A well defined cloud strategy will deliver enduring value to a company, says PwC
27 November 2012
Posted by: SAIT Technical
Organisations need to carry out due diligence in terms of business and IT risk management principles before moving to a cloud environment, warns professional services firm PwC. "Careful consideration needs to be given to the security arrangements of cloud service providers, privacy arrangements and compliance requirements," says Charl du Toit, PwC Associate Director, Advisory Department.
Data security threats have increased significantly with companies moving more into the digital realm, and businesses conducting more of their activities online. Companies that use cloud computing will be exposed to new risks that need to be managed. These may include security challenges previously not encountered, the availability of services, IT governance, privacy, compliance and operational risks.
Du Toit was speaking at PwC's 6th Corporate Audit Forum, held in Johannesburg recently. The aim of the Forum is to provide a platform for heads of internal audit, the C-suite (CEOs, CFOs and so forth), audit committee members and company directors to share leading-edge corporate governance practices and develop insightful debate on contemporary issues.
'Cloud computing' is the storing, processing and use of data on remotely located computers accessed over a network, typically the internet. Cloud users usually make use of an internet-based service provided by a third party to perform information system processing activities on their behalf.
Cloud computing has gained prominence due to the benefits it has to offer. "It needs to be given consideration and placed on the CIO's board agenda," says Du Toit. Results from the 2012 Global State of Information Security Survey disclosed that more than 42% of respondents used cloud computing in the form of software as a service, platform as a service or infrastructure as a service. Survey findings also revealed that 32% of respondents perceived the greatest risk to their cloud computing strategy as the inability of cloud service providers to enforce their security policies.
Despite the increase in use and popularity of cloud computing, CIOs have significant concerns about the risks, says Du Toit. IT directors' main concerns are about keeping data safe and accessible. The risks also include possibilities of the loss of data, leakage of data, breaches of regulation and theft of intellectual property. Organisations need to consider these security issues carefully before making a move to cloud computing, says Du Toit. "Any company considering a move to a cloud environment must carefully assess what applications and data it can migrate, because cloud computing may not necessarily be appropriate for all business processes." It is also important to consider the financial viability of the service provider. "A business wants a reliable and credible provider."
"The unique risks associated with cloud computing services require a more comprehensive solution to third-party assurance beyond the traditional assurance framework of reporting. Organisations will need to respond to their change in risk profile when adopting a cloud computing model."
Cloud users often require third-party assurance over controls relevant to financial reporting, security, compliance, availability, privacy and operational risks. Widely accepted reporting mechanisms, such as ISAE 3402 (International Standard on Assurance Engagements 3402), the global assurance standard for reporting on controls at service organisations, provide assurance on controls relevant to financial reporting; on their own they do not cover the broader security, availability and privacy controls that cloud users also need assurance over.
Contractual rights and obligations need to be clearly defined for both the service provider and the user of the cloud. Provision must be made for service continuity, ownership of the intellectual property in respect of the service, the right to carry out an audit, security monitoring and reporting, compliance with service level agreements, and legal jurisdiction issues, particularly for services hosted outside of the country. "It is important to note at this point that just because you procure a cloud service from a South African service provider, it does not follow that the infrastructure for that service is based in South Africa. With cross-border data flows come legal implications that must be carefully reviewed," says Kris Budnik, PwC's Security & Risk Lead.
Many organisations also have concerns about privacy. Data privacy is a complex issue because some industries have specific requirements that need to be addressed. Various countries also have specific laws and regulations in place governing a host of issues including privacy, data ownership and the export of data. Consideration also needs to be given to the relative ease with which data and applications can be switched between cloud providers. Furthermore, organisations need to be aware of the requirements of the Protection of Personal Information Bill (PoPI). The aim of the Bill is to regulate the processing of personal information by public and private bodies in a manner that gives effect to the rights of privacy.
Du Toit concludes: "A well defined cloud strategy will deliver enduring benefit and value by enabling organisations to address the key challenges they face when transacting in a cloud environment."