Having said that, API keys -- which developers use to access the API services -- have been compared to passwords. Know what happens if you lose your passwords? CISOs using cloud service APIs need a solid security plan for protecting API keys.
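Treating an API key like a password means, in practice, never committing it to source, loading it from the environment or a secret store at start-up, and never writing the raw value to logs. The following Python is an added illustration of those three habits, not code from the article or from any cloud provider; the regex, the environment variable name `CLOUD_API_KEY` and the sample source text are all constructed for this example.

```python
import os
import re
import hashlib

# Matches assignments such as api_key = "..." or token: '...' in source or config
# text. Constructed for this example; tune it to the key formats your providers use.
HARDCODED_KEY_RE = re.compile(
    r'(?i)\b(api[_-]?key|secret|token)\b\s*[=:]\s*["\']([A-Za-z0-9_\-]{16,})["\']'
)


def find_hardcoded_keys(text):
    """Return (line_number, variable_name) for each literal that looks like a key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HARDCODED_KEY_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def load_api_key(env_var="CLOUD_API_KEY", environ=None):
    """Read the key from the environment (or a secret store) instead of source code."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var)
    if not key:
        # Failing closed is better than silently running with an empty credential.
        raise RuntimeError(f"{env_var} is not set; refusing to start without a key")
    return key


def key_fingerprint(key):
    """Short SHA-256 prefix: safe to log for rotation and audit, unlike the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def redact(key, text):
    """Strip the raw key from any message before it reaches a log line."""
    return text.replace(key, "[REDACTED]")


# Constructed sample source file containing one hard-coded key.
SAMPLE_SOURCE = '''\
import requests
API_KEY = "AKconstructedExampleKey0123456789"
headers = {"Authorization": "Bearer " + API_KEY}
timeout = "30"
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded {name}")
    key = load_api_key(environ={"CLOUD_API_KEY": "constructed-key-value-0000"})
    print("using key", key_fingerprint(key))
    print(redact(key, f"request failed with key {key}"))
```

Run `find_hardcoded_keys` over a repository as a pre-commit or CI check; the fingerprint lets you tell which key a service is using (and confirm a rotation took effect) without ever echoing the secret.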
3. Not keeping sufficient independence from cloud providers
As cloud services evolve and new vendors and approaches pop up, the cloud's old guard such as Amazon and Facebook are turning best practices into standards and products available on a smaller scale, according to Thielens.
"This is revolutionizing approaches to the cloud all the way to on-premise infrastructure," says Thielens.
With everything still changing and evolving, the best cloud approach today may not be the best choice down the road. "Applications can even reach the point where it is economically more sound to move them back out of the cloud and into the enterprise again," says Thielens. New standards efforts such as TOSCA and CAMP (both from OASIS, the Organization for the Advancement of Structured Information Standards) are offering tools so that companies can move to cloud-like architectures without inescapably locking themselves in with a given cloud provider.
Companies should use these tools to maintain their independence just enough so they can switch to new cloud approaches as these become better suited to the organization's needs. On the operational risk management front, business resiliency is also better if you have flexibility to move quickly to another vendor (see next point).
4. Thinking you are outsourcing risk and accountability
The company can outsource some of its infrastructure to the cloud, but it cannot completely outsource its risk, accountability and compliance obligations. Enterprises require a certain amount of transparency into the cloud provider so they can own the risk models and their mitigation strategies.
These needs help determine which cloud provider is suitable for the company, since some providers are more accessible for assessing and managing risk. "You don't want to sign off on the cloud provider taking on all of the risk," says Thielens. The cloud provider certainly cannot own or care about your risks like you can.
In an example from last spring, those who had all their services in the cloud in a single Amazon EC2 Availability Zone had severe downtime issues. Those who shouldered some of the risk by proactively splitting their data across multiple availability zones were able to recover more quickly.
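A simple way to own that part of the risk is to check your own inventory for services that live entirely in one zone before an outage finds them for you. The Python below is an added example, not part of the article; the inventory is constructed, and in practice you would build it from your provider's instance listing rather than a hard-coded list.

```python
from collections import Counter, defaultdict

# Constructed inventory of (service, instance_id, availability_zone). In practice
# build this from your provider's instance listing (e.g. describe-instances output).
INVENTORY = [
    ("web",   "i-0001", "us-east-1a"),
    ("web",   "i-0002", "us-east-1b"),
    ("web",   "i-0003", "us-east-1a"),
    ("db",    "i-0101", "us-east-1a"),
    ("db",    "i-0102", "us-east-1a"),
    ("cache", "i-0201", "us-east-1c"),
]


def az_distribution(inventory):
    """Map service -> Counter of instances per availability zone."""
    dist = defaultdict(Counter)
    for service, _instance_id, az in inventory:
        dist[service][az] += 1
    return dist


def single_az_services(inventory):
    """Services whose every instance sits in one zone: a zone outage takes them fully down."""
    return sorted(s for s, zones in az_distribution(inventory).items() if len(zones) == 1)


def worst_case_capacity_loss(inventory):
    """Per service, the fraction of instances lost if its most-populated zone fails."""
    result = {}
    for service, zones in az_distribution(inventory).items():
        total = sum(zones.values())
        result[service] = max(zones.values()) / total
    return result


def assess(inventory, min_zones=2):
    """Return human-readable findings; an empty list means every service meets min_zones."""
    findings = []
    for service, zones in sorted(az_distribution(inventory).items()):
        if len(zones) < min_zones:
            zone_list = ", ".join(sorted(zones))
            findings.append(f"{service}: only {len(zones)} zone(s) ({zone_list})")
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY):
        print("FINDING:", finding)
    for service, loss in sorted(worst_case_capacity_loss(INVENTORY).items()):
        print(f"{service}: loses {loss:.0%} of capacity if its busiest zone fails")
```

The capacity-loss figure is the more useful number: a service spread across two zones but with most of its instances in one of them is only nominally redundant, and this check makes that visible.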
5. Signing up cloud solutions without IT and security involvement
It is easy to sign up and get into the cloud with various providers and applications large and small without any technical knowledge. Dropbox, SharePoint, a little extra computing oomph from Amazon -- your organization may already be using cloud-based services without IT's knowledge or involvement. It is as easy as entering a credit card number!
"The thinking is that they can bypass the long queue of IT projects and requirements and become productive," says Jerry Irvine, Chief Information Officer, Prescient Solutions and member of the National Cyber Security Task Force.