Having Confidence in

Cloud Computing
Addressing Enterprise Security Concerns
Although there is growing
recognition of cloud com-
puting’s benefits—and an
ever stronger business
case for achieving high
performance by moving
deeper into the cloud—
progress is snagged on
concerns about IT security.
Enterprise IT leaders now
must find the right bal-
ance between the risks
and rewards of computing
in the cloud. They can
benefit by revisiting
well-established IT secu-
rity and enterprise risk
management practices.

3
It is fair to say that cloud computing
has “arrived.” Not long ago, Citigroup
purchased 30,000 seats of Salesforce’s
customer-facing software-as-a-service
(SaaS) applications for its financial
advisors worldwide.1 NASDAQ relies
on Amazon Web Services’ S3 to store
historical data on stocks and funds and
uses a lightweight rich Internet appli-
cation to generate new revenues.2 And
contract manufacturer Flextronics says
it will use human capital management
solutions from SaaS provider Workday
to service its 200,000-plus employees
around the globe.3
These days, IT professionals can very
quickly help their organizations move
toward high performance by using
increasingly available compute cycles
not only to run applications off-premise
but also to test and develop software
applications in the cloud. Today, plat-
form providers such as Force.com and
Amazon Web Services give developers
access to real-time workflow, program-
mable user interfaces, real-time mobile
4
deployment, and real-time analytics
without the capital expenditures
associated with maintaining data
centers to enable these activities.
However, more than a few IT profes-
sionals, alarmed by news stories about
Internet security breaches and facing
a daunting array of complex regulations,
are taking a go-slow approach to cloud
computing. Even if they favor a faster
move into the cloud, they know they
face resistance from business execu-
tives who have legitimate concerns
about how cloud computing could
heighten the risks for the overall
organization.
The trouble is, IT leaders’ caution may
be limiting their organizations’ ability to
significantly reduce IT operating costs.
Of course, prudence is warranted with
any move to relinquish or share control
of key data assets, but fear and mis-
trust are not. Accenture believes it
is incumbent on IT professionals to
help lead the way here. They are best
positioned to present the increasingly
powerful business case for cloud
computing and balance it with a dis-
passionate analysis of the real threats
their organizations may be exposed
to and how these will be mitigated,
managed and measured over time.
In this paper, Accenture suggests ways
in which IT managers, chief operating
officers, chief information security
officers and enterprise risk manage-
ment professionals might plan to
establish the most appropriate balance,
applying a clear, straightforward and
practical approach that is rooted in
longstanding IT security principles.
Facing the key security concerns
Four major security concerns worry
IT leaders. First, they struggle to trust
relatively new and unfamiliar cloud
providers as part of their extended
enterprises. Can they be sure that
these providers will treat their data as
they do? Where exactly is their data
being stored, and how, if it is frag-
mented among many data centers,
is it re-integrated?
Second, IT professionals question
whether cloud providers have the
levels of infrastructure security to
be able to ward off cyber-attacks.
Third, do providers have the mechanisms
in place to be able to manage, measure
and report on industry regulations?
And can they be accountable if they
fail to comply?
The last concern is about availability. IT
managers are right to look for service-
level guarantees. But in the case of
the cloud, response times cannot be
guaranteed since data travels through
the Internet. (This challenge is even
greater for the infrastructure cloud,
since it supports the software code.)
They also need reassurance about
business continuity in the event of a
problem. IT professionals have to be
sure that their third-party providers
have the right recovery strategies in
place.
The fundamental response to these con-
cerns is that good security practices
are good everywhere. If a customer’s
cloud providers follow the same secu-
rity procedures and policies that it does,
adhering to the same regulations and
following the same data privacy laws,
then the customer’s risk posture should
be unchanged. If the providers fall
short of those practices, then the cus-
tomer’s risks will have increased, which
can result in fines or even legal action.
But if—as is increasingly the case—the
providers’ security practices are more
rigorous than the customer’s, then the
customer will not only have cut IT
operating costs, but it will have reduced
its overall IT security risks.
5
Figure 1. Identifying cloud opportunities

