
Cloud computing is “all the rage” right now. Does this sound nebulous to you? (Editor’s Note: Security expert Donald Hester peers into the cloud to assess the risks in this two-part opinion column.)


In a pure sense, cloud computing means taking a highly complex infrastructure such as the Internet and hiding all the complexity from the IT service being provided. Living near San Francisco, I guess a better metaphor would have been "fog" computing in that the fog hides everything from you and you only see what's right in front of you. That's what we are talking about when IT services are in the "cloud."


However, most people use the term to mean outsourcing an IT function, service, application, storage or hardware. While that technically is cloud computing, it is only a subset of what cloud computing really is. For this article, I am going to focus on the outsourcing aspect of cloud computing.

I have received a number of e-mails from readers and clients asking questions about cloud computing. Specifically, they ask about the security issues related to cloud computing or outsourcing a function of IT. Yes, we need to think about outsourcing for our organization, but we should also take the same issues into consideration when we use the same service for personal use.

One of the aids I often use when making an IT decision is the old pros vs. cons two-column brainstorming activity. All you need to do to get started is draw a simple line on a whiteboard or a piece of paper. In one column, list all of the pros and then list all of the cons in the other column and brainstorm different benefits and detriments of outsourcing that particular IT function. Once this exercise is complete, you will be able to make an informed decision.


There are a number of reasons why you might want to outsource a portion of your IT function. Generally, it is either to save money by cutting costs or to increase your current IT capabilities. You can actually do both with outsourcing. You can cut costs and increase capabilities by leveraging your IT staff's core competencies and outsourcing any areas that are not in their core competencies. In this way you can save money by having them focus on what your IT staff does best and increase capabilities by outsourcing certain functions to organizations that specialize in that area.

There are many more pros that you can use for outsourcing a particular IT function. In fact, most of the articles you find on the Internet address those pros no matter what service you're looking at outsourcing. Of course, the salesperson will give you all the pros you need.


As an IT security professional, when I talk about cons, I typically use the word risks. In other words, I ask myself this question: 'What is the risk of outsourcing this particular IT function?' I know it sounds really negative to always go around asking questions about all of the possible things that could go wrong. It makes you a real hit at all the staff parties. However, it's not a negative to find out what the risks are before you implement something new. The purpose of asking the questions is to determine what the risks are, whether the risks are acceptable and if there is anything that can be done to mitigate those risks. My legal-minded friends would call this due diligence.

Where is my data?

I want to revisit my metaphor of fog for cloud computing. Imagine yourself standing in Golden Gate Park on a really foggy day. It is so foggy that you can only see 10 feet in front of you. Now, imagine that you have a ball and take that ball and throw it as hard as you possibly can. What happens to the ball? It disappears into the fog. Now, you have a friend out in the fog that takes the ball and throws it back to you. Anytime you want the ball he throws it back to you. Because of the fog, you never really know where the ball is. However, when you want the ball, your friend throws it back to you. For all you know he can be throwing your ball to other people. The point is you really don't know where your ball is after it leaves your sight.

The same thing is true with cloud computing. Think of the ball as your data and your friend as the third party you outsource your IT function to. There are a number of questions you should ask any outsourcer before you place your data on their systems. Where do they store the data physically? Is it in the United States or in a different country? Do they encrypt it? Can their technicians look at your data? How do you know? Do they do background checks on their employees? Where do they back up your data?

One of the misconceptions people have with outsourcing IT functions is that they also outsource the risk; in reality they don't outsource the risk or the responsibilities for protecting the data.

The system is down again.

There is nothing more frustrating than going to your favorite restaurant to get your favorite food to find out that they are already sold out for the day. You want it but you can't have it because it's no longer available. Luckily, food is just a preference and you can always change your mind and get something else.

The same thing is true for IT functions. No one gives it a second thought when key services are just available. They come to be expected to be available one hundred percent of the time. Having worked as a network technician, I know all too well that you never hear anything when everything in IT is running fine. Then, when the e-mail server goes down for an hour, you never hear the end of it. The problem is that organizations have grown to depend upon IT services, and the more they depend upon them, the more money needs to be invested in those services to make sure that they're going to be available when needed. The same thing is true when outsourcing IT functions. We still have availability requirements, so when we sign a contract with a third party we need to make sure we have service-level agreements included in the contract.

(Editor's Note: Part 2 of Risk In Clouds will be published as part of the TechEDge eNews Update on October 6.)

Some helpful resources regarding IT clouds and security:

  • "Above the Clouds: Managing Risk in the World of Cloud Computing," by Kevin T. McDonald.
  • "Cloud Computing Implementation, Management, and Security," by John W. Rittinghouse and James F. Ransome.
  • "Privacy in the Clouds: Risk to Privacy and Confidentiality from Cloud Computing," a report by Robert Gellman.
  • "Seven Cloud Computing Risks," a Gartner report.