Assessing Risks in the Cloud

There is no denying that cloud computing is one of the most exciting alternatives to traditional IT functions, as cloud services—from Software-as-a-Service to Platform-as-a-Service—offer improved collaboration, scale, availability, agility and cost reductions. Cloud services can both simplify and accelerate compliance initiatives and offer greater security, but outsourcing traditional business and IT functions to a cloud service provider does not guarantee that any of these benefits will actually be realized.

The risks of outsourcing such services—especially those involving highly regulated information like constituent data—must be actively managed, or an organization may end up increasing its business risk rather than transferring or mitigating it. Outsourcing the processing and storage of constituent information does not make that information inherently more secure, and it raises the question of where the boundaries of a cloud service lie with respect to privacy legislation.

Cloud services, by their nature, lack clear boundaries: data may be stored, processed and replicated across locations and subcontractors you never see, which is exactly what privacy legislation cares about. The obligation to protect your constituent information remains yours regardless of what contractual terms were negotiated with the provider and regardless of where the data is located, the cloud included. Some important questions to ask include: Does your service provider outsource any storage or data-processing functions to third parties? Do those third parties have adequate security programs? Can you verify that your service provider—and its service providers—have adequate security programs, rather than simply taking their word for it?

Independent security assessments, such as those performed as part of a SAS 70 or PCI audit, are point-in-time evaluations. That is better than nothing, but it must be kept in mind: a clean report says something about the provider on the day of the audit, not about its security posture six months later. Another consideration is that the scope of such assessments is often set at the provider's discretion, so a report does not necessarily give accurate insight into the provider's ongoing security activities, or into the parts of its operation that were left out of scope.

All of this means that many questions pertaining to cloud governance and enterprise risk still loom. For example, non-profit organizations considering migrating fundraising activities and solutions to cloud services first need to examine their own practices, needs and restrictions to identify applicable compliance requirements and legal barriers. Because security is a process rather than a product, the technical security of your constituent data is only as strong as your organization's weakest process. The security of the cloud computing environment cannot be separated from your organization's own internal policies, standards, procedures, processes and guidelines.

When making the decision to put sensitive constituent information into the cloud, it is important to conduct comprehensive initial and ongoing due diligence audits of your business practices and your provider’s practices. For answers to your questions on Cloud Security visit