Ease of
Implementation
Easy
Business Continuity
(Storage)
• Extensive storage
• Backup and recovery Batch and Data Intensive Applications
• One-off applications that do not rely on real-time response
• Data and high-performance intensive applications (financial risk
Software Development and Testing modeling, simulation, data compression, graphics rendering...)
• Software development and testing environment • New back-office applications
• Performance testing
• Nonproduction projects
• R&D activities
• Reduced time to market

Desktop Productivity Peak Load Demands

• Web 2.0 applications • New business activities
• Workgroup applications • Applications with peak-loads
• Office suites • Seasonal websites
• E-mail and calendaring • Applications with scalability needs

Sensitivity
• Mission critical applications
• Regulation-protected data (HIPAA,

Legacy SOX, PCI...)

• Specific existing infrastructure
• Complex legacy systems

Hard
Value to the Enterprise High Value

Tracking the cloud’s rapid rise
Cloud computing adoption is increasing
as more and more senior managers rec-
ognize its potential for achieving high
performance; 30 percent of IT decision
makers polled in late 2008 by CIO
magazine said they were already using
or implementing the cloud in some form,
and another 17 percent were actively
planning or researching.4 Cloud services
will make up a significant part of the
increase in IT spending growth by
2012, according to research firm IDC.
Interestingly, it is one of the very few
technology sectors where industry
analysts have revised their forecasts
to account for stronger growth than
originally anticipated.
The economics of the cloud are com-
pelling for large enterprises as well as
small- to mid-sized organizations. At
Dell, for instance, the cloud is credited
with providing the computer maker with
a 10 percent lift in sales productivity
and a unified global CRM approach.5
In the case of one large UK-based
insurer, going to the cloud for develop-
ment and implementation of the firm’s
new corporate intranet produced 50
percent savings, reduced operational
costs and deferred capital expenditure.
The intranet initiative came online in
half the time it would have taken for
an on-premise solution.
A key selling point of the cloud is
substantially reduced or no capital
spending for a given application in
favor of flexible on-demand computing
that is accounted for as operating
expenses. In one project under devel-
opment, a US government agency was
looking at how to manage predictable
peak load demand for a nonsensitive
application. The on-premise solution
would have cost about $4 million for
equipment, $1 million for the software
licenses and $70,000 per year in
energy costs. A comparable cloud
solution cost $131,000 a year for
round-the-clock service, with no
additional power costs.
IT leaders are becoming familiar with
different opportunities to use cloud
computing, extending their horizon
beyond the concepts of running or
storing applications off-premise.
(See Figure 1.) More and more com-
panies are actively exploring cloud
services as potential software test
beds; some are looking to the cloud
to help resolve peak-load challenges
or to help support IT infrastructure
needs. Accenture believes that it is
unrealistic to expect that the cloud will
become a proxy for enterprise IT oper-
ations in the foreseeable future, given
the dependence of the typical large
enterprise on quirky legacy systems. It
will, though, become a permanent and
increasingly important aspect of any
CIO’s IT landscape and toolkit.

