McKinsey on Protecting Info in the Cloud

The rise of cloud computing is well documented by many sources. Enterprises face both risks and rewards in moving to the cloud. McKinsey recently released a useful report, Protecting information in the cloud, on the topic. They report that the rewards include both decreased IT costs and increased agility. Their research found examples of 60 to 70 percent savings by moving from custom-developed internal applications to SaaS alternatives sourced from the public cloud. They also found that 63% of business leaders felt the cloud makes their organizations more agile and responsive.

To mitigate risk, large organizations are often building and managing private-cloud environments for basic infrastructure services, development platforms, and whole applications. Smaller businesses are generally using public-cloud services such as Amazon, as they lack the scale to implement their own private clouds.

The risks include concerns over the security of sensitive data and exposure to regulatory infractions. Even those who are building private clouds are concerned with putting sensitive data into a single space. However, there is also a risk in not taking advantage of the cloud, as competitors may gain cost and agility advantages. McKinsey writes that avoiding the cloud is not a viable business option in today’s environment.

The cloud is now big business. IDC estimates that spending on third-party-managed and public-cloud environments will grow from $28 billion in 2011 to more than $70 billion in 2015. Total spending is much larger, as these figures do not include spending by large organizations on their private clouds. McKinsey reports that their research indicates that 80% of North American institutions are planning or implementing cloud environments to host critical applications. Most are doing this by building private-cloud environments.

Because of the nature of purchasing cloud services, business units can bypass IT departments and go directly to SaaS vendors. In fact, attempts by IT to block usage may encourage business users to go to less secure options. We have found that attempts to prohibit desired goods and services of all types, including alcohol, have led to bad side effects. Regulation by IT, in this case, is a better answer.

In addition, software developers are using IaaS and PaaS solutions for testing code and sometimes for hosting applications. We have been running a related Wednesday series on the use of git for hosting software in progress. See, for example, CVCS vs DVCS and the Pros and Cons of DVCS git.

So how do you benefit from the cloud and reduce your risks? McKinsey offers several service models. They note that “public cloud” and “private cloud” can be useful simplifications, but there are other models. One option is on-premises managed private-cloud services. Here third-party vendors provide a service that works like an external cloud offering but is located inside the organization’s firewall and dedicated to its use. Another option includes different flavors of private cloud use. A third choice is the use of community clouds that are shared by several organizations.

McKinsey recommends implementing a mixed cloud strategy. For example, a public cloud is useful for developing and testing software, since these efforts often do not involve sensitive data. In contrast, any application content that contains personally identifiable customer information requires careful consideration before it is hosted in a public-cloud environment.

Risk management needs to become more sophisticated and nuanced. There needs to be more analytics and monitoring. Controls can be implemented by the cloud platform itself. For example, sensitive data can be blocked from exposure until regulatory concerns have passed. The cloud will not go away. It is now a matter of getting control over its use and matching an organization’s multiple requirements to its multiple options.


What do you think? Please share...