The cost-savings, the time-freeing transfer of responsibilities -- taking an application or function and moving it to the cloud can just sound so right. Unless you're Richard Dorough. The former chief information security officer (CISO) used to make it his mission to find out was wrong with moving to cloud. Now a managing director in the PricewaterhouseCoopers (PwC) U.S. advisory practice focused on cybersecurity, Dorough makes no bones about how he used to feel about cloud computing: If he had had his way, everything would have stayed on-premises.
"Back then, I felt like I had a mature state of security in that organization, so to move my environment into the cloud didn't make a lot of sense to me," Dorough said.
But Dorough didn't allow his skepticism to get in the way of progress. He didn't soften on moving to the cloud so much as he demanded it be given a harder look from the CISO perspective.
"We put a lot of time and effort into securing our organization, so I had to know what was the value of moving to the cloud? … Were we going to see savings?" he said. "If we got past that question and saw potential cost savings, then we'd be able to do a sufficient security evaluation of the host who'd be hosting our data."
As part of his cloud vetting, Dorough ranked each area -- data, risk and security -- on a scale of zero to three. A zero would indicate that a move to the cloud could do more harm than good; a three denoted that a move would most likely be beneficial. If all three of those points satisfied him, only then would moving to the cloud get his stamp of approval. Every IT situation, in every company, is different. But Dorough's mental checklist could serve as a helpful, commonsense tool for any CIO (or CISO) faced with the decision of whether to make that move to the cloud or keep a function in-house.
No. 1: Discuss the data
When the question arises about a product or service moving into the cloud, Dorough's first thought is "Let's talk about the data." It needs to be determined whether any of the data involved contains information that would be considered too sensitive to move out of the immediate grasp, so to speak, of your own IT organization.
I'm not suggesting they don't exist, I've just never seen a situation where a cloud provider fully owns the risk.
managing director of cybercrime incident and response, PricewaterhouseCoopers
"I use the example of moving the formula for a particular favorite soft drink to the cloud -- something you'd have to take out of a physical safe to put it in the cloud. That would be the highest-risk type of data that I wouldn't move to the cloud," Dorough said.
But the data doesn't have to be a decades-old proprietary secret to get the thumbs-down. In some cases, sensitive data may be more "everyday" types of information such as customer credit card or Social Security numbers. Like the secret soda solution, Dorough would score the value of moving that information to the cloud a zero -- data he would not condone releasing off-premises.
For Dorough, data that earns the highest scores contains information that is already public-facing. For example, something like a dictionary or encyclopedia, that perhaps you're selling as a service but is publicly available.
"You've got to assess the value of the data and see if it's something that you should or could move," Dorough said. "In some cases, the cost of doing business with high-risk data, it's equal, it's just as cost-effective to do it internally as it is to do externally; that's why I then suggest moving on to the contract."
No. 2: Review the risk
The need to assess cost-effectiveness leads to Dorough's next question -- who owns that risk? If the risk falls fully on your company, if it's written into the contract that you are the owner of the data and all risk associated with that data, score the cloud value at zero.
A contract in which risk is shared between your company and the cloud provider earns a slightly higher score. For example, if there's a penetration, any cost associated with the breach or the investigation -- the reporting requirements, for example -- would be shared. Dorough would value this arrangement at a one or two. If the cloud provider fully owns the risk associated with a move to the cloud, no matter what the data is, such an arrangement would score three or higher. But don't hold your breath.
"I'm not suggesting they don't exist, I've just never seen a situation where a cloud provider fully owns the risk," Dorough said. "But I do have a feeling they're moving in that direction or moving to a degree in that direction where they own part of the risk."
No. 3 Survey the security
No matter what type of data is involved -- including that public-facing dictionary -- a security assessment of the potential cloud provider is a must. It should be explicitly stated in the contract that your company be allowed to review the cloud provider's capabilities.
"If you go into the organization and you find there's no logical physical security around the assets and the data, that's obviously a zero," Dorough said. "At minimum, if their control requirements are in line with my requirements and the information standards I demand from a security perspective, I'd place a value somewhere between one and three."
More about making a move to the cloud
User-friendly data security measures for cloud and mobile
Cloud SLAs are more important than ever
Embracing cloud solutions based on business, economic sense
Zeroes across the board would obviously mean a solid "no" from Dorough, but even if a particular solution received top scores, he advised caution.
"If the cloud provider was responsible for all the risk associated with it, and I looked at their security and it was the best security I'd ever seen and I ended up with a nine, then it makes sense in my mind that there's something that should probably go into the cloud," Dorough said. "But that was the formula for my responsibilities as a security practitioner. It may have passed my test, but you still have to factor in the cost of it and the business value of moving it into the cloud."
Let us know what you think about the story; email Karen Goulart, Senior Features Writer.
This was first published in July 2013