6
The drivers of the cloud’s uptake are
plain to see. Consumption-based “on
demand” compute cycles are inherently
low-cost. Capital expenditure is hardly
an issue since cloud computing is, de
facto, an exercise in outsourcing. On
top of that, the cloud offers agility—
achieving value more quickly—as well
as unprecedented scalability. Each is
a sweet spot for companies that prize
rapid business change and speedy
introductions of products and services.
In fact, scalability on demand and
flexibility for the business were the
primary rationales for going to the
cloud among the IT managers surveyed
by CIO.6
Over the last decade, the core technolo-
gies have converged to make the cloud
a reality: virtualization, grid computing,
Web services, and massively parallel
computation frameworks are maturing
rapidly. In tandem, a cadre of capable,
credible vendors has emerged—names
such as Salesforce.com, Workday, Ama-
zon Web Services, Google, ServerVault,
Microsoft BPOS, Microsoft Azure, and
AppNexus among them. In their wake
has come a growing roster of cloud
success stories. We see the layers of
the cloud along the following lines.
7
IT leaders need to develop and practice
the means to understand the threats
and levels of assurance that affect a
given application or capability so they
can establish a ”risk baseline“ for their
adoption of cloud computing.
Letting down their guard
Accenture has observed that for some
companies, the allure of cloud comput-
ing has proved so compelling that they
have not applied the same risk manage-
ment disciplines to their on-demand
initiatives as they have with other IT
programs.
A case in point: One large industrial
company decided to outsource the
hosting and development of its busi-
ness-to-business e-commerce sites.
The company had launched and was
using the sites before several of its
managers realized that with two-thirds
of the organization’s revenue coming
through these channels, the sites had
suddenly introduced unusual levels of
vulnerability. With other IT implemen-
tations and programs, the company
would typically apply “five nines” lev-
els of service requirements—that is,
99.999 percent availability—but in this
8
case, the benefits of off-premises solu-
tions had been appealing enough, and
the development teams inexperienced
enough in quality control protocols,
that the usual standards were not
enforced.
Part of the challenge in such cases is
that cloud computing is so new that
it is not widely understood. Certainly,
procurement teams have not become
familiar with it from a sourcing stand-
point; few corporate processes are set up
to support pay-as-you-go computing.
Nor can IT leaders lean on their tradi-
tional enterprise IT risk-management
professionals and auditors to help
ensure good data security in the cloud.
The auditors are new to the cloud too;
for the most part, they have yet to
think through how compliance regula-
tions apply to data that is managed
virtually.
Putting security concerns in
perspective
As a rule, though, IT professionals
are still erring on the side of caution.
Nearly 60 percent of CIO magazine
survey respondents said vendors have
not adequately addressed IT security
concerns related to on-demand offer-
ings.7 Speaking after the recent RSA
2009 Security Conference, an executive
from Microsoft’s Trustworthy Comput-
ing group conceded that there is still
a sense that the Internet is not secure
enough.8
IT leaders’ concerns are easy to
understand. The threats include the
very real dangers of data theft and
compromise, loss of service, phishing
incursions. Recently, at the Black Hat
USA security conference in Las Vegas,
a presenter showed how users of a
well-known cloud service were fooled
into using virtual machines that could
have included ”back doors“ that could
have been used for snooping.9 And
there have been many alarming reports
of Internet security breaches—such as
the theft of Twitter corporate docu-
ments from Google’s cloud—and alleged
uses of malware by foreign governments.
Accenture argues that what is needed
is a rebuilding of trust as well as a
renewed sense of perspective—a
realization that as with any other
technology development, cloud com-
puting initiatives come with their own
unique sets of risks and rewards, cou-
pled with an understanding that the
core risk-management challenges
have been addressed.
As they have done in previous situa-
tions, IT leaders need to develop and
practice the means to understand the
threats and levels of assurance that
affect a given application or capability
so they can establish a ”risk baseline“
for their adoption of cloud computing.
Not only do they have to revisit their
processes for tracking employees’
handling of data, but they must learn
which cloud services providers they
can trust most—for example, which
ones go through frequent and detailed
customer security audits in accord
with standards such as ISO 27001 and
27002, SAS 70 Type II, etc. At a mini-
mum, it is necessary to know what
