In a soon-to-be-released survey of CFOs in Hong Kong, CFO Innovation found that 59% regard themselves as proactive partners of the CIO in jointly devising the company’s overall enterprise cloud strategy and offering advice to the board on its adoption.
But 60% of those same CFOs admit that they have only limited knowledge of the cloud, with another 16% saying they have heard of it, but have no knowledge of it.
They should talk to Peter Koo, Partner, Enterprise Risk Services, at Deloitte China. A certified public accountant, he is also a certified information systems auditor, a certified information security manager and certified in the governance of enterprise IT, among a string of certifications.
In this interview with CFO Innovation’s Carol Ko, he discusses the cloud computing risks that “remain less visible to the community,” the lack of standards that amplifies the danger of vendor lock-in, and other issues that both CFOs and CIOs need to know. Excerpts:
How are different businesses responding to the risks associated with cloud computing?
Data security and privacy are the major concerns, especially for businesses that deal with critical processes and sensitive data in their daily operations. They include those from the financial services industry, government agencies and healthcare bodies, as they are regulated industries where compliance is required.
The public and healthcare sectors are more concerned about data privacy, especially in a public cloud environment [that is, cloud services owned and operated by a third-party vendor and offered to many different companies], where sensitive data such as personal information and medical records are being stored or transferred.
It is important that authentication and authorization have been properly defined and structured to prevent unauthorized access. Imagine the serious consequence of leaking a medical record of a politician or celebrity to the public and it is easy to understand why both data encryption and Identity Access Management are essential elements for a secure cloud environment.
For the manufacturing sector, companies focus more on system integration and customization of the cloud solution. Because of the high technological requirements, integrating a system with sophisticated manufacturing processes into a cloud solution is not an easy task.
Vendor lock-in is another high-risk area that needs to be addressed, as interoperability among different cloud platforms is not yet available. This makes it difficult to establish the initial communication channels among different cloud applications. Also, there is no guarantee of data integrity when changing the cloud service provider.
What are the most neglected or ignored risks?
Many studies have found that security and privacy issues are the top concerns when companies consider transferring their data to the cloud environment. The associated security risks and the reliability of cloud computing are constantly quoted and discussed.
While the major inherent cloud computing risks on access security, data confidentiality, legal and regulatory compliance are typically addressed, some of the following risks remain less visible to the community:
Lack of transparency of service provider standards and application programming interfaces (APIs). Proprietary standards and APIs can fail to provide portability, interoperability and federation, increasing the risk of vendor lock-in for organizations. It can also be difficult to set up a communication channel among different applications within the cloud environment, and there is no guarantee of data integrity when changing the cloud service provider because of the proprietary standards and APIs.
The second consideration is the rapid change of technology. When a certain standard changes, the organization may be required to invest even more to adopt [its service provider’s amended] proprietary standards and APIs.
Service level agreements between the cloud service provider and subscribers on:
- Ability of the cloud service provider to assure data privacy, integrity and confidentiality
- Location of the subscriber’s data, which may cause regulatory and compliance jurisdiction issues
- The service provider’s business continuity planning, including requirements on system redundancy and performance to support and maintain service levels
Business risks facing companies that adopt cloud computing. This includes neglecting the need to update [the organization’s] IT strategies and to address questions such as how the adoption will affect the different stakeholders, how the IT department can address the concerns of the stakeholders, and what value the adoption will bring to the organization’s culture, daily operations and information security management.
The failure to address and manage the above questions can potentially lead to an ineffective transition from the existing platform(s) to the cloud; black-box operation of cloud computing; and a reduction in the possible return brought by the adoption.
What auditing and compliance standards are lacking that hinder cloud adoption by banking and financial institutions?
Primarily, banks are concerned about the location and security of customer data, especially in a public cloud environment where customers’ data can be stored and moved among data centers in different parts of the world. Even if the data is stored locally, banks would face inconsistency challenges, meaning that regulations for cloud computing will be interpreted, audited and enforced differently.
Comprehensive regulatory and compliance guidelines or standards can provide companies with benchmarks to evaluate whether there is a sufficient level of security controls on the cloud platform. In the absence of such guidelines at the moment, there is no doubt that enterprises have a certain fear of the unknown, which slows down the adoption of the cloud technology.
We suggest that the auditing and compliance standards for cloud computing should include, but not be limited to, the following components:
- data privacy
- identity and access management
- data governance and exchange
- service migration
Cloud computing technology is still under development. Currently, the existing standards can only fulfill part of the compliance requirements and no comprehensive cloud-specific standard has been released so far.
What are the applicable standards that aid governance and compliance?
While the Statement on Standards for Attestation Engagements 16 (SSAE16), the replacement for SAS70, is the most widely used form of third-party risk evaluation for service providers, other Service Organization Control standards focus on the financial reporting processes and on controls related to security, compliance, and operations.
ISO 27001 is another popular certificate. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System.
These standards, which address different risk areas in terms of procedures and technical items, can help meet governance and compliance requirements of cloud computing.
However, some specific industries such as healthcare and government agencies may need additional standards to comply with industry regulations. Very often, these organizations are required to handle personal information and medical records. As a result, special care is needed in terms of physical/logical security and privacy.
As the concept of cloud computing is similar to that of IT outsourcing, some existing standards can cover most areas of cloud computing. However, there is also a need to enhance the existing standards to cover new dimensions, including cross-data jurisdiction and sharing of virtual space, ideas that are introduced by cloud computing.
Is it the case that the more standards adopted, the better?
Cloud computing standards are supposed to help an organization apply best practices while adopting the technology. In fact, many IT professionals see the lack of standards as the main barrier for a more timely adoption of the technology.
But we do not think having more standards is necessarily better. We see that more standards will translate into higher compliance and management costs. This will detract from the original purpose of cost saving through adopting a cloud solution.
Do organizations in Hong Kong, China and Singapore approach enterprise risk management in their cloud environments differently?
Hong Kong, the Chinese Mainland and Singapore adopt different approaches to enterprise risk management.
As a global financial center and logistics powerhouse, Hong Kong is regarded as one of the best free-trading markets in the world. Despite the endless opportunities demonstrated by this reputed free market structure, a number of financial crises have exposed the vulnerability of Hong Kong's economy to macro-economic changes.
In Hong Kong, business is typically regulatory driven. The motive and effort around ERM are mainly for satisfying relevant standards and regulatory requirements. Generally, companies are unlikely to invest in ERM proactively. Often, they wait and see if the technology is mature enough before considering making the investment.
On the Chinese Mainland, it is mainly the local provincial or city governments that are driving the agenda in terms of the strategic positioning and development of the city. The provincial cities, especially those far away from the major cities, are less likely to be impacted by the macro-economic environment. This is evident during the global economic downturn, when the country was still able to boost domestic consumption to support China’s robust economic growth.
Singapore is well-known for its stringent regulations and compliance requirements. That has translated into higher levels of awareness in cloud computing, and thus relatively more approaches for promoting and adopting the technology.
The Singapore government has already established a Central G-Cloud program aiming at establishing a G-Cloud connecting all government resources by 2015. The National Grid Office and Infocomm Development Authority have worked together to increase awareness and promote the adoption of cloud computing in Singapore through publishing and calling for proposals.
In addition, the adoption of the technology is driven by IT giants such as Microsoft, IBM and Hewlett-Packard, which have picked Singapore as the hub for their regional cloud computing initiatives. Singapore’s cloud computing sector is experiencing tremendous growth.