Cloud service providers believe their customers are responsible for security, and license accordingly. That is the message cited by David Rosenbaum in his article on security risk and liability in the cloud.
“Cloud,” says Bruce Lynne, managing partner of Financial Executives Consulting Group, “is just a fancy word for outsourcing.” And, as smart CFOs know, when a company outsources, it sheds work, not responsibility.
Anyone contemplating cloud computing should read this article to get at key licensing issues which tech industry hype glosses over. Rosenbaum identifies a key point about cloud – it is a financial decision and requires intense effort by the CFO and company lawyers to be successfully implemented. The big issue is security, the related liability from security failures, and what can be done about managing the business and financial risks of the cloud.
But while the policy may be familiar, the ramifications could be huge. That’s because the cloud — which enables companies to outsource everything from e-mail to ERP and then access it all through a browser — is inherently insecure. The same ease of access that makes it appealing also makes it vulnerable. Yet many non-tech-savvy buyers of cloud services are not adequately aware of the security issues, says James Reavis, director of the nonprofit Cloud Security Alliance.
The recommendations include negotiation advice, things to learn about your vendor, and encouragement to be bold about getting the security your firm needs. Security needs may trump some common cloud architectures. For example, the need to “find out who’s in the cloud with you. If the provider has an insecure customer, that makes you less secure” argues against common multi-tenant approaches to cloud applications. This advice also applies to “private cloud” offerings (anything delivered via a browser even if it is implemented on premises). In short, by selecting a vendor that you can reliably partner with, you gain an opportunity to manage cloud security risks.