and how sensitive the data in ques-
tion is, how it should be moved and
stored, and what specific assurances
the cloud computing provider makes
in the service level agreement.
9
Taking action tomorrow
So what actions make sense for IT
leaders right now? Accenture’s empir-
ical IT security work over many years
with a wide range of organizations
shows that the following fundamentals
apply to cloud computing initiatives:
Carry out a detailed cloud risk
assessment
With the collaboration of the relevant
business colleagues, IT leaders must
weigh the criticality of applications and
data and decide what is “cloud appro-
priate.” They must gauge what risks
they are willing to take—for example,
whether to move new product data or
customer data to the cloud—in context
of the benefits of doing so and the
regulations that apply to where the
data must reside.
Get to know key cloud
providers
As with any outsourcing arrangement,
it is essential to carry out detailed due
diligence on providers’ performance—
including their financial performance.
Cloud computing providers vary in
market position and approach; differ-
ent vendors have different levels of IT
security and data management. It is
also necessary to help confirm that
they meet key standards—for example,
regulations, standards, guidelines and
codes of practice such as ISO 27001.
Also important: reviews of a provider’s
previous audits and compliance reports,
looking for gaps in service compared
to your on-premise solution.
Contracts should be clear
It is vital to put in writing the standards
to which you require adherence.
10
Analyze the data flow
This calls for charting the lifecycle of
the relevant data assets, from develop-
ment to their destruction. IT managers
must know where data is at all times
so they can help confirm that it is being
stored and shared in compliance with
local laws and industry regulations at
appropriate levels of IT security.
Build a cloud security strategy
Leveraging well-proven IT security
principles, IT leaders must define the
key security elements, knowing where
encryption is needed, for example, and
understanding which transport layers
are important. Accenture’s High Per-
formance Business research initiative
also underscores the need to under-
stand how such a strategy relates to
implementation of the technology as
well as to its ongoing effectiveness.
Manage compliance
The regulatory complexities are enor-
mous when doing business in multiple
nations: some governments regulate the
physical locations of the servers where
organizations keep their data. Well-
known mandates include the European
Union’s Data Privacy Directive, the
U.S. Health Insurance Portability and
Accountability Act (HIPAA) and the
U.S. Sarbanes-Oxley Act. The financial
services sector is the target of a host
of emerging regulations, and many
new rules are in development that will
affect critical infrastructure. IT leaders
cannot expect their cloud providers
to “be compliant” for them. But they
must expect them to provide what is
needed to help achieve compliance.
Help strengthen continuity
What happens if something ”breaks“
while in the cloud? How is the data
owner notified, and how quickly? How
is the data recovered? These are the
basics of best practices in business
continuity, and they apply just as much
to cloud computing as to any IT out-
sourcing arrangement. They must,
of course, align with regulatory man-
dates—particularly in tightly regulated
industries such as financial services.
Educate, communicate
It is the IT leader’s responsibility
to educate employees on IT security
policies and procedures and to be
very clear about how those policies
and procedures relate to the cloud.
For example, employees must adhere
to corporate IT security policies when
exploring cloud services for any work-
related activities, such as testing a new
IT service or storing data on the cloud.
Top questions to ask about cloud security
The conversation about cloud
security and the associated
policies are matters for discus-
sion at the highest levels of the
organization. There must be
particular emphasis on the
questions of data privacy and
governance, on service-level
agreements and on the ins and
outs of contracting with cloud
providers. Here is a sampling
of the kinds of questions that
should be on the table:
• Who is accountable for the
security of our data and to
whom do they report? Who
are the stewards of our data
and how do they ensure that
the data is tracked and secured
appropriately?
• Do we have a defined and
explicit stance on the risks and
rewards of cloud computing—
one that has been or is being
shared with all relevant IT staff
and business users?
• Might the provider lose our
data—through misuse, or theft
or fraud, for example? If so,
what recovery plans do we
have? And how are we
protected contractually?
• What are our obligations
regarding data protection
versus those of a cloud
services provider?
• Do we know how some of
our intellectual property might
become visible when reassem-
