<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://forums.blackbaud.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>PCI Compliance Blog : compliance</title><link>http://forums.blackbaud.com/blogs/pci/archive/tags/compliance/default.aspx</link><description>Tags: compliance</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP2 (Debug Build: 20611.960)</generator><item><title>Who Is Managing Risks in the Clouds?</title><link>http://forums.blackbaud.com/blogs/pci/archive/2009/05/01/who-is-managing-risks-in-the-clouds.aspx</link><pubDate>Fri, 01 May 2009 19:03:00 GMT</pubDate><guid isPermaLink="false">f90a95a0-00e2-4810-8af8-0bbdde08f853:41202</guid><dc:creator>Jake Marcinko</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://forums.blackbaud.com/blogs/pci/rsscomments.aspx?PostID=41202</wfw:commentRss><comments>http://forums.blackbaud.com/blogs/pci/archive/2009/05/01/who-is-managing-risks-in-the-clouds.aspx#comments</comments><description>&lt;p&gt;There&amp;#39;s no mistaking the buzz that cloud computing has created. From board rooms to break rooms, everyone these days is talking about &amp;quot;the Cloud&amp;quot;. Let&amp;#39;s face it, cloud services--whether they be software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS) offerings--are a compelling alternative to traditional IT functions. Cloud services offer increased collaboration, agility, scale, availability and cost reductions.&amp;nbsp; They can simplify and accelerate compliance initiatives and provide for greater security. However, simply outsourcing traditional business and IT functions to cloud service providers is no guarantee that these benefits will be realized. 
Organizations must continue to participate actively in managing the risks associated with outsourcing such services, particularly those that involve highly regulated information such as constituent data. Otherwise, those organizations might actually be increasing their business risks by outsourcing rather than transferring or mitigating them.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Outsourcing the processing and storage of constituent information doesn&amp;#39;t make it inherently more secure. &amp;nbsp;The nature of cloud services, by definition, lacks boundaries and therefore raises concerns with respect to privacy legislation. Whatever contractual obligations you may have negotiated with the provider, the requirement to protect your constituent information remains your responsibility regardless of where the data is located, including the cloud. Does your service provider outsource any data processing or storage functions to third parties? Do those third parties have adequate security programs? How do you know whether or not your service provider (and their service providers) have adequate security programs? While better than nothing at all, independent security assessments (such as those performed as part of a SAS70 or PCI audit) are point-in-time evaluations. Additionally, the scope of such assessments can be directed at the provider&amp;#39;s discretion and may not provide accurate insight into the provider&amp;#39;s ongoing security activities. &lt;/p&gt;
&lt;p&gt;The bottom line is that many questions still remain with respect to Cloud Governance and Enterprise Risk. Non-profit organizations considering migrating their fundraising activities and solutions to cloud services should first evaluate their own practices, needs and restrictions in order to identify legal barriers and compliance requirements. The security of the cloud computing environment isn&amp;#39;t independent of your organization&amp;#39;s internal policies, procedures, standards, guidelines, and processes. Security is a process, not a product, and therefore the technical security of your constituent data is only as strong as your organization&amp;#39;s weakest process. Comprehensive initial and ongoing due diligence&amp;nbsp;audits of&amp;nbsp;both your business practices and your provider&amp;#39;s practices are required when making the decision to push sensitive constituent information to the cloud.&lt;/p&gt;</description><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/PCI+DSS/default.aspx">PCI DSS</category><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/security/default.aspx">security</category><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/privacy/default.aspx">privacy</category><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/compliance/default.aspx">compliance</category><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/sas70/default.aspx">sas70</category><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/cloud/default.aspx">cloud</category><category domain="http://forums.blackbaud.com/blogs/pci/archive/tags/policies+and+procedures/default.aspx">policies and procedures</category></item></channel></rss>