(Sorry for the delay. Been busy lately. Here’s my article about cloud computing)
The increasing globalization has posed significant changes in the way we do business. As a result, process improvements led to automation, sophistication, and reduction of resources needed for business. One of these is the introduction of Cloud Computing.
The term cloud computing became the new buzzword when companies like Amazon.com, Google, HP, IBM, and Microsoft launched their cloud computing platforms that supports information processing and the delivery of services to their customers. It is defined by the National Institute of Science and Technology “as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. Simply put, it refers to a “server-less” environment either on premise or on-demand by utilizing the web.
Why utilize the cloud?
The main driver towards the buy-in of cloud computing services by CFOs and CEOs is cost savings. In a cloud computing environment, there are no new infrastructure, no personnel training, no license cost, and no periodic maintenance cost (since it is server-less). Usually, cloud computing is subscription-based and pay-per-use service. An additional advantages of committing into a cloud computing service are agility, device and location independence, reliability in case of disaster, scalability, performance, security and maintenance.
Is there really cost savings?
However, CFOs and CEOs must be aware that the perceived savings from these cloud computing environments may not be fully realized because of the “hidden gotchas”. Jeff Muscarella, executive vice president of IT division of NPI, a spend-management consultancy says “six months-in, the CFO might be wondering where all the savings are”. According to him, there are six potential pitfalls that can make cloud cost pile up higher than expected:
1. Not taking full account of financial commitments on existing hardware. IT departments that have much of the responsibility for technology decisions and purchases may underappreciate the financial impact of committing to a cloud provider before existing physical equipment is fully depreciated. If that equipment cannot be repurposed, the ROI of moving computing workloads to the cloud may suffer.
2. Not factoring in your unique requirements when signing up for a cloud service. Most cloud offerings are fairly generic, as they are designed for the masses. For specialized needs, such as a retailer's need to comply with payment-card industry regulations, a company is likely to face additional charges. Be sure you understand such charges before signing a contract, says Muscarella.
3. Signing an agreement that doesn't account for seasonal or variable demands. In the contract, don't tie usage only to your baseline demands or you'll pay for it. If high-demand periods are not stipulated up front, there are likely to be costly up-charges when such periods happen.
4. Assuming you can move your apps to the cloud for free. Many software licenses prohibit the transfer of applications to a multitenant environment, but the provider may let you do it for a price. If you think you may want the flexibility, ask for such permission to be written into licenses at the time you're negotiating them.
5. Assuming an incumbent vendor's new cloud offering is best for you. Many providers have added cloud-based infrastructure to their traditional outsourcing and hosting services, but they're not motivated to give existing customers the lower price point that the cloud typically offers. "They're struggling with how to develop these new offerings without cannibalizing their existing revenue stream," says Muscarella. If you want to switch to a vendor's cloud services, do it at the end of the current contract term, when you can get negotiating leverage by soliciting other vendors.
6. Getting locked in to a cloud solution. Some cloud-services providers, notably Amazon, have a proprietary application program interface as opposed to a standardized interface, meaning you have to customize your data-backup programs for it. That could mean trouble in the future. "Once you have written a bunch of applications to the interface and invested in all the necessary customizations, it will be difficult — and expensive — to switch vendors," says Muscarella.
How secure is the cloud?
Data security and confidentiality have been the two major criticisms of the cloud computing environment. Since cloud computing service providers essentially control and traffic a company’s data, a company usually cast doubts on the protection and privacy of its precious information. Most of the issues can be grouped into data access, data segregation, privacy, accountability, and account control. As we all know, the internet is a dangerous place where viruses, spam, and malicious sites exists. Not to mention the possibility of unscrupulous persons who might sell company information, including its employees information, to others.
IT experts have been arguing on the robustness of the security, accessibility, privacy and control of the cloud services. Others argue that on-premise cloud service is more vulnerable than the on-demand ones. Most of them claim they have built-in controls and has the capability to sustain it amidst the emerging challenges in the computing industry today.
How can we audit the cloud?
As an auditor, I personally experienced some difficulties in looking for procedures to audit the “cloud”. Unlike the typical and traditional ITGC audits, having a cloud service environment poses a disruption of linkage towards auditing the application level automated controls. Even Automated GRC Solutions is futile when it comes to monitoring the cloud as these solutions cannot connect and extract data from the cloud. What we can actually see is the input and output but not on how the processing is being performed. While cloud services argue that they only extract data residing in the ERPs, the auditors find it difficult to validate if the extracted data are really complete, accurate, and secure.
But since cloud computing falls on the category of a service provider, most resort to the procedures on auditing standards related to the audit of Service Organizations. Most providers obtain SAS 70 Type II certification by an independent auditor. But even this has been criticized on the premise of usually non-disclosure of standards used by the auditor and the auditee which may not be the same as the standards being looked upon by the user of the certification.
In summary, after all the arguments we raised, one this is for sure – cloud computing is making a significant change in the business landscape of this century. Companies, executives, stakeholders, auditors, consumers and clients and the general public must be alert on these kinds of development as it will surely affect their day-to-day activities as well as their precious information.
