Cloud Computing SWOT Analysis

Cloud computing is the new kid on the block, a new way for organisations to manage their business systems and networks without investing in the traditional IT estate. E RADAR's Will Roebuck looks at why organisations are turning to the cloud, the opportunities this new technology can bring, and identifies some of the risks involved.

Cloud computing - computation, software, data access and storage services that don't require end-user knowledge of the physical location and configuration of the system that delivers the services - is appealing to organisations and consumers alike as it offers many benefits over traditional, server or desktop-based computing.

However, with these benefits come corresponding risks which should not be overlooked, particularly around security and privacy. We know that technology is dynamic and complicated, and is an ongoing headache for law makers who strive to provide levels of certainty for the majority of us using it. Make no mistake: laws and regulations NEVER catch up with technology, but simply evolve to meet new circumstances. Cloud computing is no different, with law makers setting down markers in order to shape the future of this exciting and cutting-edge technology.

This article sets out a cloud computing SWOT (strengths, weaknesses, opportunities and threats) analysis for organisations looking into cloud investment. It complements my earlier article entitled The Law and Cloud Computing.



The key strengths of cloud computing lie in business continuity, flexibility and agility, and mobility.

  • Shared computer resources

Instead of wasting precious and costly computing power, an inherent drawback of the current client server model, cloud computing allows for a more efficient and affordable use of computing resources.

  • Cost savings

The end user is no longer burdened with the expense of maintaining and updating servers, data centres and software. Instead, the cloud computing provider carries these IT costs, while organisations simply pay a low monthly subscription fee.

  • No licensing

The all-in-one package based upon a subscription fee does away with complicated and expensive software licences that need managing and updating regularly.

  • Reduced reliance on external consultants

The provider now handles updates and the installation of software patches that close dangerous security loopholes. Software incompatibility conflicts are no longer your problem, so there's no need for external IT consultants to troubleshoot your business systems.

  • Mobility

Data stored in the cloud can be accessed from virtually anywhere with an internet connection.


Weaknesses

  • Legacy systems

Small and medium-sized organisations are more likely to embrace the benefits of the cloud than larger companies which may have complicated legacy systems.

  • User attitude and control

Organisations will still need to have 'control' over data and information to meet business, legal and regulatory requirements. For many, the idea of giving up control of the hardware that carries business critical data and outsourcing confidential customer data to a third party is an unsettling concept.

  • Global economy

All segments of the cloud computing market - Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) - will be influenced by the overall state of the economy and global demand for IT services.


Opportunities

  • Agility and flexibility

Smaller firms are nimble and thus more easily able to move to the cloud and take advantage of cloud computing's many cost-saving benefits.

  • Growth in cloud services

Cloud services will continue to grow with increasing competition from both established players and new entrants. Some observers estimate that the cloud market will top $270 billion in 2020, with SaaS offering more growth opportunities than any other segment.

  • Consolidation in legal and regulatory environment

We will see the publication of more business guidance from law makers and regulators over the next few years. The UK Information Commissioner has already published his Guide to Keeping Personal Information Online and the European Commission is currently looking into providing standard contracts for cloud services.


Threats

  • In-house IT personnel

Many IT professionals will need to re-invent themselves as organisations do away with expensive IT Departments.

  • Data Protection

European Union (EU) law states that organisations can only transfer data outside the EU if that country's data protection laws are adequate (to European standards). With cloud computing, you don't know where in the world your data is held even though you are still liable for it.

  • eDiscovery

Should a court or tribunal require your organisation to produce data or information (e.g. to defend allegations of breach of contract or for an employment disciplinary), can it retrieve them easily and guarantee that they meet evidential standards?

  • Security

How secure is your data? What track record does your cloud supplier have in the technology markets? No type of data storage system is risk free and for that reason, absolute security is impossible. Consider the following traditional security risks in the context of cloud computing:



- Physical equipment

- Physical environment

- Physical by-products


- Identity authentication

- Application privileges

- Input validation

- Appropriate behaviour patterns

- Reporting logs


- Permanent network connections

- Intermittent network connections

- Network maintenance


- Remote sensors and control systems

- Back-up procedures

Human Operator

- Human maintenance of security procedures

- Intentional actions threatening security

Software Supply

- Internal policies for software development

- Policies for dealing with external vendors

Questions to ask your cloud services provider

Organisations should consider online security when purchasing software products from vendors. We've suggested some basic questions to ask below, although this is not an exhaustive list. Additional protections can then be built into the supplier contract.

  • Which SDL (Secure Development Life-cycle) programme does your development team adhere to?
  • What methodologies do you use for security testing your products? (Automated testing, code-review, fuzzing, manual tests etc.)
  • How frequently and using which methodology do third parties conduct security assessments on your products?
  • What training do your development and testing teams receive specific to application security?
  • Do you have a dedicated team to assess and respond to security vulnerabilities reported in your products?
  • What is your patch release strategy and what tools do you offer for patch deployment?
  • Do you disclose all vulnerabilities that affect your software, and how/when are customers notified?
  • How did you threat-model the application?
  • Do you conduct security testing separately from functional testing?
  • What technical guidance do you provide about vulnerabilities, including how they could be exploited, how they are currently being exploited, and how to mitigate them?
  • For applications developed on Microsoft platforms: do you utilise Microsoft's DREAD model to assess the security of your software?
  • What is a typical vulnerability-to-patch delivery time frame?
  • Would you support a future product Health Check?
  • Are there any outsourced / subcontracted components related to your product? And how do you assess the security impact of such components?
  • Who do I talk to if there is a (security) problem with your product?
  • If the operating system is patched or upgraded, will the application continue to work and how will security be affected?
  • Is your organisation ISO 27000 compliant?