Thursday, May 5, 2011

Cloud Services Call for Security and Assurance

Ever since companies have been making use of cloud services, they have recognized the risk involved in outsourcing critical applications to a cloud provider. They know that the safety of their data depends on the adequacy of the controls the provider has in place. Many of these companies have therefore placed an emphasis on the wording of their contracts, seeking out terms that limit their exposure and shift as much liability as possible to the provider.

The trouble is that this does not really address the problem. Once a breach takes place, the damage is done in terms of the impact on customers. The real damage is often felt in future business and reputation. While some of this can be compensated with large legal settlements, that is really an ineffective and expensive way to do it.

The best approach is to take preventive steps. This means making sure that the provider has the very best controls in place before a breach happens. This can only be done by hiring an auditor to provide an assurance report on the provider's system - a service organization report. All of the big accounting firms have IT security experts who are very good at providing these reports.

Companies are remiss if they outsource important applications and do not obtain such reports. The money spent on them is a cost that can be much less than the business costs of a breach later on.

For another take on the issue, check out this article.

