Although still in its infancy, cloud computing is dramatically changing the way companies perform tasks and manage data. But with the convenience of accessing software services and applications over the Internet inevitably comes additional risks that need to be managed.

The buzzword Cloud Computing seems to be everywhere these days. But while there’s certainly a great deal of hype about “the cloud,” it truly is a computing phenomenon that is rapidly and dramatically changing the manner in which many businesses perform essential functions, access vast amounts of data and utilize information technology (IT) resources.

In fact, a 2011 international study by IBM revealed that more than 60 percent of the 3,000 CIOs surveyed had plans to adopt cloud computing initiatives — an increase of 30 percent from 2009. So, what accounts for such a rapid and widespread embrace of cloud computing? While the benefits are numerous, the main drivers are economic efficiencies and cost savings.

Traditional IT systems require significant capital expenditures for, among other things, the installation, maintenance, servicing and upgrading of software and equipment. By obtaining these resources through a cloud provider, a company can avoid substantial up-front and ongoing capital costs and may even achieve additional tax savings by treating the cloud service as an operating expense. And since the burden of hardware and software maintenance is passed to the cloud services vendor, a user organization may also find that it is able to achieve further cost savings by reducing the size of its IT support staff as well as the costs for administering diverse software licenses.

Cloud computing also offers a significant benefit in terms of the ease and timing for implementation and scalability. Near-immediate access can be provided to sophisticated hardware and software resources, with far less up-front time required by the user organization compared with traditional on-premises software deployments.

Although populating applications with existing volumes of user data can be time consuming for any deployment of critical new IT resources, many implementations of cloud technologies can be achieved with little more than access to a Web browser. Moreover, cloud-based resources can be scaled up or down to respond to a business’s changing needs almost instantaneously.

Protecting Data and Business Continuity

In addition to the risks that are common to any externally provided service, issues of security, data privacy and provider continuity are of particular concern with the cloud form of using IT resources. Because the service is externally sourced, the physical, logical and personnel controls that IT managers normally provide for on-site applications are bypassed, thereby increasing the risk that unauthorized persons might access sensitive information. Furthermore, companies generally are responsible for the security and integrity of their corporate and customer data, irrespective of whether they actually control such data themselves or outsource its handling to a third party. It is important to remember that, in many cloud environments, most data is stored in a shared or multi-tenant environment and might be commingled on a given server or storage device with the data of another third-party user.

Business-continuity risks are also of concern. Dependable access by a user to its data is tied to the security and operational procedures followed by the cloud provider in ensuring that its own system is regularly available and properly functioning. These are similar to the risks a user organization would have if it were itself hosting an application and storing data, but the problem is more acute because control by the user is either diluted or non-existent, so the risk of service outages, with the possibility of outages with extended durations, is more severe.

Reports of notable cloud service outages have been frequently highlighted in the business press. In September 2011, both Google and Microsoft suffered outages that affected several of their cloud-based messaging and collaboration applications. These are only some of the most recent instances — with downtimes ranging from a fairly brief 15 minutes to a number of days — that have plagued major cloud vendors, including Rackspace, Amazon, Salesforce and Intuit.

Managing Cloud Computing Risks

While cloud computing brings heightened risks in several key areas, there are many ways to manage those risks. As with many outsourced services, the increased risks principally derive from the inherent dependence on the service provider and the client organization’s relative lack of control over key matters that affect the provision of the cloud service. Because of this lack of control, engaging in thorough due diligence before selecting a cloud services provider is a natural starting point for risk management.

Particular attention should be given to the operational and security controls maintained by the provider for the computing environment through which the service is offered. A client organization will want to know the general procedures the provider follows to ensure a secure computing environment. Copies of reviews of such matters by independent third parties should be requested, particularly audit reports formerly issued under AICPA SAS 70 guidelines and the fairly new SSAE 16 guidelines. Specifically, an SSAE 16 SOC 2 report should be requested. Any deficiencies noted in such reports, along with anticipated remedial measures, should be satisfactorily explained. Cloud providers should also expect inquiries to be made about the history of data breaches over the past several years.

The provider’s data center should also be examined for operational reliability. Data centers are rated by the Uptime Institute on a four-tier scale, with a Tier IV data center considered to be the most reliable and a Tier I data center being the least reliable. If a truly mission-critical application will be accessed through a cloud service approach, users should insist that the data center upon which the service is ultimately dependent has been rated as either Tier III or Tier IV.

Many implementations of cloud technologies can be achieved with little more than access to a Web browser, while resources can be scaled up or down to respond to a business’s changing needs.

