Cloud computing - A paradigm shift and associated risks

CA Amrita Chattopadhyay, Last updated: 03 October 2017


Cloud computing is one of the most talked-about topics in the industry today. Basically, cloud computing is internet computing, where the cloud is a metaphor for the internet.

The "cloud" part dates back to the 1990s, when the term was used to refer to ATM networks. Network diagrams use a cloud symbol to represent the internet. It is a paradigm shift from mainframe and client-server computing to internet computing. Cloud computing provides an alternative to investing in one's own infrastructure and software.

Cloud computing basically means using server-based programs for remote storage of documents and data and to perform other computing for you. It is the ability to use software and data on the internet instead of on your hard drive, without the need to buy software and install it. It can help deploy new services more quickly, be more responsive to customer needs, and move IT costs from capital to operating expenses. Through cloud computing, companies can subscribe to an online service using a per-use model, thus reducing capital investments and making computing a variable cost.

The basic cloud computing foundation comprises the data centre (servers, network switches, Internet connectivity, etc.), virtualization software (used to segment physical resources between users), the operating system (Windows, Linux, etc.) and applications (Apache, MySQL, etc.). Together, these components "Power the Cloud" for millions of users. Amazon and Google, along with Microsoft, IBM, Dell, Yahoo and other small players, have just started rolling out cloud computing services. With applications automatically allocated on servers, clients are charged only for the space and services they use, bypassing the need to buy pricey in-house hardware and software.

The various cloud computing models include:

a) Private cloud - Enterprise owned or leased model
b) Community cloud - Shared infrastructure for specific community
c) Public cloud - Sold to the public, mega-scale infrastructure
d) Hybrid cloud - Composition of two or more clouds.

Various services offered by cloud computing models are:

Software as a service (SaaS) - which includes delivering applications over the Internet. The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a web browser. The consumer, however, does not manage or control the underlying cloud infrastructure, with the possible exception of limited user-specific application configuration settings.

Hardware as a service (HaaS) - which includes infrastructure and platform as a service.

Infrastructure and platform as a service (IaaS, PaaS) - which include deploying customer-created applications to a cloud and renting processing, storage, network capacity, and other fundamental computing resources. The consumer only has control over the deployed application and possibly the application hosting environment configurations.

Cloud computing has many benefits: it reduces the cost of ownership, helps business decisions to be taken faster, is accessible anytime, anywhere and on any device, is eco-friendly, and provides pay-per-use service. Driving this leap forward is the proliferation of high-speed internet connections, cheaper and more powerful chips and drives, and the construction of data centers that house thousands of computers. Every day, more users move their computing lives from the desktop to the cloud and rely on hosted web applications to store and access emails, photos and other documents. But this new frontier involves serious risks that aren't obvious to most users.

However, before heading for the cloud, organizations should do two things. First, they should ensure they have a secure network infrastructure in place to support cloud integration. And second, they need to make sure any prospective service provider will help them meet their security and data compliance responsibilities.

So, for organizations to fully harness the benefits of cloud computing, they need to first ensure they have a robust, high-performance, standards-based network infrastructure in place. All clouds share the same enablers: pay-per-use software, virtualization and automation, broadband networks, and large and robust data centers. The network is therefore the key to efficiently connecting and supporting these enablers.

Though cloud computing has many benefits, the risks associated with it should also be taken into consideration.

a) Privileged user access management - Confidential data of a company may be used / viewed by an unauthorized person.

b) Server unavailability and account lockout - Possibility of internet connection going down or the web server not functioning during an important presentation.

c) Lesser privacy protection under the law - There is no law against the hackers or the government agencies which can use the private data of a person which is online.

d) Location of stored data and regulatory compliance - This risk arises because the data may be stored in a different geographical location or a different country.

e) Data segregation - The data of various users may be stored on a single server. Data encryption accidents may lead to non-availability of data in time.

f) Data recovery / continuity plan - Since the data is stored across various data centres (DCs) at various locations, any loss is unknown to the user. In the event of data loss, the user is not aware of when the data would be restored.

g) Investigative support - Cloud services are difficult to investigate because the logs and data of multiple customers may be co-located and may be spread across ever-changing hosts and data centers.

h) Long term viability - In case of a merger or acquisition, the fate of the data becomes important. The service providers should provide details of how they would get the data back and whether it would be in a format that could be imported into a replacement application.

When using the cloud for storage or applications, the user needs to take responsibility for complying with regulations and ensuring that the data is secured.

Things to be kept in mind while using cloud computing:

• National laws and regulations
• State laws - if any
• Red flag rules
• Breach notification
• Industry standard

The person who takes the service of cloud computing should keep the following issues in mind:

• If it is an established company, how good is its security track record?

• Can it offer an assurance that the data will only be processed in accordance with instructions, i.e. data won't be retained for longer than required?

• What assurances can it give that data protection standards will be maintained, even if the data is stored in a country with weak or no data protection law?

• Can the vendor provide guarantees as to the reliability and training of its staff, wherever they are based? Do they have any form of professional accreditation?

• Can it send copies of your information regularly, in a standard office software format so that you hold useable copies of vital information at all times?

• What capacity does it have for recovering from a serious technological or procedural failure?

• What are its arrangements and record regarding complaints and redress - does it offer compensation for the loss or corruption of data entrusted to it?

Steps to be taken by the service provider to provide assurance and mitigate the associated risks:

• Assure your service receiver about your technical security arrangements.

• Guarantee your customers that the staff employed by you are trained and vetted to suitable standards, wherever they are based.

• Guarantee your customers that the data will not be retained for longer than instructed.

• Ensure that the data would be processed as per the instruction of the user.

• Explain your capacity to deal with serious technological or procedural failure.

• Explain the facilities you offer to maintain high data protection standards, even if the data is stored in a country with weak, or no, data protection law, or where governmental data interception powers are strong and lacking safeguards.

• Provide your customers with copies of their information regularly, in a standard office software format, so that they hold useable copies of vital information at all times.

Published by

CA Amrita Chattopadhyay
(Audit & Assurance)
Category: Info Technology
