SaaS/Cloud Audit Demands Could be Costly

Cloud computing providers require strong audits, according to SC Magazine's Angela Moscaritolo, who focuses on security in the world of SaaS and cloud computing. In reading through this article I kept returning to the fact that the cost of security, together with audits, could make cloud computing, including SaaS, cost prohibitive.

David Linthicum, Contributor

May 14, 2009


"Cloud computing providers require strong audits," according to SC Magazine's Angela Moscaritolo, who focuses on security in the world of SaaS and cloud computing. However, in reading through this article I kept returning to the fact that the cost of security, together with audits, could make cloud computing, including SaaS, cost prohibitive. The value proposition of cloud computing is about saving money, after all.

The recommendations are clear: "With respect to data security, organizations must review the vendor's data protection techniques to ensure appropriate cryptography is used for both data in rest and in motion, and make sure the appropriate documentation is available for auditors. In addition, the provider's access control and authentication procedures should be reviewed, and companies should find out if third parties have access to the information."

And, "Also, to ensure data security, companies should review the service provider's architecture to make sure proper data segregation is available and review their data leak prevention (DLP) deployment to prevent insider attacks, the report recommended."

And, "Before utilizing a cloud computing provider's services, organizations also must conduct a feasibility study that engages legal, risk, and compliance officers to determine if cloud computing is appropriate with respect to laws and regulations the business is subject to. Next, organizations should determine which security, legal, and compliance needs are most important and find a vendor that meets those requirements, the report recommended."

The list goes on.

Auditors, lawyers, security specialists, etc.? The cost of placing some of IT outside of your firewall seems to be getting expensive quickly, not to mention complex.

There are two core drivers here: One is the cost reduction that cloud computing, including SaaS, promises. Two is the fact that cloud computing is now "way cool," and popular, and that's been driving much of the recent push. However, you need to consider both issues together. In other words, how much does it really cost to be cool?

Perhaps applications that require a great deal of security, and thus require many audits and legal protections as described above, don't belong in the clouds in the first place. I suspect the cost of ensuring and maintaining high-end security on the cloud computing platforms will be cost prohibitive, in many instances. Thus, without the cost benefit, cloud computing, including SaaS, loses its luster for business.

Having said that, I'm seeing a lot of enterprises move toward cloud computing anyway. They are thinking they can bring their security requirements along for the ride, attempting to treat cloud computing providers as owned and controlled assets. They are not. Therefore, they will have to introduce the rigor associated with ensuring security, and, thus, they will face the added costs.

It's politically incorrect to push back on cloud computing these days, but even the cloud computing providers will tell you that if you have excessive security requirements, perhaps you're not right for us. The larger corporations will expect cloud computing providers to work like their existing hardware and software vendors, bending over backwards to accommodate special needs. Unfortunately, for now, it does not work like that.


About the Author(s)

David Linthicum

Contributor

David S. Linthicum is senior vice president of Cloud Technology Partners and an expert in complex distributed systems, including cloud computing, data integration, service oriented architecture (SOA), and big data systems. He has written more than 13 books on computing and has more than 3,000 published articles, as well as radio and TV appearances as a computing expert. In addition, David is a frequent keynote presenter at industry conferences, with over 500 presentations given in the last 20 years.
