Cloud computing has become a popular way for organizations to host technology operations, software and data. It is perceived as more cost-effective than in-house solutions, reducing expenditures on infrastructure, staff and software, and as safer than traditional internal systems. While management is responsible for decisions about technology and its related costs, the board must be involved in developing a cloud strategy, because potentially significant risks exist that could have serious consequences for the company.
Cloud solutions are an excellent option for many organizations, but some business processes simply may not be appropriate for the cloud due to risk and regulatory concerns. Some companies have suffered by migrating to the cloud too quickly, without fully understanding the risks involved. For those organizations that could benefit from cloud solutions, there is no one-size-fits-all answer, with a wide variety of options available in the marketplace. Therefore, the board should play an integral part in determining the most beneficial strategy for the security, privacy and regulatory needs of the company and avoiding unplanned costs.
Depending on the demands of the company, cloud solutions fall into two broad categories: public and private. In a public cloud, applications and data run on shared, multi-tenant infrastructure that serves many customers at once. This is the more cost-effective option, but it may not meet the needs of companies with complex security or regulatory obligations.
Larger organizations with more significant storage and compliance demands are prime candidates for private clouds. These dedicated environments offer more control over data, access, auditing and reporting in a closed environment, but are significantly less cost-efficient. Another issue is that private clouds are often built on or connected to legacy systems and can inherit their existing security weaknesses.
If cost were the sole consideration, the public cloud would be the optimal choice. However, management must be cognizant of regulatory, security and privacy concerns along with the financial aspect of cloud solutions. As widespread as cloud computing has become, there still may be situations where a company’s unique needs simply are not a fit for its inherent limitations. In their oversight role, board members must ensure that management is evaluating the potentially substantial risks that could be introduced to the company.
Security and Privacy
A critical point for boards to understand when developing a cloud strategy is that the cloud is not always safer than an in-house system. The cloud comes with its own risks, and it may not be in the company’s best interest to trade one type of risk for another. A major provider’s infrastructure may well be engineered and monitored to a higher standard than aging legacy servers, but the provider secures only the underlying platform: the customer remains responsible for how it configures access, protects its data and meets its legal obligations, and moving applications can create new regulatory and legal concerns. As cloud services grow in popularity, they also become a more attractive target for attackers; even if the likelihood of any single attack succeeding is low, one successful breach could have a significant impact.
A host of IT compliance issues arises when a company decides to migrate to the cloud. These are often industry-specific requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the rules of the Financial Industry Regulatory Authority (FINRA). Regulations that could affect cloud solutions change constantly, so a company should consult qualified legal counsel and its internal audit function before deploying a cloud strategy.
Normally, the board would not be concerned with budgeting, as this falls under the purview of management. However, board directors should exercise risk oversight to ask management about possible hidden costs, such as whether business processes will be disrupted by a potential cloud solution, and whether special audits or regulatory reviews could disturb normal operations. The board must ensure that these risks are being managed properly to avoid potential financial damage to the company resulting from a reduction in productivity or regulatory sanctions.
With the increasing popularity of cloud computing and the significant cost savings that can be realized, the risks that come along with these solutions are sometimes ignored. With the board’s role of due diligence and risk overseer, it is critical to ensure that management has taken these risk factors into account when evaluating which, if any, cloud solution is suitable for the organization.
Daimon Geopfert is the national leader for security and privacy consulting at McGladrey & Pullen, LLP. Contact him at firstname.lastname@example.org.