Cloud computing – Impact on governance, risk and compliance

Increasing internationalisation, constantly growing IT requirements and increased cost pressure force companies to review their IT strategy with respect to integrating cloud computing. In addition, cloud computing promises high agility, flexibility, reliability, security, availability and effi-ciency.

For companies, there is a potential to map IT requirements on demand and to thereby concurrently lower the IT costs considerably. High one-time investment costs can be reduced, or even avoided completely, through usage-oriented cloud billing models. Fixed costs become variable costs.

In its Cloud Computing Guideline, BITKOM speaks of a „Revolution in providing and using IT“. Forrester Research pointedly summarises the fact that cloud computing is going to become an integral component of their IT strategy for many companies by stating: „The cloud is here to stay“. Various groups of experts (BITKOM, IDC, Forrester Research) expect growth in the double-digit percentage range. The European Network and Information Security Agency (ENISA) expects the cloud computing market to exceed 100 billion euro by 2014.

At the same time, Cloud Computing providers such as Amazon, IBM, Google, Microsoft and Salesforce.com promise to provide flexibly scalable complex services within the shortest period of time.

A key question, derived from the developments described, is: What impact does cloud computing have on the IT governance, risk und compliance requirements and therefore on the internal control system?*

We are very sorry – the hardware failed

On April 24, 2011, the largest outage in cloud computing history occurred with a world-wide impact on Amazon EC2 customers. Outages at an Amazon computing centre lead to permanent data loss. In an e-mail that Amazon addressed to its customers, they state:

“We are very sorry but ultimately our efforts to manually recover your volume were unsuccessful. The hardware failed in such a way that we could not forensically restore the data…  We apologize for this volume loss and any impact to your business.

Sincerely,

Amazon Web Services, EBS Support“

 

Sample Cloud Risks

The incident at Amazon illustrated the risks associated with cloud computing and the negative consequences resulting from them. In this article, additional examples of risks are introduced, followed by the relevant governance, risk and compliance questions you should ask as a potential cloud customer.

Loss of IT-governance

By using cloud services, the customer transfers a series of IT governance tasks to the cloud provider. This has several advantages but at the same time also harbours governance and compliance risks.

Questions relevant to governance & compliance:

• Are the roles, responsibilities and interfaces relevant to governance sufficiently defined and agreed upon?
• Has cloud computing been integrated into the company‘s own IT Service Continuity Management?
• How are the communication and escalation rules for emergencies defined and coordinated?
• How is the cloud provider integrated into the provider management?
• Do your requirements (for example: availability, backup & restore) match the cloud provider‘s SLA?
• How has change management been defined?

Impact on data protection

The integration of cloud services creates various data protection risks. For cloud customers, it poses a challenge to review the effectively controlled handling of data and to ensure that the data is processed in a legally permissible form and fashion because the outsourcing of data to a cloud provider is tied to data protection requirements.

In the Cloud Computing Guideline, BITKOM states with respect to this:

„If the data to be transmitted to the cloud provider contains personally identifiable information, such data may only be transmitted to an external cloud provider if the affected parties have given their consent to this or if statutory limited authorisations apply.“

Exempt from this are so-called commissioned data processors. Taking into consideration legal requirements, cloud providers may be considered to be commissioned data processors. One requirement, for instance, is that the cloud provider only assess, process or use the outsourced data within the EU and/or the EEA (European Economic Area).

Another challenge is the requirement regarding secure deletion of the data which potentially can not be assured at the required scope.

For this, there are two essential obstacles:

• The storage media used in the cloud are also used by other companies and can therefore not be securely deleted.
• The data is stored in different locations.

Questions relevant to governance & compliance:

• Which guidelines and processes have been established to ensure secure deletion of data?
• Within what time frame (SLA) is the cloud provider required to securely delete and/or destroy data?
• Is the data outsourced to the cloud provider assessed exclusively, processed or used within the EU and/or the EEA?

Compliance Risks

Cloud providers may be distributing their computing centres world-wide and may themselves in turn outsource areas to third party providers. This can have far-reaching consequences for cloud customers‘ adherence to compliance requirements. This applies in particular, if:

• The cloud provider can not provide proof of fulfilment of the relevant compliance requirements (for example through SAS 70 Type II certification with disclosed internal control system).
• The cloud provider does not allow audits ordered by the cloud customer.
• The cloud provider‘s outsourcing strategy to third parties is non-transparent.

Questions relevant to governance & compliance:

• Which options for auditing are available?
• Do the compliance requirements match those of the cloud provider‘s jurisdiction?
• What are the contractual provisions regarding the further outsourcing of outsourced areas by the cloud provider to a third party provider?

Lock-in to the cloud provider

At present, there are only limited processes that allow for a trouble-free move between cloud providers or backsourcing to the company‘s own IT. This can lead to a dependency on the selected cloud provider, especially if a data migration is not possible at all or only with difficulty.

Questions relevant to governance & compliance:

• Have strategies that would allow for switching providers and/or for backsourcing of the outsourced services been discussed?
• Which exit agreements (for instance guaranteed file formats) does the provider offer?

Conclusion

In some cases it is possible and makes sense to transfer defined risks to the cloud provider. However, not all risks can be transferred. If a risk manifests itself and leads to a situation where the company suffers a serious economic loss or loss of reputation, it is questionable whether the cloud provider can and will provide reasonable compensation for the damage(s) incurred. The principle applies that contrary to responsibility, accountability cannot be outsourced. The integration of cloud computing requires an early review of the changed IT risks and the setup of effective and efficient IT controls.

Here, the utilisation of standards and frameworks (such as COBIT, ITIL 27001, ISO 27002 und COSO) plays an important role and makes auditing easier at a later date. Before you decide on a cloud provider, make sure that you assess different cloud providers and have established transparency. Choose the provider which best matches your IT strategy – taking into consideration the issues relevant to governance, risk and compliance. Outsource your services into the cloud gradually – so that you first gain the necessary experience.