Will auditors allow your data to reside in the cloud?

Do you fear the auditor more or the attacker? A lot of companies fear the auditor more. If you hold data internally, you can show the auditor your controls, but the cloud makes such demonstrations more difficult.

"Do you fear the auditor more or the attacker?" asks Peter Bassill, chief information security officer at gambling giant Gala Coral Group.

It is a key question for IT leaders thinking of dabbling in on-demand computing provision through the cloud. For Bassill, there is only one answer, particularly for firms operating in highly regulated sectors: "A lot of companies fear the auditor more. If you hold data internally, you can show the auditor your controls, but the cloud makes such demonstrations more difficult."

The resulting complications mean many businesses still shy away from on-demand IT. About 40% of UK companies use cloud computing systems, according to the Information Systems Audit and Control Association. This represents a significant proportion of British organisations, but implementation levels - certainly with regard to large-scale enterprise systems - are nowhere near matching the cacophonous intensity of supplier hype.

While suppliers often portray the cloud as ground-breaking, most independent commentators agree there is nothing inherently new about on-demand IT. Mainframe computing and hosted technology have been around for many years. Application service provision (ASP), for example, represents an often forgotten stage of hosted computing that might be more usefully viewed as the early stages of software-as-a-service (SaaS).

The on-demand marketing push - which started from about 2008 - means anything hosted suddenly represents "the cloud". So, why is the current phase of hosted services different? Most CIOs appear unsure, especially while suppliers continue to hype services and swerve security concerns.

Exploring the cloud

"We are not an early adopter; we were not an adopter at all until recently," says Bassill, speaking recently at a BT roundtable in London. The Gala CISO has run a trial of cloud-based provision to help capture error data relating to the failure of systems. The approach involved using the cloud as a virtual datacentre, renting processing power and disc space on-demand to aggregate error logs.

Success here allowed Bassill and his team to explore the applicability of cloud for other business areas. But results have been inconclusive, particularly with regard to the persistence and recoverability of data. The studies lead Bassill to conclude that the potential wider use of cloud is complicated.

While the on-demand provision of computing resources can help drive down costs, it can also increase risk - especially for a UK business operating in a heavily regulated sector, such as gambling. Bassill needs to provide a complete audit trail, and providing such visibility into a supplier's infrastructure is an inherently complicated task.

"We need to know where our information is at any point in time," he says. "We need UK data to be kept in a UK cloud. Finding a supplier to meet that demand is a significant challenge. The cloud supplier must prove that the datacentre is secure and that information will not be moved between locations."

Less regulated industries are more likely to make an early move towards the cloud, says Ian Cohen, CIO at insurance broker Jardine Lloyd Thompson Group: "As good as the technology could be, heavily regulated firms will have concerns until suppliers are able to answer the question, 'where is the data being held?'. The market needs to think more carefully about regulated businesses."

A supplier might be able to confirm that data will be held in a particular location for the majority of the time, for example, but the potential for a change in location, and a lack of visibility into supplier records, will not satisfy the auditor.

Growth drivers

The likely growth in cloud computing means a new approach is required. The sudden growth in on-demand computing could lead to suggestions that the technology is now moving faster than legislation, and that auditors need to take a more sophisticated approach. But for now, responsibility once again lies with the suppliers.

"What are the cloud suppliers doing?" asks Cohen. "What is the latest piece of technology that will help me to implement the cloud?" Both are key questions for Cohen, who says he is looking at doing some "cool stuff" with the cloud in the near future (see box).

Gala's Bassill also expects use of on-demand computing to increase, especially as the cost of silicon is now so low that power and air-conditioning are by far the biggest costs associated with running a datacentre. Analyst firm Gartner confirms the inevitable emergence of on-demand provision, with cloud computing leading its recent list of top 10 strategic technologies for 2010.

Advice from a CIO: Ian Cohen's top tips for dealing with the cloud

Technology chiefs looking at the confusing concept of the cloud will need clear advice. A sense of order comes in the thoughts of Ian Cohen, CIO at insurance broker Jardine Lloyd Thompson Group.

A former head of IT at media organisations Associated Newspapers and the Financial Times, Cohen suggests confusion surrounding the cloud is indicative of a wider problem - the growing schism between corporate and social IT.

He suggests that traditional corporate IT is far more concerned by security and data protection than new models of technology provision that are emerging through social IT. Cloud is one such model that is evolving at the interplay between corporate and social technology.

The evolution leads Cohen to suggest CIOs must consider three areas when investigating the cloud:

Understand your business - Think about what your company does, where it produces value and what you have to do to protect the information that is critical to your organisation.

Learn what segmentation means - What bits of your IT can you carve out without affecting the business and incurring the wrath of the auditor? One size definitely does not fit all when it comes to the cloud. But careful segmentation will allow you to exploit on-demand computing.

Trust in experience - From virtualisation to the public cloud, find experts that will help you understand the core issues. The key concerns you will grapple with, such as information security, will not necessarily be understood by less experienced in-house staff.

So, what conditions will help push the growth in on-demand technology? Richard Mahony, director of telecoms research and analysis at Ovum, points to a series of converging factors, including the reduced cost of broadband bandwidth, the potential for increased network capacity, and the possibility for suppliers to work together to offer secure and reliable services.

"Cloud is everywhere; it is the trend of the moment," he says. "You can centralise and standardise your operations within the cloud and this has caught CIOs' imagination. Blue-chip businesses and large public sector organisations are now looking seriously at the cloud. But software providers, as they move into the cloud, have to develop new areas of business; it is not just about software and boxes."

Virtualisation is one area of provision often associated with cloud computing, and some experts see the approach as a platform for launching on-demand IT. But such thinking is dismissed by many IT leaders, with just 24% of technology chiefs responding to a recent CIO Connect survey suggesting they have implemented virtualisation as a first step towards cloud computing.

Cost and complexity

The most obvious conclusion, despite the hype surrounding on-demand IT, is that we are still at the beginning of the journey towards true cloud computing. That is a theory that resonates with John Robinson, group IT director at technology company Morse. When it comes to implementing cloud in his own business, Robinson says he investigated some of the easier targets first, such as messaging and spam filters.

"You need to understand the service you are offering and the cost," he says. "Then you can start looking at your own business, and talk about what fits and what does not fit. You can use the cloud to deliver a commodity service to the business. Here, you can measure the impact easily and see how provision might compare in more complicated areas that are related to business process, which is still an area of development in most businesses."

The same complications ring true in the public sector, as confirmed by a recent Siemens Enterprise Communications roundtable in London, attended by Westminster City Council CIO David Wilde. He says financial constraints are creating a shifting mindset among senior leaders, but perception of the cloud still remains a concern.

"You need to put together a defensible business case," says Wilde. "The challenge for CIOs is how do you get your chief executive to understand the complexity? The answer is to put a figure on your project; show how much something will cost if you do not press ahead."

More than anything, prove that the hype surrounding on-demand IT is nothing to be scared of: "We are not edgy about the cloud, it is just not that new," says Wilde. "I mean, what is all the fuss about?"


