Listening to cloud providers, analysts and experts go on and on about the benefits of the cloud, it’s hard for me to believe more companies are not all-in when it comes to the cloud. Who wouldn’t want to lower costs, roll out new projects faster, scale up on demand to meet new growth, lower maintenance cost and provide resiliency and redundancy to the business? If that isn’t a formula for an IT director or CIO to get noticed, I don’t know what is. But like all good arguments there are two sides, and on the flip side of all the benefits are some lingering concerns around privacy and security — and these are not to be taken lightly.
Most organizations immediately duck and cover behind these two concerns as soon as the discussion about the cloud comes up, and they are not alone. Earlier this year 140 auditors got together at KPMG’s Audit Committee Issues Conference. At the conference they identified “IT Risk and Emerging Technologies” as the second-highest concern for them; this is behind “Governance Processes, Controls and Risk Management.” IT Risk and Emerging Technologies is up from the sixth position in 2011.
Their fourth most-important technology-related concern is “Information Privacy/Security and Cyber-security.” Their last concern is “Interaction with Auditors.” That would be my last concern as well if I had a handle on all the other ones.
I also found it interesting that many attendees said their committees would be more effective if they included expertise from IT. They definitely would be more effective because IT would probably scare them straight — straight out of the cloud, out of social media, they’d probably close the door on the consumerization of IT and anything else beyond their control (which is pretty much anything IT related).
New things are definitely discomforting and cause for concern; but if you wait long enough, it may come back full circle. I barely remember high school, but I recall pagers were the hot gadget to have. You could receive a message that displayed a phone number and then you were supposed to call that number. Then came the bag phone, the car phone, the brick phone and now the smartphone (I skipped a few years to save some time). We sure went through a lot of phones over the years and did a lot of talking on them.
Today some say our social interaction skills are diminishing because we don’t talk enough; we just send text messages. We’ve come full circle — we’re back to just receiving a message. Is the cloud going to take a similar route as it progresses through the hype cycle? Or should I say “Will in-house apps and in-house operations become fashionable in the future?”
If or when the cloud dominates IT operations, it just might be privacy and security that stand in its way and bring us back to where we started. When the business-critical applications and data are all in-house, IT is in control and can use solutions similar to Quest’s Reporter, ChangeAuditor, InTrust and Access Manager to answer all the auditors’ questions about security and compliance. The quicker the audit committee can respond to the auditors’ questions, the less it will have to interact with them.
Using solutions like these, they can easily tell the auditors who has access to what data, when they got it, who gave it to them, and what they have been doing since they received that access. They can also say when their users are logging in and if administrators are abusing their privileges.
When a company’s data enters the cloud, can these questions easily get answered? If I were on an audit committee, my number-one concern definitely would be emerging technologies and the risk IT presents to the organization. And if I couldn’t easily answer these questions when my intellectual property was in the cloud, I’d definitely have several sleepless nights. I’d either demand more oversight and auditing, or I’d never let someone else manage this data. At least when it’s in-house, I’d know who has access and what they have done.
Tom Crane is the product group manager for Quest Software’s Active Directory, Exchange, File Server, Windows and Unix auditing and management solutions. He is responsible for the technical direction and field execution of these solutions. Prior to this position he managed the architecture specialists for the compliance products at Quest. Prior to Quest, Tom worked for a division of News Corporation and financial institutions.