Companies need to assess risk within the SaaS model
Wednesday, March 16, 2011
Posted by: Carolyn Duffy
Cloud computing is a new platform but like anything else, buyer beware
Cloud computing is drawing tremendous interest as a game-changing technology that can deliver lower cost of ownership, higher return on investment and increased efficiency. Legendary venture investor Marc Andreessen recently called it a “new architecture” for the Internet and said that all new consumer web investment opportunities that he sees are built upon the cloud.
Cloud computing – defined broadly as any computing accomplished over the Internet – draws crowds to seminars and produces many questions from company officials pondering whether to adopt it for their business. No new technology comes without risks, nor should any new technology be adopted without significant investigation. When I speak to these groups, the first thing I tell managers to do is a cloud computing risk evaluation.
First you need to lay out the general areas of risk. Based on my experience aiding clients in their decision on whether to use cloud computing and guiding them through the implementation, we’ve found that cloud computing risk assessments produce common pros and cons. First, let’s look at the pros.
1. Security, both physical and logical, is outsourced. Security controls for a typical company are much less effective than those offered by a competent, qualified cloud computing provider. I ask company officials at seminars, “How many of you have done an intrusion detection test?” Usually, none have. Although many people feel that their data is safer stored onsite than at a remote storage facility, that is not the reality. Your typical company cannot afford the world-class security that these cloud companies can provide. Every day there are new attacks on computer systems; security is the No. 1 concern of cloud computing providers. They know that if their security is breached, it will affect their business. The other reality is that most hacking and theft is within your company, not from outside threats.
2. Staying current. With an on-premise system where you bought and installed software on your own servers, it’s up to you to upgrade new software releases on your system. Many times companies will choose not to upgrade their systems, citing the cost of upgrades and potential compatibility problems between the upgrades and other company systems. However, non-upgraders run the risk of being “de-supported” by the software vendor. This means that what you’ve got is what you’ve got and you no longer will be supported by vendor service and help.
The cloud doesn’t work that way. The vendor applies software patches and upgrades and, with the collective help of its clients, does “sandbox” regression testing – running new software through a series of transactions to ensure they process accurately. This ensures clients are always current on the new release. If there’s a bug, it will show up on the systems of the entire community of clients and be fixed quickly. Because upgrades are mandatory, it also lessens the risk of erroneous patching. There is only one code set and it’s kept current by the cloud provider, validated through the power of the group. Finally, hard infrastructure maintenance costs are lower. You don’t have the servers, T-1 lines, wires and boxes to maintain. All you have to worry about are the browsers.
3. SAS 70/SSAE 16 reports. If you operate your own on-premise system, you are responsible for the IT general controls that may be required by regulatory agencies. In contrast, a cloud service provider bears the expense of having a SAS 70/SSAE 16 report on the operating effectiveness of its controls. That SAS 70/SSAE 16 report transfers the IT general controls in place at the service provider to the users. It offers assurance that your internal control objectives over relevant systems, services and the underlying information technology are being met.
4. Built-in disaster recovery. Recovery of data after a disaster is a key to any system, on-premise or cloud. Cloud providers are usually better prepared. But before hiring a cloud provider, you should require details on their disaster recovery and data backup procedures. Avoid any provider that can’t provide a back-up plan that satisfies you. Routine back-ups are in the same category. Read the SAS 70/SSAE 16 report and if you don’t think routine back-ups or disaster recovery procedures are sufficient, look elsewhere.
Here are some cons that can concern people when they evaluate risks of cloud computing:
1. Data ownership. People worry about who owns the data, and that anyone can come in the data center and just grab it. Cloud computing is like having a safety deposit box; it’s supposed to be safe, but it’s still somewhere else. Although your data is probably safer on the cloud server, this risk needs to be explored and you need to be comfortable with it. I’ve seen people from Canada worried about the U.S. Patriot Act, which allows the government to access your data. Also, what happens if the IRS audits someone else whose data is on the same server as my company? Does that give the IRS the right to grab my data as well? No it doesn’t, but there are some gray areas that the courts will have to decide.
A cousin to the data ownership risk is what happens if a cloud provider fails, goes bankrupt or is bought out? What if their servers become obsolete and need to be replaced? Customers have to demand a well-defined exit strategy that confirms that your data files will be sent to you or another cloud provider in these events.
2. Outages. This includes your internet service, which may fail at a critical time; you need to be confident that your provider is reliable. It also includes the risk that your provider will shut down. NetSuite, for example, has a 99.97 percent average uptime. Review the provider’s reliability guarantee to avoid productivity losses. Lastly, geopolitical risk is not a major one, but it exists. In Egypt, the government shut down the Internet after the opposition used Facebook to rally together. This is mostly a risk for companies operating internationally.
3. Loss of customizations or legacy integration. Mandatory upgrades in the cloud code set can result in a loss of customized functionality or integration to a legacy system. Make sure that the cloud provider informs you of the details and dates for all upgrades, and provides a sandbox to test the software. Although most companies use only about 20 percent of a system’s capability, your company may feel that your unique processes offer you a competitive advantage in your market. You have to be sure you won’t lose your competitive edge.
Cloud computing is on the rise, being embraced by industries – including health care, broker services, government and even financial transaction processing – that are confident that the systems are secure. Still, it doesn’t mean you shouldn’t be a smart shopper. Look at and weigh all the risks prior to making your own decision.
About the author:
Carolyn Duffy, CPA, is a director of business advisory services for Hein & Associates, a full-service accounting and advisory firm with offices in Denver, Houston, Dallas, and Southern California. She specializes in cloud computing software implementation, as well as designing and implementing methodologies for SOX 404 and IT service lines. Carolyn can be reached at firstname.lastname@example.org or 303-298-9600.