In the spotlight: new business models

Cloud computing: harnessing the opportunities and managing the risks

Cloud computing is an essential part of the ‘digital revolution’ driving sweeping changes through society and the way enterprises operate, and a huge opportunity for organisations of all sizes. To some the risks may appear daunting, but there’s plenty of good guidance available to successfully negotiate the path to the cloud.

Jan Schreuder

Jan Schreuder

Partner, Cybersecurity and Technology Risk

Cloud computing can seem very complex, so let’s first define what we mean. There are three main broad categories of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).

IaaS: When you use infrastructure as a service you dispense with your own IT infrastructure. Instead it’s made available on demand by a global or local provider. Essentially you’re renting rather than owning your own virtual infrastructure ‘in the cloud’ that you can use for anything you would have on your own servers. There’s no capital expenditure involved.

PaaS: Platform as a service involves using a cloud provider rather than your own system as a platform to develop, run and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application. There are a number of well-known global providers, but local players are also emerging – potentially interesting for organisations concerned about having their service hosted abroad.

SaaS: Software as a service will be familiar to most people from their use of social media: platforms such as Facebook and LinkedIn all run on this basis, with the software sitting in the cloud rather than on the user’s device. The same principle applies in the corporate context, where many organisations are using CRM (customer relationship management) or ERP (enterprise resource planning) software provided ‘as a service’. As a user you simply consume the software, without knowing where it’s located.

All three flavours of cloud computing can be delivered either completely by a third-party provider (‘public cloud’), internally by an organisation (‘private cloud’) or in combination (‘hybrid cloud’). Large global enterprises that are big enough to get the scale benefits themselves are investing in building their own private cloud infrastructure. However, most organisations are not large enough to justify this and tend to use either public or hybrid cloud services.

Cloud computing services have cost benefits − the potential to significantly reduce IT costs and move expenditure from capex to opex − and flexibility, with the ability to scale the service up or down as desired.

Compelling reasons for the cloud

Organisations will find compelling reasons for all three categories of cloud service, IaaS, PaaS and SaaS. What they have in common is cost benefits – the potential to significantly reduce IT costs and move expenditure from capex (capital expenditure) to opex (operational expenditure) − and flexibility, with the ability to scale the service up or down as desired.

Infrastructure as a service has the added advantage of enabling you to provision additional services a lot more quickly, which is especially beneficial, for example, for sporting or major entertainment events. It also frees up the IT department to concentrate on adding value to the business rather than getting bogged down in managing the various infrastructure ‘boxes’.

Software as a service removes the need to continually upgrade software or keep up with the latest releases and patches: because you are paying to use the software rather than owning it yourself, you’re always sure of having the latest version. Many SaaS packages are also very flexible and allow you to configure the software to meet your needs without having to customise it or develop additional functionality yourself.

SaaS is also a very powerful tool for a mobile workforce, because all your people need for access to software is internet access. Many organisations also find the associated services often bundled with the software very attractive. For example, accounting software combined with monthly accounting services provided by a reputable firm can be a great option for many small businesses, as they can dispense with their own software and hardware as well as the need to have an in-house accounting function. In general, the cloud makes a lot of sense for companies not big enough to have their own specialist departments (such as IT) and staff.

The benefits of PaaS are very similar to those of SaaS, and it also gives you a platform for developing additional functionality on top of it. In other words, you can customise the solution for your own organisation much more than is possible with SaaS.

The cloud in action

What kinds of organisations are taking advantage of the cloud?

A good example is companies that source analytics services. To cope with a heavy load in the run-up to Christmas, for example, you can now take out a temporary contract with an analytics provider to spin up an analytics database in the cloud. Go to the cloud provider’s website with a credit card, and you have the infrastructure available in only an hour or two. In many cases a remotely provided service is often the only way of solving the problem – an instance of a new approach that wasn’t even possible before the advent of the cloud.

The public sector is also embracing cloud computing in a big way. The UK government, for example, has had the G-Cloud (Government Cloud) in place for a number of years, a strategy that makes it almost compulsory for public bodies to procure services via the cloud. In Australia state governments also have strategies where procurers have to consider the cloud first and justify the business case1 if they decide against it. The Swiss government also has a cloud computing strategy in place, complementing its eGovernment policy, and aimed primarily at the Confederation, the cantons, municipalities and enterprises affiliated with the Confederation. The challenges here are essentially the same as for the private sector, but with a slightly different emphasis: the most important issues for government and the public sector are how cloud services are contracted, and how data privacy risks are managed.

