According to a recent McKinsey article authored by James Kaplan, Chris Rezek, and Kara Sprague, for effective management of Cloud resources, IT and business executives need to apply a risk-management approach that balances economic value against risks.
The use of highly scaled, shared, and automated IT platforms—known as cloud computing—is growing rapidly. Adopters are driven by the prospects of increasing agility and gaining access to more computing resources for less money. Large institutions are building and managing private-cloud environments internally (and, in some cases, procuring access to external public clouds) for basic infrastructure services, development platforms, and whole applications. Smaller businesses are primarily buying public-cloud offerings, as they generally lack the scale to set up their own clouds.
As attractive as cloud environments can be, they also come with new types of risks. Executives are asking whether external providers can protect sensitive data and also ensure compliance with regulations about where certain data can be stored and who can access the data. CIOs and CROs are also asking whether building private clouds creates a single point of vulnerability by aggregating many different types of sensitive data onto a single platform.
Blanket refusals to make use of private- or public-cloud capabilities leave too much value on the table from savings and improved flexibility. Large institutions, which have many types of sensitive information to protect and many cloud solutions to choose from, must balance potential benefits against, for instance, risks of breaches of data confidentiality, identity and access integrity, and system availability.
The cloud is here to stay
Refusing to use cloud capabilities is not a viable option for most institutions. The combination of improved agility and a lower IT cost base is spurring large enterprises to launch concerted programs to use cloud environments. At the same time, departments, work groups, and individuals often take advantage of low-cost, easy-to-buy public-cloud services—even when corporate policies say they should not.
High growth and value expectations
Corporate spending on third-party-managed and public-cloud environments will grow from $28 billion in 2011 to more than $70 billion in 2015, according to IDC. However, total spending on the cloud is much larger than these estimates indicate because the figures do not reflect what enterprises spend on their private-cloud environments. Eighty percent of large North American institutions surveyed by McKinsey are planning or executing programs to make use of cloud environments to host critical applications—mostly by building private-cloud environments. At several of these institutions, executives predict that 70 to 75 percent of their applications will be hosted in cloud environments that will enable savings of 30 to 40 percent compared with current platforms.
Using external cloud offerings can yield even more pronounced savings. Some executives cite examples of 60 to 70 percent savings by replacing custom-developed internal applications with software-as-a-service alternatives sourced from the public cloud. In addition, according to recent McKinsey research, 63 percent of business leaders who responded agreed that the cloud can make their entire organization more business agile and responsive.
Risks and opportunities
Using the cloud creates data-protection challenges in public-cloud services as well as private-cloud environments. However, traditional platforms at most organizations have significant information risks that actually can be mitigated by moving to a more highly scaled and automated environment.
Risk of contracting for public cloud
Decades of experience matured the practice of writing contracts for telecommunications network services and traditional outsourcing arrangements. Terms and conditions exist for allocating liability for security breaches, downtime, and noncompliance events between providers and enterprises. They may be unwieldy, but they are well understood by providers, law firms, and—in many cases—CIOs and CROs.
Contracting for the cloud is different in many ways. Highly scaled, shared, and automated IT platforms, for example, can obscure the geographic location of data from both the provider and customer. This is a problem for institutions dealing in personally identifiable information because often they must keep some customer data in certain jurisdictions and face regulatory action if they do not. At this point, banking CIOs and CROs that we have interviewed largely do not believe that most public-cloud providers can give them the guarantees they require to protect their institutions from this type of regulatory action. Another novel challenge presented by the cloud is how to conform to regulatory and industry standards that have not yet been updated to reflect cloud architectures.
At some level, for the cloud, we are simply in the early days of contracting for enterprise-class services. How to draft the required terms and conditions will remain an open question until litigation has identified the critical issues and legal precedent has been established for resolving those issues.
Risk-management advantages of the public and private cloud
Both public- and private-cloud solutions can provide data-protection advantages compared with traditional, subscale technology environments. Cloud solutions improve transparency—for example, the centralized and virtualized nature of the cloud can simplify log and event management, allowing IT managers to see emerging security or resiliency problems earlier than might otherwise be possible. Likewise, in cloud environments, operators can solve problems once and apply the solutions universally by using robust automation tools.
Perhaps more important, technology organizations can focus investments in security capabilities on a small number of highly scaled environments.
A risk-management approach to exploiting the cloud
In many large institutions, information security traditionally has been a control function that used policies limiting what IT managers and end users could do in order to reduce the likelihood of data loss, privacy breaches, or noncompliance with regulations. We believe that IT organizations must now adopt a business-focused risk-management approach that engages business leaders in making trade-offs between the economic gains that cloud solutions promise and the risks they entail. It is still the early days of cloud computing, and risk-management decisions are highly dependent on the specifics of the situation, so there are no hard-and-fast rules. However, some rough principles for managing cloud-information risk are emerging.
Consider the full range of cloud contracting models
“Public cloud” and “private cloud” are useful simplifications, but there are other models that may provide attractive combinations of control and opportunities to tap vendor capabilities:
One option is on-premises managed private-cloud services, in which third-party vendors provide a service that operates like an external cloud offering but is located in an enterprise’s own facility and is dedicated to the organization.
Some flavors of virtual private clouds can be used; these are similar to public clouds in that the solution is externally managed, but like private clouds, they offer dedicated capacity, such as resource pools, that are reserved for each client.
Community clouds feature infrastructure that is shared by several organizations and meets the needs of a specific community of users. Community clouds may, for example, provide industry-specific solutions that ensure compliance with relevant regulations.
To complicate things further, the maturity of technological and organizational solutions varies by deployment type and by application, vendor, and specific configuration.
1. Pursue a mixed-cloud strategy
Different workloads and data sets have vastly different stakes when it comes to data protection, depending on the nature of the application and which phase of the software life cycle it supports—for instance, development and test versus live production. The public cloud can be a good option for developing and testing software, since this usually does not involve sensitive data. Any workload that includes personally identifiable customer information will require careful consideration before it could be hosted in a public-cloud environment. Control of data access is also important in order to protect confidential business information and intellectual property. Essentially, any data that has business value or is covered by regulation needs appropriate management and protection (for more on the types of information to manage, see Exhibit 2 in the PDF of this article).
In addition, benefits from cloud migration can vary widely by workload. For example, consumer-commerce sites, where capacity demand spikes during major promotions or at certain times of the year, will benefit from taking advantage of the variable pricing available through highly scalable public clouds.
Sophisticated IT shops are developing tools to map workloads to cloud-based hosting options using criteria like mission criticality, sensitivity of data, migration complexity, and peak processing requirements. This will make it possible for IT staff to pursue a mixed-cloud strategy and drive workloads to the hosting options that best balance risk and economic value
2. Implement a business-focused approach
Organizations that have mature risk-management functions—for example, large companies in heavily regulated industries such as banking—should establish a comprehensive risk-management approach for cloud computing that extends beyond technology solutions and the IT department. Design and implementation should cover the policies, skills, capabilities, and mind-sets required of the IT and risk-management organizations, as well as the operating units. The risk-management methodology should address several elements, including transparency, risk appetite and strategy, risk-enabled business processes and decisions, risk organization and governance, and risk culture.
For the full report please visit McKinsey