Meet your evolving needs with three integrated business lines in one professional services firm.

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.

Businessman On Computer Outside

Many cloud provider options are available to you, each with unique risks.


The Benefits and Risks of Cloud Computing

  • 5/8/2013

Cloud computing is here and virtually every organization is using it in some way, shape, or form. Educating yourself and your people on the opportunities and risks associated with this technology is of the utmost importance. Let's look at the opportunities presented by cloud computing, managing the risks associated with housing your sensitive data offsite, using virtual computing environments, and vendor management considerations as you explore your cloud options.

What is "The Cloud?"

“The Cloud” is an all-encompassing term for a virtualized information technology (IT) computing environment in which individuals and businesses work with applications and data stored and maintained on shared machines in a web-based environment, rather than physically located in a user’s location. Google's popular email system, Gmail, is an example of the cloud, but this is just one model. There are actually three cloud service models — infrastructure as a service, platform as a service, and software as a service — deployed in four types of settings — private, community, public, and hybrid clouds.

Service models

  • Infrastructure as a service (IaaS) provides access to server hardware, storage, network capacity, and other fundamental computing resources.
  • Platform as a service (PaaS) provides access to basic operating software and services to develop and use customer-created software applications.
  • Software as a service (SaaS) provides integrated access to a provider’s software applications.

Deployment models

  • Private cloud is accessible from an intranet, internally hosted, and used by a single organization.
  • Community cloud has infrastructure accessible to a specific community.
  • Public cloud is accessible from the internet, externally hosted, and used by the general public.
  • Hybrid cloud is a combination of two or more clouds.

Cloud benefits

Cloud computing provides a scalable online environment that makes it possible to handle an increased volume of work without impacting system performance. Cloud computing also offers significant computing capability and economy of scale that might not otherwise be affordable, particularly for small and medium-sized organizations, without the IT infrastructure investment. Cloud computing advantages include:

  • Lower capital costs — Organizations can provide unique services using large-scale computing resources from cloud service providers, and then nimbly add or remove IT capacity to meet peak and fluctuating service demands while only paying for actual capacity used.
  • Lower IT operating costs — Organizations can rent added server space for a few hours at a time rather than maintain proprietary servers without worrying about upgrading their resources whenever a new application version is available. They also have the flexibility to host their virtual IT infrastructure in locations offering the lowest cost.
  • No hardware or software installation or maintenance
  • Optimized IT infrastructure provides quick access to needed computing services

The risks

  • Environmental security — The concentration of computing resources and users in a cloud computing environment also represents a concentration of security threats. Because of their size and significance, cloud environments are often targeted by virtual machines and bot malware, brute force attacks, and other attacks. Ask your cloud provider about access controls, vulnerability assessment practices, and patch and configuration management controls to see that they are adequately protecting your data.
  • Data privacy and security — Hosting confidential data with cloud service providers involves the transfer of a considerable amount of an organization's control over data security to the provider. Make sure your vendor understands your organization’s data privacy and security needs. Also, make sure your cloud provider is aware of particular data security and privacy rules and regulations that apply to your entity, such as HIPAA, the Payment Card Industry Data Security Standard (DCI DSS), the Federal Information Security Management Act of 2002 (FISMA), or the privacy considerations of Gramm-Leach-Bliley Act.
  • Data availability and business continuity — A major risk to business continuity in the cloud computing environment is loss of internet connectivity. Ask your cloud provider what controls are in place to ensure internet connectivity. If a vulnerability is identified, you may have to terminate all access to the cloud provider until the vulnerability is rectified. Finally, the seizure of a data-hosting server by law enforcement agencies may result in the interruption of unrelated services stored on the same machine.
  • Record retention requirements — If your business is subject to record retention requirements, make sure your cloud provider understands what they are and so they can meet them.
  • Disaster recovery — Hosting your computing resources and data at a cloud provider makes the cloud provider’s disaster recovery capabilities vitally important to your company’s disaster recovery plans. Know your cloud provider’s disaster recovery capabilities and ask your provider if they been tested.

Evaluating your options

Many cloud provider options are available, each with unique benefits and risks. As you evaluate your choices and the associated risks, consider the following

  • Cloud providers are sometimes reluctant to produce third-party audit reports unless an audit clause is included in the contract. Some hosts require clients to pay for reports
  • Some internal audit departments are performing control reviews of cloud providers, in addition to receiving and analyzing third party audit reports. This is driven by certain controls not being tested, exclusion of pertinent systems, or other factor that require on-site testing.
  • Standard cloud provider audit reports typically do not include vulnerability/penetration testing results. Providers are hesitant to allow scanning, as they believe this may compromise their infrastructure.

Cloud computing is a widely used format and we don't see this changing anytime soon. Knowing that you are managing the risks associated with housing your sensitive data offsite will give you confidence with the platform, so you can take advantage of the opportunities presented by the cloud.