From the April 2011 issue of Treasury & Risk magazine

Cloud Containment

Security improves, but don't forget to read the fine print.

As cloud vendors mature, Web-based delivery of applications, storage and infrastructure is getting more secure and trustworthy. That doesn't mean that the risks are gone--they've just migrated to a more difficult-to-manage form. Today, big-name cloud providers like offer top-notch security, auditability and compliance. Even Google provides a compliant e-mail hosting solution for regulated industries such as healthcare and finance. Providers can now meet corporate needs, experts say, as long as companies do their security due diligence and pay attention to contract fine print.

In 2005, Atlanta-based Cox Communications began using BlackLine Systems' hosted services to replace its manual financial close process based on spreadsheets. Now, the $9 billion cable operator is moving to a cloud-based version of the same system, BlackLine's OnDemand offering.

What worried Cox about moving from dedicated, hosted servers to the cloud environment? "We have a security team that specifically deals with these reviews, and it's a long and rigorous process," says Tammie Coley, executive director of enterprise accounting and financial systems at Cox. "The BlackLine application meets our specifications." Coley adds that she was further reassured by BlackLine's SAS 70 Type II security audit.

"We don't have to have hardware or software, so our technology team can focus on things that are more core to our business," she says. Getting upgrades in a timely fashion and not having to schedule them is a big plus, Coley says. "We also like the idea of our employees being able to access the tools from home," she adds, noting the huge snowstorm that hit Atlanta in January. "We were all locked in our homes for a week," she says. "It was extremely convenient to have BlackLine available to us at the time."

Coley has an iPad, and since BlackLine's cloud product is Web-based, it's accessible from an iPad.

"I was out of town and in the middle of the monthly close," she says. "I was monitoring the monthly close through BlackLine on my iPad. I could see everything, just as if I was there in my office."

BlackLine's cloud-based application, like others, is accessed through an encrypted connection. It's a secure access mechanism, used for online shopping and banking. Some cloud providers augment that with one-time passwords delivered by cell phone text messages or key fob devices.

For access to cloud applications that aren't browser-based, companies can use virtual private networks, which create an encrypted tunnel through the Internet, says Ralph Presciutti, a technology expert at consulting firm Tatum in Atlanta.

Presciutti recommends asking for a cloud vendor's security review, a SAS 70 or the tougher SAS 70 Type II audit.

But not every application needs the highest grade of security. ClubDrive Systems, an Atlanta company that hosts applications for corporates, will put systems in a SAS 70 environment if clients request it. "If they don't need it, they prefer not to pay for it," says John Alston, ClubDrive's CEO.

In fact, clouds can offer a security advantage over traditional software, since cloud providers specialize in making their application as secure as possible, spreading the costs of that effort among many customers. On their own, companies might not be able to afford the same level of security.

Just keeping software patched and up to date can be a daunting task for businesses. "Typically, IT shops struggle with that because they're underfunded and don't always have the resources," says Adam Rice, chief security officer at Tata Communications, an Internet service provider that offers cloud-based security services. "Cloud-based computing is something that, over time, will actually change the paradigm of things."

But Rice warns that customers need to do due diligence. At Tata Communications, he says, clients regularly come in to do their own security audits, and some insist that the right to do surprise inspections be included in their contracts.

Cloud providers' service agreements can be very complex, says Mark Gilmore, president of San Jose, Calif., technology consulting firm Wired Integrations, and many are biased in favor of the provider.

"One larger provider that I know of does not allow clients to back up their own data from the cloud," Gilmore says, "virtually locking them into a permanent contract. CFOs need to pay attention to the details and the fine print or regret it down the road."

One group recently hit hard by a provision in a cloud vendor's contract was WikiLeaks, whose hosting provider, Amazon, cut it off, says Robert Scott, a lawyer specializing in technology issues at Texas-based Scott & Scott.

"When WikiLeaks was in the news, Amazon turned off their services, citing that they had the right to terminate," Scott says. "When you're dealing with cloud contracts, the termination provisions in the contract could make the difference between being up and being completely unable to operate."

Companies should also take a look at intellectual property rights, he adds, and who owns what if the contract is severed or the cloud provider goes out of business. Finally, companies can talk to their vendors about network security and data privacy, and ask the vendor to take out an insurance policy in case of a breach or data loss, Scott says.

Cloud computing empowers employees, letting them set up online groups, meetings, e-mail systems, blogs, document repositories and project management sites quickly and cheaply.

There's no way to stop it. Even if a company shut off access to every Web site offering cloud services--DropBox, Gmail, Yammer, WebEx, LinkedIn and thousands more--employees could simply take out their iPads and carry on.

And the potential risks are large, says Michel Janssen, chief research officer at the Hackett Group. Most consumer-oriented platforms don't offer built-in compliance or heavy-duty security.

And there's the provisioning issue: If an employee sets up, say, an online document repository, fills it with sensitive corporate documents and invites colleagues to share it, when those colleagues leave the company, they might retain access, since user account management isn't centralized with HR. Similarly, fired employees still might continue to access work-related social networks, project management sites, meeting rooms and blogs.

Enterprise-focused cloud providers like allow corporate clients to centrally manage users, Janssen says.

"It's the democratization of information," he says. "There are attempts at trying to lock it down, but I think the attempts are going to be very difficult to enforce--in particular, with mobile devices."

For a previous look at corporate adoption of the cloud, see Cloud Computing Rolls In.

Page 1 of 2

Advertisement. Closing in 15 seconds.