
Inside Internal Controls

News and discussion on implementing risk management


Risk management in the cloud


Welcome back! With this post we’d like to hear what readers feel are some of the key issues and risk management considerations they’re facing with cloud computing service providers.

What I wonder is how we can ensure that quality and value are built into every aspect of cloud computing, on both the providers’ and the clients’ parts, rather than bolted on afterwards.

Cloud computing may indeed be “one of the biggest revolutions to emerge in recent times,” but it also presents big risks. The global principles, frameworks and standards for risk management and accountability in the cloud itself are still very much playing catch-up. In the case of cloud computing, it seems we really don’t know what we don’t know, and a better balance is needed between innovation, relationship management and adequate related controls.

A recent opinion from the Article 29 Data Protection Working Party (Opinion 05/2012 on Cloud Computing) analyzes the relevant issues for cloud computing service providers who operate in the European Economic Area (EEA) and for their clients. Adopted July 1, 2012, the opinion describes the applicable principles from the European Union’s Data Protection Directive (95/46/EC) and e-Privacy Directive (2002/58/EC). It also discusses “the acknowledged benefits of cloud computing in both economic and societal terms,” and “how the wide scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed.”

Do you think cloud computing enables organizations to “Rethink IT. Reinvent business.” as IBM suggests? How about promises of “greater agility in how [organizations] provision computing resources by drawing upon them on demand from third parties,” from Bell?

Have you used a search engine to identify, research and visit cloud computing vendors? Online search engines themselves are cloud services. Have you attended conferences or events devoted to cloud computing? Are you actively educating staff on cloud computing?

What cloud services are you considering or have you used? Why did you choose them? How does your organization use cloud services, and what have they done for you?

Do you know the risks associated with storing personal or corporate information in the cloud? Do you think cloud service providers offer existing and potential clients sufficient information to understand the risks and responsibilities associated with using their services and storing data with them? What about the service providers themselves? Are they taking appropriate caution with the data they store? Do they know all the relevant laws and regulations?

The Working Party recommends that:

All cloud providers offering services in the EEA should provide the cloud client with all the information necessary to rightly assess the pros and cons of adopting such a service. Security, transparency and legal certainty for the clients should be key drivers behind the offer of cloud computing services.

Do your service providers follow these principles? Should they? Is Europe ahead of North America on these issues?

It’s clear that more needs to be done, despite the Working Party’s detailed opinion on the issues of lack of control, availability, integrity, confidentiality, intervenability and transparency, and other cloud-related topics.

Nonetheless, it is good to see that the Working Party has highlighted issues that need to be tackled in the short to medium term to strengthen the safeguards.

Of the issues highlighted, a better balancing of responsibilities between provider and client is certainly a good one, which again points to the need for cloud computing policies.

In any case, we hope this post got you thinking and, as always, we welcome your comments.

Ron Richard
Quality management specialist



Quality, Information Technology and Enterprise Risk Management specialist at Ron Richard Consulting
Ron Richard, Quality, Information Technology and Enterprise Risk Management specialist, has held positions at almost every level of an organization and has acquired more than 30 years of relevant experience, including related work at the College of the North Atlantic. Ron is the author of Inherent Quality Simplicity and of the Inside Internal Control newsletter’s Modern Quality Management series.

