
Building Trust in the Cloud: Managing the Risk

The consensus is that the risk associated with moving to the cloud is still at a level where most companies are tentative about making the move. There is a willingness to look at leveraging cloud-based applications and placing data in the cloud, but it is a risk-based decision. The general feeling is that placing certain things in the cloud, such as a brochure, will enable an organization to use the cloud at some level without taking on huge amounts of risk. Alternatively, there are context-type cloud services, such as HR. Rather than building an HR environment within the organization, organizations are taking advantage of specific cloud services to obtain significant cost savings.

As a way to create an almost riskless environment, some companies are building private clouds and then sourcing that cloud out to provide cloud services to other companies within a small community.

Organizations still have a general lack of willingness to let go of data. For eDiscovery purposes especially, letting go of the data and allowing it to get into the cloud is problematic.

Security organizations continue to find a lack of willingness to be transparent on the part of cloud providers. Are cloud providers willing to let a client run vulnerability scanners on their environment? Will cloud providers provide weekly vulnerability assessments for the organization’s compliance purposes? Security organizations are still asking these and other questions.

The government is addressing cloud security challenges with the Federal Risk and Authorization Management Program (FedRAMP) project. This is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services (http://www.gsa.gov/portal/category/102371).