instead. How is this possible?
Marc Noble, director of government affairs for (ISC)2, said he knows of at least one cloud implementation where the chief information security officer (CISO) involved reported he had not seen the advertised cost benefits.
This should not really come as a surprise, he told Computer Weekly. "No move of systems and data has ever been painless or without cost," he said.
Some providers of cloud services claim up to 85% cost savings, but Noble said he has yet to see any organisation achieving savings anywhere near that level.
Before rushing to cloud computing, organisations should check if there are any migration costs and evaluate whether employees will need additional training once the change is made.
There may also be additional costs involved in deploying new monitoring systems. "It may not be possible to hand over everything without staying 'wired in' which may require new skills and systems," said Noble.
However, John Howie, chief operating officer (COO) of the Cloud Security Alliance (CSA), said he can think of only one instance in which cloud computing could cost more than traditional IT.
Cloud computing can be more costly when organisations simply use infrastructure-as-a-service (IaaS) to create a virtualised version of their existing IT environment.
"This approach requires replicating everything for use in a virtual environment and then moving it over to the cloud, which all adds to the cost," said Howie.
Rather than recreating what exists in the traditional IT world, organisations should look at their requirements, as they are likely to find that a service to meet those requirements already exists.
Using existing, standard software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings will deliver immediate cost savings to most organisations, according to Howie.
For most applications, such as email, the client does not change and the process is completely invisible to the user, he said.
For some collaboration applications, such as Microsoft's SharePoint, some work may be required that will incur some cost, but Howie is confident this will be offset in the longer term.
"Anyone comparing IaaS with PaaS, where you write your own application and then run it on a cloud platform, will be pleasantly surprised by the savings that can be achieved," he said.
Using PaaS is much more efficient and scalable, which is largely where the cost savings come from. "Unified communications is also much more efficient and less costly in the cloud," he added.
Cost savings are great, but what about security?
Organisations of all sizes are attracted by the cost savings and the speed of deployment enabled by the cloud, but still cite security concerns as their main reason for not moving to the cloud.
However, the reality is that just about every organisation is already using cloud services of one form or another, whether they realise it or not, according to Howie.
"Even if organisations are adamant they are not using the cloud, someone somewhere in the organisation is usually using a cloud-based service, possibly without knowing it," he said.
Howie believes the swing to cloud-based computing is inevitable, especially considering the host of free services such as Dropbox that enable people to get things done quicker.
"When it takes 16 weeks on average to get a new server up and running from date of request and costs $20,000 up front in capital expenditure, business units are more likely to opt for a cloud-based service that will be available almost instantly at around only $200 a month," he said.
Given this reality, Howie believes it is important for every organisation to be aware of cloud computing, and more particularly for their information security professionals to be up to speed with the technology and how they need to adapt or change to continue to do their jobs.
The good news is that cloud service providers have near unlimited resources compared with most enterprises to secure their environments, he said.
The challenge for most organisations is how to demonstrate compliance with security standards such as PCI DSS or ISO 27001.
This is where the Cloud Security Alliance (CSA) comes in, said Howie. "Cloud service providers are generally transparent about their processes and information security but most prospective cloud customers either do not know where to find that information or it is not in a format that is easy to understand."
For this reason, the CSA has worked to make that information easier to consume to help organisations make informed decisions when choosing cloud service providers, as well as make it easier for them to understand how to remain compliant.
Through its Security, Trust and Assurance Registry (STAR), which is based on self-attestation by cloud service providers, the CSA provides unbiased information, free of charge, about the security controls provided by various cloud computing offerings. This helps organisations assess the security of cloud providers and choose the one best suited to their needs.
STAR uses a Cloud Controls Matrix to provide a controls framework for understanding security, privacy and reliability concepts and principles that are aligned with the CSA guidance in 13 areas, which include governance and risk management, compliance and audit, disaster recovery, application security, encryption, and incident response, notification and remediation.
By providing guidance and helping organisations understand what questions they should be asking about cloud service providers, the CSA can help eliminate the fear of the unknown and reduce anxieties about giving up control over applications and data, said Howie. It can also show organisations how they can get the most out of cloud computing while keeping their data safe at the same time.
The cloud may be inevitable, but the CSA is working to ensure that the cloud does not remain a mystery by providing a decision-making framework in the short term, with plans to enable third-party certification by making that framework available for use in international standards.
Ultimately, the CSA aims to give cloud consumers ultimate confidence in their cloud service providers by enabling continuous remote monitoring of their operations.
The guidance produced by the CSA is aimed at educating cloud consumers to ensure they get the best value out of cloud computing and the best security of their data at the same time.