Unfortunately, this approach brings many new security, performance, and fault tolerance issues. By implementing corporate solutions with no IT involvement, users potentially create conflicts with existing systems, configurations, and applications. Unqualified personnel have little understanding of the regulatory and compliance requirements that they may be defeating.
"While these cloud applications may offer quick resolution to specific feature needs, the risks and vulnerabilities they introduce can lead to significant costs in damages, systems failures, breaches and fines for noncompliance," explains Irvine.
For these very reasons, all cloud adoption needs to be subject to risk assessments, contract review, compliance checks, and internal policy checks.
"Many organizations are finding that they have pockets of cloud services appearing throughout the organization despite not having a corporate policy on the adoption of cloud computing within the enterprise," says Steve Durbin, Global Executive Vice President, Information Security Forum.
When no one from IT, procurement or legal is involved in moving to the cloud, the organization can lose all of its governance of related data, applications, services, and infrastructure, says Talbot-Hubbard.
Overestimating cloud security
In the rush to adopt cloud services and realize the potential savings they may give, notes Durbin, companies are concentrating on the functionality of the cloud services and failing to ask questions about the way cloud providers deliver security across their services or how that security can be checked.
This happens when companies assume that because cloud service providers service multiple companies, they have a larger security department and stronger policies, processes, and procedures.
"That is often not the case," says Irvine.
Often cloud service providers will attend to the basic levels of security in-house and depend on automated security applications and platforms to fulfill the bulk of their security practices.
Other cloud providers may outsource higher levels of security that are outside their core expertise to third-party providers. But the security services of these third-party providers may not be included in the contractual requirements and SLAs that the cloud provider shares with the customer.
"You have to require the service provider to maintain specific security functions, document security tasks, and provide copies of all security policies and practices as well as security reports," says Irvine.
Failing to understand the costs
When cloud providers put their wares on display, they often showcase basic offerings for the sake of cost comparisons by potential customers.
"Unfortunately, after engaging a service provider, companies frequently determine that additional services, software licenses and even hardware licenses are required to perform all the IT tasks to which the business has grown accustomed," says Irvine. Security costs and those related to compliance (and, significantly, the documentation of that compliance) can similarly rise.