Another group that is reaping huge benefits from the cloud is project-based organisations such as construction firms, consulting engineers and infrastructure providers. They used to have to provision for each project, spending valuable time and resources equipping every new site with hardware, cabling and so on. With a cloud model, all the project team now needs is access to the internet (for example with their SIM card) and they’re productive from day one. And there’s no hardware to dispose of once the project is completed.

The real benefits of the cloud

This brings us to the nub of the matter: the real benefits of cloud computing come not from using it in isolation, but from combining it with other pieces of the digital transformation puzzle such as analytics, mobile workforce solutions and social media.

Once you put the pieces together you start to realise the full implications of the cloud. Extrapolating to the future, the scale benefits of the cloud mean it will ultimately make no sense for organisations to have their own IT infrastructure unless they’re very big indeed. A good analogy is the evolution of electricity: just as power from the grid means it’s no longer necessary for each factory to have its own generation facility, the cloud now makes computing services available universally.

Useful cloud computing resources

Cloud Security Alliance (CSA)

The CSA, present in every continent except Antarctica, is the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the expertise of industry practitioners, associations, governments and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.

CSA Security, Trust & Assurance Registry (STAR)

CSA operates the most popular cloud security provider certification programme, the CSA Security, Trust & Assurance Registry (STAR), a three-tiered provider assurance programme of self-assessment, third-party audit and continuous monitoring.

Cloud Security Alliance Switzerland Chapter (CSACH)

Klaus Gribi from Swisscom, President of the Cloud Security Alliance Switzerland Chapter (CSACH), describes its mission as follows: “CSACH focuses on information and data protection as well as legal aspects relevant to Swiss law to support and assist cloud consumers and cloud service providers in Switzerland. To achieve this goal, CSACH runs a series of research initiatives to compile and provide guidelines and best practices, organises cloud security events throughout Switzerland, and creates cloud security expert platforms for the exchange of information, know-how and experience in regard to cloud security in Switzerland.”

Swiss Federal Data Protection and Information Commissioner (FDPIC)

The Swiss Federal Data Protection and Information Commissioner has a supervisory and consultative role with respect to data protection and information-related issues. His function in the private sector is primarily consultative: explaining the legal provisions governing data protection, and advising on the registration of data files and trans-border data flows and enquiries relating to the right of access. The commissioner also advises on legal and technical matters, and acts as an intermediary in conflict situations.

What this ultimately means is that organisations can dynamically reconfigure their value chain to make it more agile, transforming the way they deliver value. You look at what value you provide and how you provide it, and then ‘plug and play’ the required software, services and infrastructure from cloud-based providers. If you don’t like a particular provider, you can switch them out with a different provider without having ‘stranded’ infrastructure assets or people.

The implications are huge, but the changes require a different mindset. Instead of thinking that you have to own or control your own supply chain, you have to start thinking in terms of an ecosystem that delivers value, and configure your supply chain accordingly using the most appropriate specialists in each area. Success in the world of digital business is going to be much more about managing information and getting the most out of it without actually owning or controlling the physical supply chain. The winners will be the organisations that have the clearest view of their end-to-end value chain and make the most effective use of this information, rather than necessarily those that have physical control.

What about the risks?

The upside of the cloud is immense. But what about the downside? Ironically, perhaps, many of people’s most pressing concerns about cloud computing – crucial issues such as data sovereignty, privacy and security – are already well understood, and good advice is available. International bodies such as the Cloud Security Alliance (see box) have been in existence for a number of years already, and have done a good job of clarifying best practices and issuing guidance on how to manage the cloud and the risks it entails.

Naturally, organisations entering the cloud have to work through the regulatory requirements as well – but again, these are well understood and guidance is available. For example, the Federal Data Protection and Information Commissioner (FDPIC; see box) has issued a guide to cloud computing from the standpoint of Swiss data privacy.

What many newcomers to the cloud tend to underestimate, however, is a whole range of less well understood risks.