The evaluation of a provider’s ability to provide services in an acceptable manner also extends to its financial stability and business reputation. For this reason, more established cloud services companies can possess an inherent advantage in the market. Obtaining financial information from a proposed privately held service provider may require signing a confidentiality agreement, but so long as the agreement is reasonable in scope this should not be regarded as an obstacle.

Assuming the diligence undertaken concerning a service provider’s computing environment satisfies
a client, another consideration for managing cloud-related risks is insurance. Since the insurance industry has not quite caught up with the user and provider community, procuring such insurance may be difficult. The same is generally also true with data breach insurance, but the market is starting to develop for such policies.

Contractual Checks and Balances

While the diligence and other measures undertaken to minimize the risk of using cloud services are critical, both user and provider should expect their contractual arrangement for the services to reflect the continued need for related assurances. The ability to obtain contract protections that are specific to the needs and concerns of the user is a genuine challenge in many situations given the shared, multi-tenant nature of many cloud offerings and the fact that cloud providers — especially with SaaS offerings — may themselves be obtaining underlying computing resources from third-party providers on a cloud basis and, therefore, may have limited ability to address certain matters themselves.

However, while the actual cloud service itself might be standardized, it does not follow that the underlying contract should similarly be standardized in all respects. This concern can sometimes be overcome by use of an overriding contract addendum that doesn’t require extensive revision to the provider’s main contract form while still allowing the user to have its principal concerns addressed. Unfortunately, the reality is that much of the ability to obtain contract concessions is a function of the relative negotiating leverage of the contracting parties.

For many turnkey cloud services, such as Google Apps, for which the fees paid are not significant, the opportunity for the user to negotiate terms is almost nonexistent. However, where the ability exists to negotiate and optimize contract terms, the basic provisions that a user organization should consider seeking (and that a provider should expect to see requested) revolve around appropriate representations, warranties and covenants from the provider, as well as the scope of the service level agreement offered by the provider.

Suggested representations, warranties and covenants that a cloud provider should give include:

• Assurances about the relevant physical and system security procedures used by the provider.
• Whether data is encrypted while stored or transmitted.
• How data is disposed of after termination of the service.
• The timing and manner of data backups.
• Whether a disaster recovery plan is in place.
• Representations about the data center type (Tier I — IV) and an obligation to maintain that status.
• An obligation to promptly notify the user of any data breaches involving the cloud system.
• An obligation to obtain and provide copies of SSAE 16 SOC 2 reports dealing with system reliability, security, confidentiality and processing integrity matters.
• Agreement by the service provider to store and process data only within geographic boundaries with which the user is comfortable, which will avoid potential extraterritorial obligations and complications associated with data that is handled abroad.

Service level agreements (SLAs) are more challenging because the current state of the market for service level models is decidedly pro-service provider. So, the issue to focus on is what’s reasonable to expect for an SLA in a given situation. In terms of uptime and application availability, many providers have evolved toward SLA assurances of in excess of 99.8 percent availability. The difficult part is ensuring that the manner in which downtime is calculated is appropriate for the circumstances and seeking some remedy beyond the relatively small service credits offered for outages that trigger
credits because the availability threshold was missed. Key items to pay attention to in this regard are the ability to terminate the service agreement on shorter notice than would normally be allowed for other breaches in the event there is a reasonable basis for asserting that there are repeated outages or clear systemic problems.

Finally, there are two additional important contractual considerations to highlight with cloud services. First, and most critically, the user organization should ensure it has access to and the ability to retrieve its stored data at all times and certainly at service and contract termination. The failure of a user to pay for the service is frequently an exception to this general rule, but even that is sometimes negotiable. Second, be wary of terms that are incorporated by reference, usually by links to external documents hosted on a provider’s Web site. This process has its conveniences, but whatever terms are applicable should actually be reviewed. Don’t let out-of-sight terms fool you, since some of the most problematic terms are actually buried in those cross-referenced clauses.

In Summary

Because the technologies that underpin cloud computing are not new, cloud computing can best be regarded as a logical extension of existing technologies and related methodologies. however, cloud computing represents a major shift in the way businesses and consumers obtain and use it resources, and that shift is due primarily to the economics of using cloud-based service delivery versus employing it resources in the more “traditional” manner of the user purchasing, owning and maintaining hardware and software on a stand-alone basis.

Although issues with service provider trust and security remain, these can be expected to be short term in nature. In reality, a company’s internal it facilities are as vulnerable to a data breach as the data center of a cloud provider. As the market for cloud service continues to evolve, it is likely that many of the current concerns among cloud service providers and users will be resolved.