Page 136 - Cloud Essentials
CERTIFICATION OBJECTIVE 6.01




Identify Challenges in Integrating Cloud Computing into an Organization's Existing Governance Framework

With or without cloud solutions, organizations must adhere to regulations, data privacy laws, data retention laws, tax laws, and so on. IT services offered by the cloud must fit into these regulatory and legal structures, all while offering business value with acceptable risk.



Risk Management

As mentioned in Chapter 4, there are risks that must be considered when adopting a cloud solution. Risk management can be defined as the proactive identification, analysis, and control of those risks that can threaten the assets or earning capacity of an enterprise.


Compliance

All organizations have to comply with legal rules, such as industry-specific regulations. This is especially true for large, publicly listed companies. For example, the Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard stipulating that companies involved with customer debit and credit card transactions maintain a secure environment. There are a number of requirements that must be met to achieve PCI compliance; for example, merchants storing credit card information must pass a network vulnerability scan using an approved scanner.

Companies wanting to adhere to these strict compliance standards must use independent auditors, usually annually. Cloud computing is likely to complicate these processes because external service providers control, to varying degrees, data storage and identity management. Identity management is used to authorize individuals to certain IT systems; this is of critical importance to PCI DSS. An organization must know who has access to what, it must be able to ensure only authorized persons can access required data, and auditing must be in place to track the use of this data.

Being in control of your assets also implies that the current state of these assets is well known. This translates to having appropriate change management in place, as well as having accurate inventory and audit trails.

Table 6-1 shows cloud computing pros and cons compared to in-house systems management.