Many of these are contractual in nature. A key question to ask is whether there’s any scope to negotiate the terms and conditions of your contract. If you’re dealing with a large cloud provider, you might not have any scope at all. For example, you might want to agree guaranteed service levels. If you can’t, where does that leave you in the event of an outage if the contract doesn’t provide for any remedies? Termination arrangements might also be difficult. What do you do if something happens to your cloud provider, they terminate at short notice, and you no longer have access to your data or have too little time to move it to a new provider? This is one aspect of a bigger risk that often gets overlooked: the long-term viability of your cloud provider. Small providers (and large ones) can go out of business, and it can be difficult to recover your data if your provider goes down or is taken over.

Another potential pitfall is e-discovery. In the event of legal issues, you might not have the right to access data – or have the right for only a limited time – for e-discovery. It’s crucial to look at your data retention and archiving requirements and consider how they’re met by your cloud provider. If you’re required to keep data for seven years and your provider only keeps it for one, you have a problem.

Another risk is a failure to get an adequate picture of the costs. Often, when initially assessing a cloud computing business case, organisations forget to consider or underestimate the expense involved in data obfuscation: the range of technologies, including encryption and tokenisation, designed to hide data or otherwise protect it from prying eyes. This can be a costly process, so it’s important to have a realistic idea of what’s involved.

The cloud can also entail tax risks, with different implications depending on where the service is provided from, that also have to be monitored. But the flipside is the potential tax opportunities: the cloud can make it possible to move parts of your supply chain to more tax-advantageous jurisdictions. For example, an organisation might choose to relocate its research and development people to a jurisdiction with advantages for R&D; thanks to the cloud, it can now do so without having to have massive infrastructure in place locally to support them.

Another cloud-related challenge, especially for large organisations and their IT people, is ‘shadow IT’. The fact that everyone within the organisation can potentially get computing services from the cloud, without involving the IT department, can lead to a situation where the costs and procurement are virtually unmanaged. Smart organisations implement cloud computing policies to make sure the risks are properly assessed and the relevant requirements (regulatory and so on) are met.

Help is at hand!

The important thing to remember about these risks is that they’re all manageable, and none of them will necessarily stop you going down the cloud path to reap the immense benefits it offers.

As already mentioned (more details in the box), there are global and national bodies and frameworks devoted to providing guidance on how to negotiate the cloud.

Professional services firms with specialists in cyber-business and digital transformation also offer extensive support, ranging from digital strategy formulation to actual migration services enabling organisations to get from their current environment to the cloud. A lot of this work involves regulatory and risk assessments, and helping organisations demonstrate to the regulatory authorities that they are meeting requirements (for example by producing independent reports to the regulator). It also often includes support with business cases, tax, etc. Professional services firms can also help clients get the bigger picture, enabling them to harness cloud computing and understand how to integrate various cloud services in their supply chain. Many large organisations are finding it useful to set up their own internal function to orchestrate all these building blocks to build the wall, and there are many cloud brokering technologies (used to integrate cloud services and manage their performance and resilience) evolving to facilitate this.

Professional services firms also support cloud providers by providing third-party controls assurance: evidence a provider can publish on its website that its services meet well-developed global professional standards. They also help create and evolve a reliable global framework for digital transformation and cloud computing through their active involvement in standards bodies, industry bodies and best practice organisations such as the Cloud Security Alliance.

We’re at your service!

Jan Schreuder

Jan Schreuder

Partner, Cybersecurity and Technology Risk

+41 58 792 24 84


The cloud is already revolutionising the way business is done throughout the private and public sectors. There are risks, but all of them are manageable. Some are already well understood, and comprehensive best practice guidance is available. Other challenges simply have to be worked through carefully – but again, support is available. The most important thing is to see the cloud as part of the big picture: as an enabler that allows organisations to dynamically reconfigure their supply chain to deliver value more intelligently and effectively. Ultimately, can you afford not to be in the cloud?

  1. Business case: The business case sets out the economic rationale and impact in the run-up to an outsourcing project. It contains an outline of the processes involved and the organisation that will work with these processes following outsourcing. It also compares the costs of the outsourced portion of the business with the status quo, and forecasts the point within a timeframe of five years at which the outsourced process will be profitable.