Unfortunately, this approach brings many new security, performance, and fault tolerance issues. By implementing corporate solutions with no IT involvement, users potentially create conflicts with existing systems, configurations, and applications. Unqualified personnel have little understanding of the regulatory and compliance requirements that they may be defeating.
"While these cloud applications may offer quick resolution to specific feature needs, the risks and vulnerabilities they introduce can lead to significant costs in damages, systems failures, breaches and fines for noncompliance," explains Irvine.
For these very reasons, all cloud adoption needs to be subject to risk assessments, contract review, compliance checks, and internal policy checks.
"Many organizations are finding that they have pockets of cloud services appearing throughout the organization despite not having a corporate policy on the adoption of cloud computing within the enterprise," says Steve Durbin, Global Executive Vice President, Information Security Forum.
When no one from IT, procurement or legal is involved in moving to the cloud, the organization can lose all of its governance of related data, applications, services, and infrastructure, says Talbot-Hubbard.
6. Overestimating cloud security
In the rush to adopt cloud services and realize the potential savings they may give, notes Durbin, companies are concentrating on the functionality of the cloud services and failing to ask questions about the way cloud providers deliver security across their services or how that security can be checked.
This happens when companies assume that because cloud service providers service multiple companies, they have a larger security department and stronger policies, processes, and procedures.
"That is often not the case," says Irvine.
Often cloud service providers will attend to the basic levels of security in-house and depend on automated security applications and platforms to fulfill the bulk of their security practices.
Other cloud providers may outsource higher levels of security that are outside their core expertise to third party providers. But the security services of these third party providers may not be included in the contractual requirements and SLAs that the cloud provider shares with the customer.
"You have to require the service provider to maintain specific security functions, document security tasks, and provide copies of all security policies and practices as well as security reports," says Irvine.
7. Failing to understand the costs
When cloud providers put their wares on display, they often showcase basic offerings for the sake of cost comparisons by potential customers.
"Unfortunately, after engaging a service provider, companies frequently determine that additional services, software licenses and even hardware licenses are required to perform all the IT tasks to which the business has grown accustomed," says Irvine. Security costs and those related to compliance (and, significantly, the documentation of that compliance) can similarly rise.
Companies underestimate cloud costs even further due to an unrealistic expectation as to the number of internal IT resources that they will need after pushing applications to the cloud.
"Depending on the type of cloud service being offered (SaaS, IaaS, PaaS), the number of resources required internally may not change at all. In fact, many of our clients who engage in cloud computing have no decrease in the internal IT department at all," says Irvine.
In any case, the likelihood that a company will outsource 100 percent of its applications and systems into the cloud is minimal. Even businesses that push many of their systems to a cloud solution still have requirements for internal infrastructure and workstation engineers. "As a result, IT department costs are only minimally affected," says Irvine.
Read more about cloud security in CSOonline's Cloud Security section.