Cloud computing is not outsourcing

An article in Computerworld UK reports that the latest advice from the Information Security Forum (ISF) is that information security professionals should treat cloud computing as they would any other external supplier. “Cloud is just outsourcing,” according to Adrian Davis, a principal research analyst at ISF, speaking at an (ISC)2 Conference in London.

It’s a shame they didn’t quote from my talk at that conference, as I take the opposite view. Cloud computing is light years apart from the dedicated, specified, audited environment associated with a well-managed outsourcing exercise. Cloud computing involves a much higher degree of sharing, coupled with a considerably smaller degree of control. You can’t specify or audit a commercial cloud service, though you could of course implement your own private cloud service (and thereby forgo most of the economic and operational benefits).

Suggesting that cloud computing demands specified SLAs and audit rights is equivalent to advising that public cloud services should be avoided. I suggest Adrian reads my book “Managing Security in Outsourced and Offshored Environments” to better understand the differences between the various and varying models of externalization. 

1 comment

Of course cloud computing is a form of sourcing. If it wasn't, we wouldn't refer to its models as services. The banking industry outsourced for years to a handful of service providers - if or when they change from ASP or hosted models to SaaS, it won't change the fact that their customers outsource to them. And the regulations will only slightly adjust the expectations for controls and service assurance. The list of examples in payroll, health care, eRecruiting, and many other sectors and business functions that use sourcing providers exists. If a cloud provider can't offer an SLA, it's probably time to find a better choice.