Research: Cloud Governance, Risk and Compliance
Navigating the Storm: Governance, Risk and Compliance in the Cloud
Q: What’s more fashionable than government bailouts, Twitter, hybrids and pimping your greenness?
A: Cloud computing, that sexy new IT concept that everyone is talking about, but no one seems able to clearly define.
Besides buzzwords like SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service), cloud computing provides IT groups with extra potential layers of abstraction, extremely complex interdependency models—and an unsettling level of uncertainty about where our data goes, how it gets there and how protected it will be over time. If you’ve got a nagging feeling that much of the current discussion seems new, yet somehow strangely familiar, you aren’t losing your mind. We struggled through similar issues a few years ago when application service providers were all the rage. This time around, when it comes to defining the scope of the phenomenon, the only thing all parties seem to agree on is that cloud computing represents something that is not local—not at your site. This oversimplification is understandable given that, for network engineers, the generic cloud icon has for decades represented everything from foreign networks and remote sites to the rats’ nests we really don’t want anyone asking about.
Oddly enough, those examples do a decent job summarizing the cloud computing vendor landscape, too. Joking aside, we recognize that oversimplification doesn’t help risk managers who must sign off—or not—on IT and business leaders’ proposals to outsource some part of the “technology stack” to a third party.
Prudent teams will approach the decision not with a binary mindset, but rather with a focus on evaluating the true performance, cost and risk implications of embracing a new model to achieve a specific goal, often cost savings. In this InformationWeek Analytics report we provide a guide to doing just that, along with analysis of how the nearly 550 business technology professionals who responded to our survey perceive cloud computing risks. Parts of the cloud governance, risk management and compliance picture remain a bit hazy, but fortunately, we have a guide to achieving clarity.
Survey Name: InformationWeek Analytics Cloud Computing Survey
Survey Date: February 2009
Region: North America
Number of Respondents: 547
Table of Contents
Author's Bio
Executive Summary
Research Synopsis
We Have One Question for You
More to Worry About
Window to Security
Business Viability Concerns
Performance and Availability Risks
Legal, Contractual and Compliance Risks
The Skies Ahead
Appendix
About the Author
Greg Shipley is the chief technology officer for the information security and risk management firm Neohapsis. Since the beginning of his career, Greg has been active as an information security practitioner, starting out in IT operations, later moving into penetration testing, and eventually working his way up to in-depth product evaluation and security program management.
Greg is well known in the industry for his insight into technology and product trends. He is a contributing editor for InformationWeek and a frequent speaker for industry organizations such as IANS and ISSA. In 2001, Greg received the prestigious Neal Award from the American Business Media for Best Single Article, and he continues to be a prolific author today. Over the past 10 years, Greg has been responsible for evaluating, testing and writing about the evolution of information protection technology and has earned a reputation for in-depth and candid analysis.


