Controlling the Cloud
Gerald Trites, FCA, CA*IT/CISA
Cloud computing has been growing continually for the past couple of years. Although outsourced computing is nothing new, the growth of the cloud is because of the increased viability of the Internet as a business computing platform combined with the advent of new Cloud Platform providers, including notably Amazon, Google, IBM and Microsoft.
The term Cloud computing refers to the use of the Internet as a computing platform, together with open source and freeware applications that are used on a pay-as-you-go basis. As a result, cloud computing offers the enterprise greater scalability and flexibility than conventional solutions. This enables the enterprise to respond more quickly to changing environmental issues and business opportunities.
From a management viewpoint, the cloud presents issues of control. The internet itself, of course, always presents control issues, although many of these have been addressed by most companies over the past few years. In the Cloud, however, these issues become more serious, because the use of the internet is more pervasive. Also, cloud solutions have had to introduce high level security solutions in order to meet the standards expected of most major companies. Accenture has issued a white paper on cloud computing that addresses many management and control opportunities and issues.
One of the issues that continues to exist, however, is a lack of independent auditor opinions or other certifications of the control systems in place over cloud solutions. While some vendors are trying to step up to the plate, others have been slow, and this has slowed the pace of cloud systems development. Internet based vendors, like Amazon and Google have been slow to formalize their processes to the point that such opinions and certifications can be given. This will change, but in the meantime it represents a challenge and an opportunity for IS auditors.