Organizations are moving to the cloud, some faster than others. However, moving to the cloud presents the enterprise with a number of risks to assess. Depending upon an organization's risk appetite, these risks may be significant. At the core of these risks is the inability of many cloud/Web 2.0 vendors to meet regulatory and legal requirements that are commonly encountered by many enterprise customers.
At the top of the list of risks for many organizations is security of information. This may be driven by a need to protect intellectual property, trade secrets, personally identifiable information, or other sensitive information. Putting that information into the hands of a third party is certainly not uncommon. Having the third party place that information into a shared storage environment is somewhat less common. Having that information available on the Internet requires a significant investment in security controls and monitoring. Of concern is that many of the Web 2.0 applications contain no provision for monitoring content or traffic to ensure that sensitive information is not being transmitted inappropriately.
Use of Web 2.0 tools also requires assurance that the pathway to the data is adequately secured. With information theoretically accessible from any point on the Internet, the provider must be assured that the computer/user accessing the data or application is properly authorized. This requires a very high degree of coordination between the enterprise and what may be multiple service providers. The information being stored by the third party needs to be secured from the third party's access as well. This need will likely be met by increased use of file and message encryption and public key infrastructure. Increased encryption, however, will likely mean loss of information when decryption keys are lost or a file becomes corrupted. Nonetheless, ensuring security of information outside the enterprise will be a growth opportunity both for the enterprise and the supplier community.
Today's buzzword for what we knew as "disaster recovery," resiliency refers not only to uptime and availability, but it also has a focus on not allowing critical information to be corrupted or lost.
A challenge for many providers is ensuring that customer information is protected, but with shared data centers and storage devices, information from multiple customers may end up in the same backup media, creating issues when the media is restored and potentially exposing confidential customer information to third parties.
The enterprise will need to pay special attention to the means by which the provider will ensure uptime and access to information, as well as where and how the information will be stored and backed up. Some Web 2.0 suppliers will be unable to customize their offerings to meet these requirements and will be unwilling to make fundamental changes to their business model to meet enterprise resiliency requirements. Free services will typically offer no enterprise-level resiliency. A significant concern is enterprise data managed on consumer-grade systems. While, statistically, Web 2.0 applications "simply don't have downtime," the reality is that an interruption in service by the provider can seriously affect numerous customers.
The current climate for e-discovery assumes, for the most part, that an enterprise knows specifically where its information is being stored, how it is being backed up, and how it is secured. The rules also assume that an enterprise will be able to physically examine storage devices and, when required, examine storage media for evidence of erased and/or deleted files. In the cloud/Web 2.0 environment, the enterprise may have little or no visibility to storage and backup processes and little or no physical access to storage devices. As noted above, the data from multiple customers may be stored in a single repository. …