An article in Computerworld UK reports that the latest advice from the Information Security Forum (ISF) is that information security professionals should treat cloud computing as they would any other external supplier. “Cloud is just outsourcing” according to Adrian Davis, a principal research analyst at ISF, speaking at an (ISC)2 Conference in London.
It’s a shame they didn’t quote from my talk at that conference, as I take the opposite view. Cloud computing is light years apart from the dedicated, specified, audited environment associated with a well-managed outsourcing exercise. Cloud computing involves a much higher degree of sharing, coupled with a considerably smaller degree of control. You can’t specify or audit a commercial cloud service, though you could of course implement your own private cloud service (and thereby forgo most of the economic and operational benefits).
Suggesting that cloud computing demands specified SLAs and audit rights is equivalent to advising that public cloud services should be avoided. I suggest Adrian reads my book “Managing Security in Outsourced and Offshored Environments” to better understand the differences between the various and varying models of externalization.