bled in collaboration clouds?
• What is our policy for which
staff are authorized to deposit
and store data with a cloud
provider?
• What do our e-discovery
policies and processes look
like and how do they compare
to those of a cloud provider?
• Do we know how a cloud
service provider might change
its terms of service?
• What formal standards—
international or regional or
industry-based—are used in
the development and operation
of the cloud service?
• What are we obligated to
disclose to our customers
regarding where and how
their data is being stored?
• How do we stay up-to-date
with where our cloud providers’
data centers are located—and
with what local laws govern
their activities and security
protocols?
• How do cloud providers assist
customers with their compliance
requirements?
• What round-the-clock incident
response can cloud providers
offer? What about intrusion
protection? What about sepa-
rating noise from relevant
data?
• What kinds of physical segre-
gation of virtual machines are
available for customers?
11
A community of support on
cloud security
IT leaders are not alone when it
comes to determining the appropriate
approach to secure cloud computing.
Accenture has deep experience and
combined decades of specialization in
addressing the complex challenges of
IT security and enterprise risk man-
agement. And cross-industry groups
are actively working to identify and
promote best practices.
In May 2009, two of the leading
cross-industry groups joined forces
to promote industry-leading practices
for secure collaboration in the cloud.
The Jericho Forum, an independent IT
security expert group, and the Cloud
Security Alliance (CSA), a not-for-
profit group of information security
and cloud computing security leaders,
share the goals of encouraging common
and secure cloud practices and helping
businesses understand the opportunity
posed by cloud computing.
12
Jericho Forum is an international IT
security thought-leadership associa-
tion dedicated to advancing secure
business in a global open-network
environment. Members include IT
security officers from Fortune 500
multinationals as well as from entre-
preneurial companies, major security
vendors, government and academia. The
Forum has been working to develop
and demonstrate secure collaborative
architectures. Last year it published a
Collaboration Oriented Architectures
framework presenting a set of design
principles that will allow businesses to
protect themselves against “the secu-
rity challenges posed by increased
collaboration and the business poten-
tial offered by Web 2.0.” Its most
recent position paper describes a
”cloud cube model“ in some detail.10
The mission of the CSA is not dissimilar:
It is to promote the use of best prac-
tices for providing security assurance
within cloud computing, and to pro-
vide education on the uses of cloud
computing to help secure all other
forms of computing.11 The CSA has
engaged specialists in crucial areas
such as governance, law, network
security, audit, application security,
storage, cryptography, virtualization
and risk management to provide author-
itative guidance on how to adopt cloud
computing solutions securely.
The CSA has recently published a
useful set of guidelines for business
and IT leaders.12 The guidelines empha-
size the fundamentals of IT security:
“While we do see cloud computing as
being a major change coming to every
business, as information security prac-
titioners, we recognize that there are
verities which must not change: good
governance, managing risks and com-
mon sense,” says Dave Cullinane, chief
information security officer and vice
president at eBay, in the report’s
foreword.
At the same time, leading vendors
are going to some lengths to persuade
the IT community and business users
that they are not wide open to attack.
The majors—Amazon Web Services,
Microsoft, IBM, Salesforce.com and
Google—point out that they apply at
least the same level of rigor to defend-
ing their cloud offerings as they do
their own computing environments.
Indeed, some say that their IT security
execution levels are far higher than
those found at many of the companies
that are questioning their security.
Arguably, the big cloud providers are
now setting the standards for IT security.
The Amazons and Googles have the
scale and the resources to be able
to invest in the most sophisticated
monitoring and data security tools
and processes—and to hire and train
top IT security talent. Observers agree
that Microsoft is one of the most
attacked organizations, but that its
high levels of redundancy ensure robust
protection. Vendors also point out that Further, there are growing bodies of
they adhere to well-known guidelines knowledge about enterprise security
at the data center level—guidelines that risk that map to COBIT guidelines; others
look at logical and physical security align with the draft risk-management
along with the processes and overall guidelines outlined in the ISO 31100
organization and which conform to standards. A growing number of
standards such as AICPA SAS 70 industry-specific regulations—HIPAA
Type II and ISO 27001 and 27002. and Payment Card Industry mandates
among them—are also coming to the
The CEO of one prominent cloud attention of CIOs and senior informa-
services provider noted that while tion security managers.
most companies undergo quarterly
or biannual security audits by a few
auditing firms, his organization goes
through such scrutiny at least weekly
as current and potential customers
examine the company’s IT security
systems. “What we’ve learned is that
there is no finish line when it comes
to security, and things are getting
more intense than ever before,” he
said. Providers like this also have well-
honed systems for reporting on their
security status.
13
For IT leaders everywhere, it is not a
matter of whether cloud resources
will be used, but how and when. As
more and more senior executives
understand what it takes to become
a high-performance business, cloud
computing becomes one more tool
they can use. But the cloud must not
be treated as an unknown to be wary
of. Implemented and managed prop-
erly, it should not add risk; ideally, it
should reduce data security risks.
14
The fundamental question is one of
balance—weighing, as accurately and
in as much detail as possible, the risks
of a data security breach against the
power of the cloud to directly address
many of today’s most pressing busi-
ness issues—and to help achieve high
performance.
Accenture contends that it is vital to
have dispassionate discussions with
cloud providers about the four key IT
security concerns. The sooner those
security questions are tackled, the
sooner the IT group can add signifi-
cantly more value for the business as
a whole.
Sources
1 “Citigroup signs 30,000 seat deal
with Salesforce.com,” Computer-
worldUK, November 16, 2007.
2 “Early experiments in cloud com-
puting,” InfoWorld, April 7, 2008.
3 “Workday: The Next Software Power?”
BusinessWeek, August 19, 2008.
4 “Cloud Computing Survey: IT Leaders
See Big Promise, Have Big Security
Questions,” CIO, October 21, 2008,
www.cio.com/article/455832/Cloud_
Computing_Survey_IT_Leaders_See_
Big_Promise_Have_Big_Security_
Questions.
5 “Welcome to the Real-time Cloud,”
presentation by Marc Benioff, chair-
man and CEO of Salesforce.com.
6 “Cloud Computing Survey: IT Leaders
See Big Promise, Have Big Security
Questions,” CIO, October 21, 2008,
www.cio.com/article/455832/Cloud_
Computing_Survey_IT_Leaders_See_
Big_Promise_Have_Big_Security_
Questions.
7 Ibid.
8 “Microsoft exec: Internet still not
safe enough,” CNET News, April 21,
2009, http://news.cnet.com/8301-
13860_3-10224542-56.html?tag=
mncol;txt.
9 “Data security services under a
cloud,” Financial Times, August 3,
2009.
10 ”Cloud Cube Model: Selecting Cloud
Formations for Secure Collaboration,“
Jericho Forum, April 2009, www.
opengroup.org/jericho/cloud_cube_
model_v1.0.pdf.
11 “Industry Leaders Form Cloud Secu-
rity Alliance; Will Unveil Inaugural
Findings at RSA Conference 2009,”
Cloud Security Alliance press release,
www.cloudsecurityalliance.org/
pr20090331.html.
12 ”Security Guidance for Critical Areas
of Focus in Cloud Computing,“ Cloud
Security Alliance, April 2009,
www.cloudsecurityalliance.org/
guidance/csaguide.pdf.
15
About Accenture
Technology Labs
Accenture Technology Labs, the
dedicated technology research and
development (R&D) organization within
Accenture, has been turning technology
innovation into business results for more
than 20 years. The Labs create the
Accenture Technology Vision, a view of
how technology will shape the future
and invent the next wave of cutting-
edge business solutions. Working closely
with Accenture’s global network of
specialists, Accenture Technology Labs
helps clients innovate to achieve high
performance. The Labs are located in
Chicago, Illinois; San Jose, California;
Sophia Antipolis, France; and Bangalore,
India. For more information, please visit
our website at www.accenture.com/
Global/Services/Accenture_Technology_
Labs.
Copyright © 2009 Accenture
All rights reserved.
Accenture, its logo, and
High Performance Delivered
are trademarks of Accenture.
Barcode Placement
About Accenture For more information, please contact:
Accenture is a global management
consulting, technology services and Alastair MacWillson
outsourcing company. Combining alastair.macwillson@accenture.com
unparalleled experience, comprehensive +44 20 7844 6131
capabilities across all industries and busi-
ness functions, and extensive research Joe Tobolski
on the world's most successful compa- joseph.f.tobolski@accenture.com
nies, Accenture collaborates with clients +1 312 693 6481
to help them become high-performance
businesses and governments. With Walid Negm
approximately 177,000 people serving walid.negm@accenture.com
clients in more than 120 countries, the +1 408 817 2778
company generated net revenues of
US $21.58 billion for the fiscal year
ended August 31, 2009. Its home page
is www.accenture.com.