Cloud Risks - Are we looking in the right direction?
By Reinout Schotman, Abbas Shahim and Ahmed Mitwalli
May 2013
Risks of cloud computing are complex and diverse. With proper identification and management of those risks, cloud computing can be more secure than on premise.
Executive Summary
The perceived risks associated with cloud are a major barrier to adoption for
enterprises considering cloud computing. But when they consider the risks, most
simply look at the security risks within the cloud provider. However, many other,
possibly more relevant risks also need to be assessed and managed, including
enterprise, political and environmental, for which Canopy has developed a Cloud
Risk Identification Matrix. This matrix helps an enterprise to identify and score
risks so it can plan its path to the cloud more effectively. The message is clear. The
risks of failing to plan for cloud computing are real. And so is the risk of missed
benefits. Don’t fear the cloud; embrace it.
The risks associated with the cloud
are a top concern for enterprises
considering cloud computing, with
security uppermost thanks to the
common assumption that a cloud
solution is inherently less secure
than a traditional one. It’s an issue to
which cloud vendors respond by
reassuring enterprises of the
stringent security aspects of their
solutions, but this sidesteps a much
broader assessment of risk. This
view of the cloud is too limited:
while enterprises and vendors focus
their attention on technical security
risks, other, potentially bigger risks
either remain unidentified or receive
insufficient attention.
Cloud computing can be secure -
sometimes more secure than an
enterprise can achieve on its own.
But if an enterprise is to achieve
acceptable levels of risk that allow it
to migrate to the cloud, it must use a
structured approach to identifying,
assessing and mitigating risks as
well as adopt a governance structure
that enables it to manage risk
effectively. Enterprises must also
retain their legal and regulatory
compliance as they move to a cloud
model, and must be able to prove
this compliance to ensure that the
business is not subject to an
uncontrolled risk.
Cloud computing allows
enterprises to achieve greater
business efficiencies and can lower
the barriers to entry to new markets.
But with new paradigms come new
risks which may not be well
understood. This uncertainty is
constraining adoption, as Figure 1
shows. Canopy’s Cloud Risk
Identification Matrix allows
enterprises to identify, segment and
score risks so they can develop cloud
risk profiles for different workloads.
Cloud providers typically
respond to enterprise concerns by
demonstrating how well their
solutions are protected and data
centers secured, publishing up-time
statistics and displaying compliance
certificates. However, just as many enterprises overstate the risks of a cloud solution, at the other end of the scale some fail to do adequate due diligence and are too accepting of vendor assurances, taking a vendor's technical security assessment on trust. The true story is more complex: in reality, risks are neither wholly the responsibility of the vendors nor mostly technical.
Risk Identification
Risks differ in type and origin, but
regardless of the cloud delivery
model (private, public, hybrid, etc),
there are five sources of risk:
1. Users
2. Enterprise
3. Network Provider
4. Cloud Provider
5. Environment
There are many different definitions of cloud risk; Gartner, Forrester and Wikipedia each have their own, looking at different attributes. Based on these definitions and Canopy's experience, Canopy segments risk according to three key defining questions:
1. Which risks may jeopardize
service availability?
(Availability)
2. Which risks may jeopardize
data integrity and
confidentiality? (Integrity &
Confidentiality)
3. Which risks may jeopardize
compliance to in-house and
external policies, rules and
regulations and auditability?
(Compliance & Auditing)
Both the origin of risk and the
type of risk define the Cloud Risk
Identification Matrix. An enterprise
needs to score the risks per
application or workload and possibly
even per cloud vendor as different
vendors may imply different risks.
Whether a risk is high or low is
determined by three factors:
1. The likelihood of an event
2. The size of impact if that
event happens
3. The ease by which such an
event can be mitigated
The combined risks in the Cloud Risk Identification Matrix define a risk profile for a specific workload which needs to match the risk appetite for that workload. For instance, the required risk profile for an internal training delivery system is likely to be different from that of a financial transaction processing system. An example of a risk profile of a specific workload in an enterprise is shown below.
Figure 1: Barriers restricting cloud adoption in enterprises (European Commission, IDC 2012). Bar chart, x-axis 0% to 40%, share of respondents answering very/completely. Barriers listed: Legal Jurisdiction, Security & Data Protection, Trust, Data Access & Portability, Data Location, Local Support, Change Control, Ownership of Customization, Evaluation of Usefulness, Slow Internet Connection, Local Language, Tax Incentives. Percentages extracted from the chart: 17.0%, 17.9%, 18.0%, 18.2%, 21.4%, 22.4%, 22.8%, 23.8%, 24.9%, 25.1%, 30.5%, 31.7%.
Typically, the risks with high
frequency and easy mitigation have
low impact. This means that the
overall risk score is low. Many of
the more technical risks, such as
performance issues at the provider,
fall into this category. On the other
hand, catastrophic, environmental
risks may happen infrequently but
can have a severe impact and can be
difficult to mitigate.
One problem with risk scoring
is that while the impact can be
determined accurately, the frequency
cannot. Another is that mitigation
may exist but may be neglected,
which unintentionally increases the
actual risk profile.
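The scoring rule described above (likelihood, size of impact, ease of mitigation) applied to the five risk origins and three risk types, as an added example that is not Canopy's own tooling or anything from the paper: each factor is rated 1 to 3, the product is bucketed into Low/Medium/High (the thresholds are an assumption), cells nobody assessed are flagged rather than silently dropped so unidentified risks stay visible, and the resulting profile is compared with a per-workload risk appetite. The sample assessments and the appetite for a financial transaction workload are constructed for illustration.

```python
"""Cloud Risk Identification Matrix scoring and appetite check.

Added example, not Canopy's tooling. The 1-3 factor scale, the product
thresholds, the sample assessments and the appetite are all assumptions.
"""
from typing import Dict, List, Optional, Tuple

ORIGINS = ("User", "Enterprise", "Network Provider", "Cloud Provider", "Environment")
TYPES = ("Availability", "Integrity & Confidentiality", "Compliance & Auditing")
RANK = {"Low": 1, "Medium": 2, "High": 3}

Factors = Tuple[int, int, int]   # (likelihood, impact, mitigation difficulty)
Cell = Tuple[str, str]           # (origin, risk type)


def score_cell(likelihood: int, impact: int, mitigation_difficulty: int) -> str:
    """Combine the three factors the paper names into one Low/Medium/High score.

    Each factor is 1 (low) to 3 (high); 'ease of mitigation' is expressed as
    difficulty so that a harder-to-mitigate risk scores higher. The product
    ranges 1..27 and the bucket thresholds (<=4 Low, <=12 Medium) are an
    assumption: a frequent, low-impact, easily mitigated event (3,1,1) scores
    Low, a rare but catastrophic and hard-to-mitigate one (1,3,3) Medium.
    """
    for v in (likelihood, impact, mitigation_difficulty):
        if v not in (1, 2, 3):
            raise ValueError("each factor must be 1, 2 or 3")
    product = likelihood * impact * mitigation_difficulty
    if product <= 4:
        return "Low"
    if product <= 12:
        return "Medium"
    return "High"


def build_matrix(assessments: Dict[Cell, Factors]) -> Dict[Cell, str]:
    """Score every origin/type cell; cells nobody assessed are marked, not hidden."""
    matrix: Dict[Cell, str] = {}
    for origin in ORIGINS:
        for rtype in TYPES:
            factors: Optional[Factors] = assessments.get((origin, rtype))
            matrix[(origin, rtype)] = score_cell(*factors) if factors else "Unassessed"
    return matrix


def appetite_breaches(matrix: Dict[Cell, str],
                      appetite: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Cells whose score exceeds the workload's appetite for that risk type.

    An unassessed cell is reported as a breach too: an unidentified risk
    cannot be declared to be within appetite.
    """
    breaches = []
    for (origin, rtype), level in matrix.items():
        if level == "Unassessed" or RANK[level] > RANK[appetite[rtype]]:
            breaches.append((origin, rtype, level))
    return breaches


def render(matrix: Dict[Cell, str]) -> str:
    """Plain-text table in the layout of the paper's matrix."""
    width = max(len(o) for o in ORIGINS)
    lines = [" " * width + " | " + " | ".join(TYPES)]
    for origin in ORIGINS:
        row = [matrix[(origin, t)].ljust(len(t)) for t in TYPES]
        lines.append(origin.ljust(width) + " | " + " | ".join(row))
    return "\n".join(lines)


# Constructed assessments for a hypothetical financial transaction workload.
SAMPLE_ASSESSMENTS: Dict[Cell, Factors] = {
    ("User", "Availability"): (2, 1, 1),
    ("User", "Integrity & Confidentiality"): (3, 2, 2),        # data on BYOD devices
    ("User", "Compliance & Auditing"): (2, 2, 1),
    ("Enterprise", "Availability"): (2, 3, 3),
    ("Enterprise", "Integrity & Confidentiality"): (2, 3, 2),  # weak IAM governance
    ("Enterprise", "Compliance & Auditing"): (2, 2, 2),
    ("Network Provider", "Availability"): (3, 2, 2),
    ("Network Provider", "Integrity & Confidentiality"): (2, 2, 2),
    ("Network Provider", "Compliance & Auditing"): (1, 2, 1),
    ("Cloud Provider", "Availability"): (2, 3, 3),             # provider failure, hard to mitigate
    ("Cloud Provider", "Integrity & Confidentiality"): (1, 2, 1),
    ("Cloud Provider", "Compliance & Auditing"): (1, 1, 2),
    ("Environment", "Availability"): (1, 3, 3),                # rare, severe, hard to mitigate
    ("Environment", "Integrity & Confidentiality"): (1, 2, 2),
    # ("Environment", "Compliance & Auditing") deliberately left unassessed
}

# Constructed appetite: a transaction system tolerates little on integrity or compliance.
FINANCIAL_APPETITE = {
    "Availability": "Medium",
    "Integrity & Confidentiality": "Low",
    "Compliance & Auditing": "Low",
}

if __name__ == "__main__":
    profile = build_matrix(SAMPLE_ASSESSMENTS)
    print(render(profile))
    for origin, rtype, level in appetite_breaches(profile, FINANCIAL_APPETITE):
        print(f"outside appetite: {origin} / {rtype} = {level}")
```

Run as a script it prints the matrix and seven cells outside appetite, one of which is the unassessed Environment / Compliance & Auditing cell; that last line is the point of the exercise, since the paper's concern is risks that remain unidentified rather than risks that are scored badly.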
Clearly cloud security is not just
about technology - it is also about
governance in a diversified business
environment. Identifying the
different risks in this complex
environment will allow a more
accurate assessment of the total risk
and ensure mitigations that might
otherwise be overlooked. This may
in turn lead to different choices on
the path to cloud computing.
User risks
Users are more mobile and often
employ a variety of devices for
access. In many cases these devices
are either privately owned (Bring
Your Own Device, BYOD) or subject
to limited control by the enterprise
(such as smartphones or tablets). A
risk is the proliferation of data on
devices beyond the control of the
enterprise. If a device is lost, stolen
or discarded, its data may still be
accessible. This data does not
necessarily need to be structured
data; it could well be a file
containing sensitive information. In
fact, the most common applications -
email and Excel - may also pose the
highest risk as both applications are
used heavily to distribute sensitive
data beyond the control of an
enterprise.
Information management
should go beyond enterprise
applications with structured data. If
data is stored on a user device,
enterprises must implement proper
controls to ensure the data is
secured.
Enterprise risks
Most enterprises regard the
infrastructure within their premises
as more secure than the (public)
cloud. But in reality, enterprises
seldom operate industrial-grade data
centers similar to those of large-
scale cloud providers, which are
highly secure in terms of procedure
and control. A data center’s Power
Usage Effectiveness (PUE) assesses
how efficiently a data center uses
energy - the lower the PUE the
better, with a PUE of 1.0 being
ideal. Most enterprise data centers
operate at a level of 2.0 or higher,
whereas Google’s PUE, for example,
is 1.14. Efficiency can only be
achieved by scaling up to an
industrial level with robust
processes and control. Apart from
being cheaper and greener, large
cloud providers are also likely to
operate more comprehensive
security procedures, resulting in less
operational risk.
Other key risks may well also be
reduced by moving to the cloud. For
example, internal events are often
under-reported because they are
resolved through informal networks
of employees, so the enterprise has
an inaccurate picture of its current
exposure to risk. Moving to the
cloud eliminates this as cloud
providers have stringent security
processes where all events are logged.
Another critical area of concern is
enterprise identity and access
management (IAM), an area any
enterprise considering a move to the
cloud needs to take seriously.
Typically, enterprises use software
such as Microsoft Active Directory
(AD) to control access and register
users. It’s not uncommon for 10-20%
of registered identities to be
“ghosts” as staff leave or access is
revoked. Without good IAM
governance processes, an enterprise
will have an incomplete picture of
its IAM status, which contributes to
risk. This is critical as while a
generic report on the technical
security of a cloud provider may
demonstrate excellent technology
and processes, a move to that cloud
provider may still result in lower
security levels for some enterprises
depending on the state of their IAM
governance processes. To avoid this,
a thorough and comprehensive
assessment of different sources of
risk must be undertaken before
making a migration decision.
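Finding the ghost identities described above is a reconciliation job. As an added example (not Canopy's or Microsoft's tooling), the script below compares a directory account export against the HR roster and reports enabled accounts that HR no longer vouches for, or that have not logged on within a threshold. The CSV layouts, the 90-day threshold and every sample row are constructed; the column names sAMAccountName and lastLogon mirror AD attribute names, but the export format itself is an assumption.

```python
"""Ghost-identity reconciliation between a directory export and the HR roster.

Added example, not Canopy's or Microsoft's tooling. The CSV layouts, the
90-day inactivity threshold and every sample row are constructed.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample: an AD user export flattened to CSV (the column names
# follow AD's sAMAccountName/lastLogon attributes; the values are made up).
DIRECTORY_CSV = """sAMAccountName,enabled,lastLogon
asmith,True,2013-04-28
bjones,True,2012-11-02
cwu,True,2013-04-30
dlee,False,2013-01-15
svc_backup,True,2013-04-29
"""

# Constructed sample: HR roster; 'left' means the employee has departed.
HR_CSV = """employee_id,login,status
1001,asmith,active
1002,bjones,left
1003,cwu,active
1004,dlee,left
"""

# Constructed reference date so the example is reproducible.
AS_OF = date(2013, 5, 1)


def ghost_report(directory_csv: str, hr_csv: str, today: date,
                 inactive_days: int = 90) -> Dict[str, object]:
    """Flag enabled accounts that HR no longer vouches for, or that nobody uses.

    A 'ghost' here is an enabled directory account that is (a) absent from the
    HR roster, (b) present with a non-active HR status, or (c) unused for more
    than inactive_days. Disabled accounts are already revoked and are skipped.
    """
    hr_status = {row["login"]: row["status"]
                 for row in csv.DictReader(io.StringIO(hr_csv))}
    ghosts: List[Tuple[str, List[str]]] = []
    accounts = 0
    for row in csv.DictReader(io.StringIO(directory_csv)):
        accounts += 1
        if row["enabled"] != "True":
            continue
        login = row["sAMAccountName"]
        reasons: List[str] = []
        status = hr_status.get(login)
        if status is None:
            reasons.append("not on HR roster")
        elif status != "active":
            reasons.append(f"HR status is '{status}'")
        idle = (today - date.fromisoformat(row["lastLogon"])).days
        if idle > inactive_days:
            reasons.append(f"no logon for {idle} days")
        if reasons:
            ghosts.append((login, reasons))
    ratio = len(ghosts) / accounts if accounts else 0.0
    return {"accounts": accounts, "ghosts": ghosts, "ghost_ratio": ratio}


if __name__ == "__main__":
    report = ghost_report(DIRECTORY_CSV, HR_CSV, today=AS_OF)
    print(f"{len(report['ghosts'])} of {report['accounts']} accounts look like "
          f"ghosts ({report['ghost_ratio']:.0%})")
    for login, reasons in report["ghosts"]:
        print(f"  {login}: {'; '.join(reasons)}")
```

Two findings come out of the sample data: a leaver whose account is still enabled (caught by both the HR status and the inactivity rule), and a service account that no HR record owns. The second case is the one a pure "leavers" check misses, which is why the roster comparison and the inactivity check are both needed before trusting the directory as the source of truth for a cloud migration.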
Cloud Risk Identification Matrix (example risk profile of a specific workload)
Risk Origin                      | Availability | Integrity & Confidentiality | Compliance & Auditing
User                             | Low          | Medium                      | Low
Enterprise                       | High         | Medium                      | Medium
Network Provider                 | Medium       | Medium                      | Low
Cloud Provider                   | High         | Low                         | Low
Environment (natural, political) | Medium       | Low                         | Low
Network provider risks
Cloud services may significantly change network topology and bandwidth requirements. While network availability is ubiquitous in some countries, in others it is not.
There may be two “legs” of network
connections: between the cloud
provider and the enterprise, and
between a cloud provider and a user.
The first leg is more or less static and
can be controlled; the second is mostly
dynamic and therefore difficult to
control. If the user is spread across
different regions, it may be a challenge
to control the quality of service,
which can compromise the
"Availability" component of the Cloud
Risk Identification Matrix. For
example, when a Mediterranean
submarine cable was cut near
Alexandria in 2012 it caused severe
internet outages and disruption in the
Middle East, India and Pakistan.
In addition, a user may also be
prone to session hijacks, such as “Man
in the Middle” (MitM) attacks on wifi
connections. Providers typically
counter this risk by providing some
form of encryption of the
communication session, such as SSL.
But these security measures can be
breached and for enterprises and even
cloud providers it can be difficult to
identify, qualify and quantify such risks.
Internet censorship may also cause
disruption, again a risk difficult to
qualify and quantify. Nevertheless, it
and similar risks should be accounted for
under data integrity and confidentiality
in the Cloud Risk Identification Matrix.
When designing and
implementing a solution, there should
always be a thorough assessment of
network topology, quality of service
and risks. Indeed, it should be
scheduled on a regular basis as it forms
one of the building blocks of good
governance for enterprise architecture.
Cloud provider risks
Enterprises often focus extensively on
the risks of cloud providers when they
choose a vendor. Many risks are related
to the operations of the provider and
are part of their service level
agreement (SLA). But in reality these
risks are small compared with those
that would exist if the services were
provided by the enterprise. Other risks,
such as the continued existence of the
provider itself, may be small, but could
have an impact that is difficult to
mitigate. What happens if a provider
defaults financially and service is
discontinued? The market is currently
so fragmented that we can expect some
providers to fail as well as
consolidation as it matures.
The risks of consolidation or
bankruptcy among service providers
are difficult to identify and it is hard to
predict their timing and (expected)
frequency. Obviously, scale is important
and large providers such as Microsoft,
Google and Amazon, are less likely to
fail than small niche cloud providers.
This risk should either be a selection
criterion or risk mitigation scenarios
should be available.
Another common misconception is
that operational risks can be solved
through SLAs. An SLA is a contractual
or financial incentive for the provider
to prevent the occurrence of an event.
The event and the impact can be well
understood, but the expected
occurrence can hardly ever be reliably
determined.
SLAs can impose an incentive on
the provider to manage frequent, but
low impact events. They cannot help
prevent low frequency, high impact
events. In fact, many small, start-up
cloud providers may neglect such low
frequency, high impact events because
they operate with a different appetite
for risk. For instance, a cloud provider
may have server redundancy in its
infrastructure within one data center,
but may not have a mirrored
infrastructure at hot stand-by available
for disaster recovery.
At the other end of the risk
spectrum, a cloud provider may offer
protection from risks so extreme that
they are inconsequential. For example,
a data center in Finland was built in a
former military nuclear bunker
complex and marketed its
infrastructure as nuclear-bomb proof.
Not many businesses care about the
risk of such an event.
Environmental risks
While many risks can be controlled or
mitigated, there remains a group that
cannot; they are political or caused by
natural disasters.
Political risk comes in all shapes
and sizes, from dictatorial to legislative.
For example, when the Chinese
government blocked Google in
November 2012, many enterprise users
with Google Docs were denied service.
Yet to be resolved, and clearly a potential risk, is the lack of clarity concerning the impact of the US Patriot Act on data privacy. While the United States demands that its security agencies have access to corporate data, even overseas, the European Union forbids such access. Enterprises could find themselves caught in the middle, in a very uncomfortable position.
Example:
Email is probably amongst the most business-critical and widely used enterprise applications. Many processes and management controls would simply cease to function without email. Email, or more broadly “business productivity tools”, was an early adopter of cloud. Microsoft and Google compete fiercely in this market.
A large, global enterprise adopted Google Apps for business productivity (such as Gmail). It was cheaper and more secure than what it could achieve in-house. What it did not realize is that by adopting Google Apps, it became exposed to risks beyond the control of both the enterprise and Google. In 2012, during the Chinese Party Congress, the Chinese government shut down all access to Google services to prevent any possible political unrest. As a result, the enterprise using Gmail was shut off too, which caused significant disruption of its Chinese operations. The enterprise could have prevented or limited the impact if it had identified this risk and planned a mitigation.
Natural disasters can also affect
service availability, mostly due to
internet or power outages. The 2011
tsunami in Japan and the subsequent
failure of the Fukushima nuclear
energy plants resulted in a severe
shortage of power, while Hurricane
Sandy in 2012 in the US showed that
natural disasters can disrupt services
in highly developed areas, and with
some regularity.
These events cannot be
controlled. An enterprise can only
ensure it has adequate disaster
recovery procedures for those services
that require high availability.
Governance of risks
The risks of cloud are diverse and
broad. But the process of managing
those risks does not fundamentally
differ from general risk management.
When considering risk mitigation
strategies, the options are:
1. Avoid - prevent it from
happening
2. Reduce - actively plan and
manage to limit occurrence and
severity
3. Outsource - hand over to other
parties such as the provider
4. Accept - because the cost of
mitigation outweighs the risk
itself or simply because you
cannot control it.
The risk strategies of all risks
combined and for all cloud solutions
determine the risk profile of cloud
for an enterprise. The framework
below illustrates one approach to
managing cloud risks. Such a process
may have various permutations as
risks are driven by demand (business
process needs, cultural and people
needs) and by supply (IT
infrastructure, IT management and
organization). The effectiveness of
risk management is determined by
the balance between supply and
demand.
Although the risk management
and governance frameworks are not
fundamentally different, cloud will
affect how risk management is
implemented. The experiences of
employees with consumer IT have
increased the demand for usability,
flexibility and agility at lower cost,
and the informal use of cloud applications
in the enterprise is proof of this.
Meanwhile, risk management has
become more complex because many
risks that were internal may now have
external implications, such as
insufficient identity and access
management. Because many services
that were previously in-house and on-
premise are now provided by a cloud
vendor, possibly on an informal basis,
control over those risks has become
indirect. Demand has grown while the
complexity of supply has changed.
Cloud computing has therefore led to a
need for a new balance of demand and
supply of risk management.
A rigid risk governance
framework is not sufficient to meet this
new model. If an enterprise has very
restrictive security measures in place,
users may revert to informal cloud use.
Although an enterprise may have a
tightly implemented risk governance
framework, the realities of cloud may
still increase risk.
Should enterprises embrace cloud?
Figure 2: Risk Management demand & supply model
Figure 3: Risk Management maturity model
As with any shift to a new model, there
are uncertainties that need to be
resolved. The business economics,
rationale and user experiences are so
compelling that the transformation into
the cloud paradigm will happen
regardless of enterprise policy.
Informal use of public cloud in the
enterprise is probably far more
widespread than is visible to IT.
Restricting rather than facilitating
cloud computing will not lead to more
security and may lead to inflexibility
and competitive disadvantage.
An appropriate response is a
proactive one in which a clear
migration roadmap, including a
robust security plan, is defined
and managed across IT. Such a policy
starts with an honest look at the current risk
of legacy, on-premise infrastructure.
The alternative is a reactive response
to demands that will only result in
crisis management or repression.
Summary
Canopy’s assessment of risks associated with the use of cloud computing in the enterprise provides
us with three important lessons:
1) Cloud is not necessarily less secure. Many cloud providers offer better security than
enterprises could manage internally, due to better scale and focus. There are, however,
new risks to consider.
2) Risk management in enterprises does not necessarily require a different framework, but
an enterprise must ensure that supply and demand are balanced. Enterprises must also
ensure that the maturity is sufficient and adjusted to cloud.
3) If enterprises do not embrace cloud, informal IT will increase, and with this comes
unmanaged risk. A reactive approach will not only increase risk, but also will exclude
many business opportunities that cloud may bring.
The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk of
missed benefits. Don’t fear the cloud; embrace it.
Copyright © 2013 Canopy Cloud Ltd
Canopy - The Open Cloud Company
and its logo are trademarks of
Canopy Cloud Ltd.
All rights reserved.
About Canopy Cloud
Canopy (www.canopy-cloud.com) is a
one-stop-cloud-shop for enterprises.
It provides strategic consultancy;
development, migration and test
environments; secure on- and off-
premise private cloud implementation;
and access to a growing eco-system of
business solutions and processes
through a SaaS Enterprise
Application Store. Canopy is an
independent company, founded by
Atos, EMC and VMware.
Headquartered in London, Canopy is
global in scope, with consultancy
teams operating across Europe, North
America and Asia Pacific. Canopy
Consulting is a trusted cloud
computing advisor to leading private
and public sector organizations
around the world. Staffed almost
exclusively with professionals trained
at tier one strategic advisory firms,
we focus on helping senior executives
achieve business objectives by
leveraging cloud technologies.
About the Authors
Reinout Schotman is Associate Partner
at Canopy Cloud - Consulting and
leader in the field of cloud computing.
Prior to joining Canopy Cloud in 2013,
Reinout worked at Accenture and
several international telecom firms.
Reinout holds a MSc in Applied Physics
of Delft University of Technology.
Abbas Shahim is Partner at Atos
Consulting and the Global Lead of
Information Security and Risk
Management. He is also Associate
Professor at the VU University
Amsterdam and the Vice President of
Information Systems Audit and Control
Association (ISACA) chapter in the
Netherlands.
Ahmed Mitwalli is Managing Partner,
Canopy Cloud - Consulting. Prior to
Canopy, he was with McKinsey &
Company for 12 years where he was a
Partner and a leader in the Business
Technology Office. He has a PhD in
Electrical Engineering and Computer
Science from MIT, and is a holder of
five US technology patents.
For more information on how Canopy
Cloud helps organizations to benefit
from the cloud, please contact:
Reinout Schotman
reinout.schotman@atos.net
+31 6 11 14 19 16
Abbas Shahim
abbas.shahim@atos.net
+31 6 5384 9789
Ahmed Mitwalli
ahmed.mitwalli@atos.net
+1 917 982 5435
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
PB Project 1: Exploring Your Personal Brand
PB Project 1: Exploring Your Personal BrandPB Project 1: Exploring Your Personal Brand
PB Project 1: Exploring Your Personal Brand
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in Philippines
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 

Cloud risks; Are we looking in the right direction?

Cloud Risks - Are we looking in the right direction?
By Reinout Schotman, Abbas Shahim and Ahmed Mitwalli
May 2013

Risks of cloud computing are complex and diverse. With proper identification and management of those risks, cloud computing can be more secure than on premise.

Executive Summary
The perceived risks associated with cloud are a major barrier to adoption for enterprises considering cloud computing. But when they consider the risks, most simply look at the security risks within the cloud provider. However, many other, possibly more relevant risks also need to be assessed and managed, including enterprise, political and environmental, for which Canopy has developed a Cloud Risk Identification Matrix. This matrix helps an enterprise to identify and score risks so it can plan its path to the cloud more effectively. The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk of missed benefits. Don't fear the cloud; embrace it.

The risks associated with the cloud are a top concern for enterprises considering cloud computing, with security uppermost thanks to the common assumption that a cloud solution is inherently less secure than a traditional one. It's an issue to which cloud vendors respond by reassuring enterprises of the stringent security aspects of their solutions, but this sidesteps a much broader assessment of risk. This view of the cloud is too limited: while enterprises and vendors focus their attention on technical security risks, other, potentially bigger risks either remain unidentified or receive insufficient attention.

Cloud computing can be secure - sometimes more secure than an enterprise can achieve on its own. But if an enterprise is to achieve acceptable levels of risk that allow it to migrate to the cloud, it must use a structured approach to identifying, assessing and mitigating risks as well as adopt a governance structure that enables it to manage risk effectively. Enterprises must also retain their legal and regulatory compliance as they move to a cloud model, and must be able to prove this compliance to ensure that the business is not subject to an uncontrolled risk.

Cloud computing allows enterprises to achieve greater business efficiencies and can lower the barriers to entry to new markets. But with new paradigms come new risks which may not be well understood. This uncertainty is constraining adoption, as Figure 1 shows. Canopy's Cloud Risk Identification Matrix allows enterprises to identify, segment and score risks so they can develop cloud risk profiles for different workloads.

Cloud providers typically respond to enterprise concerns by demonstrating how well their solutions are protected and data centers secured, publishing up-time statistics and displaying compliance certificates.
However, just as many enterprises overstate the risks of a cloud solution, at the other end of the scale, some fail to do adequate due diligence and may be too accepting of vendor assurances about the risks of their cloud solutions, taking a vendor's technical security assessment on trust. The true story is more complex. In reality, risks are neither wholly the responsibility of the vendors nor mostly technical.

Risk Identification
Risks differ in type and origin, but regardless of the cloud delivery model (private, public, hybrid, etc.), there are five sources of risk:
1. Users
2. Enterprise
3. Network Provider
4. Cloud Provider
5. Environment

There are many different definitions of cloud risk - Gartner, Forrester, Wikipedia, each has its own that looks at different attributes. Based on these definitions and Canopy's experience, Canopy segments risk according to three key defining questions:
1. Which risks may jeopardize service availability? (Availability)
2. Which risks may jeopardize data integrity and confidentiality? (Integrity & Confidentiality)
3. Which risks may jeopardize compliance with in-house and external policies, rules and regulations, and auditability? (Compliance & Auditing)

Both the origin of risk and the type of risk define the Cloud Risk Identification Matrix. An enterprise needs to score the risks per application or workload and possibly even per cloud vendor, as different vendors may imply different risks. Whether a risk is high or low is determined by three factors:
1. The likelihood of an event
2. The size of impact if that event happens
3. The ease by which such an event can be mitigated

The combined risks in the Cloud Risk Identification Matrix define a risk profile for a specific workload which needs to match the risk appetite for that workload.
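The scoring just described, carried through as an added example (this is not Canopy's tooling): it rates a few matrix cells from the three factors, derives a Low/Medium/High profile, compares it with a per-workload risk appetite, and shows how a mitigation that exists but is not operated raises the actual profile. The 1-3 scales, the product formula, the rating cut-offs and the sample cell values are assumptions; the matrix axes and the two contrasted workloads come from the paper.

```python
"""Worked scoring of the Cloud Risk Identification Matrix.

Added illustration, not Canopy's method: the 1-3 scales, the product
formula and the Low/Medium/High cut-offs are assumptions. The matrix axes
(five risk origins, three risk types), the three scoring factors and the
two sample workloads come from the paper.
"""
from dataclasses import dataclass

ORIGINS = ("User", "Enterprise", "Network Provider", "Cloud Provider", "Environment")
TYPES = ("Availability", "Integrity & Confidentiality", "Compliance & Auditing")
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class RiskFactors:
    likelihood: int             # 1 = rare, 3 = frequent
    impact: int                 # 1 = minor, 3 = severe
    mitigation_difficulty: int  # 1 = easy to mitigate, 3 = hard
    mitigation_in_place: bool = True  # False = mitigation exists on paper only

    def score(self) -> int:
        # Assumed formula: product of the three factors (1..27). A mitigation
        # that is planned but not operated is scored as "hard to mitigate",
        # which is how a neglected mitigation raises the actual risk profile.
        difficulty = self.mitigation_difficulty if self.mitigation_in_place else 3
        return self.likelihood * self.impact * difficulty


def rating(score: int) -> str:
    """Map a numeric score onto the matrix's Low/Medium/High cells (assumed cut-offs)."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def risk_profile(cells: dict) -> dict:
    """{(origin, risk_type): RiskFactors} -> {(origin, risk_type): 'Low'|'Medium'|'High'}."""
    for origin, risk_type in cells:
        assert origin in ORIGINS and risk_type in TYPES, (origin, risk_type)
    return {key: rating(factors.score()) for key, factors in cells.items()}


def exceeds_appetite(profile: dict, appetite: dict) -> list:
    """Cells whose rating is above the workload's appetite ({risk_type: max acceptable rating})."""
    return sorted(key for key, r in profile.items() if LEVEL[r] > LEVEL[appetite[key[1]]])


# Constructed sample cells (not data from the paper).
SAMPLE_CELLS = {
    # frequent performance issues at the provider: minor impact, easy to mitigate -> Low
    ("Cloud Provider", "Availability"): RiskFactors(3, 1, 1),
    # natural or political event: rare but severe and hard to mitigate -> Medium
    ("Environment", "Availability"): RiskFactors(1, 3, 3),
    # sensitive files on users' own devices: moderate on all three factors -> Medium
    ("User", "Compliance & Auditing"): RiskFactors(2, 2, 2),
}

# Assumed risk appetites per risk type for the two workloads the paper contrasts.
TRAINING_APPETITE = {t: "Medium" for t in TYPES}
FINANCIAL_APPETITE = {"Availability": "Medium",
                      "Integrity & Confidentiality": "Low",
                      "Compliance & Auditing": "Low"}


def sample_profile(iam_mitigation_operated: bool) -> dict:
    """Profile of the sample cells plus enterprise IAM, with or without its mitigation operated."""
    cells = dict(SAMPLE_CELLS)
    cells[("Enterprise", "Integrity & Confidentiality")] = RiskFactors(2, 3, 2, iam_mitigation_operated)
    return risk_profile(cells)


if __name__ == "__main__":
    for operated in (True, False):
        profile = sample_profile(operated)
        print("IAM mitigation operated:", operated)
        for key, r in sorted(profile.items()):
            print(f"  {key[0]:>16} / {key[1]:<28} {r}")
        print("  over training appetite: ", exceeds_appetite(profile, TRAINING_APPETITE))
        print("  over financial appetite:", exceeds_appetite(profile, FINANCIAL_APPETITE))
```

With the IAM mitigation operated the enterprise cell rates Medium and the training workload is within appetite; once the mitigation is neglected the same cell rates High and the training workload is no longer acceptable, while the financial workload already fails on that cell in both cases.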
For instance, the required risk profile for an internal training delivery system is likely to be different from that of a financial transaction processing system. An example of a risk profile of a specific workload in an enterprise is shown below.

Typically, the risks with high frequency and easy mitigation have low impact. This means that the overall risk score is low. Many of the more technical risks, such as performance issues at the provider, fall into this category. On the other hand, catastrophic, environmental risks may happen infrequently but can have a severe impact and can be difficult to mitigate. One problem with risk scoring is that while the impact can be determined accurately, the frequency cannot. Another is that a mitigation may exist but may be neglected, which unintentionally increases the actual risk profile.

Clearly cloud security is not just about technology - it is also about governance in a diversified business environment. Identifying the different risks in this complex environment will allow a more accurate assessment of the total risk and ensure mitigations that might otherwise be overlooked. This may in turn lead to different choices on the path to cloud computing.

[Figure 1: Barriers restricting cloud adoption in enterprises (European Commission, IDC 2012). Bar chart of the share of respondents answering "very/completely" per barrier, with values between 17.0% and 31.7%, for: Legal Jurisdiction, Security & Data Protection, Trust, Data Access & Portability, Data Location, Local Support, Change Control, Ownership of Customization, Evaluation of Usefulness, Slow Internet Connection, Local Language, Tax Incentives.]

User risks
Users are more mobile and often employ a variety of devices for access. In many cases these devices are either privately owned (Bring Your Own Device, BYOD) or subject to limited control by the enterprise (such as smartphones or tablets). A risk is the proliferation of data on devices beyond the control of the enterprise. If a device is lost, stolen or discarded, its data may still be accessible. This data does not necessarily need to be structured data; it could well be a file containing sensitive information. In fact, the most common applications - email and Excel - may also pose the highest risk, as both applications are used heavily to distribute sensitive data beyond the control of an enterprise. Information management should go beyond enterprise applications with structured data.
If data is stored on a user device, enterprises must implement proper controls to ensure the data is secured.

Enterprise risks
Most enterprises regard the infrastructure within their premises as more secure than the (public) cloud. But in reality, enterprises seldom operate industrial-grade data centers similar to those of large-scale cloud providers, which are highly secure in terms of procedure and control. A data center's Power Usage Effectiveness (PUE) assesses how efficiently a data center uses energy - the lower the PUE the better, with a PUE of 1.0 being ideal. Most enterprise data centers operate at a level of 2.0 or higher, whereas Google's PUE, for example, is 1.14. Efficiency can only be achieved by scaling up to an industrial level with robust processes and control. Apart from being cheaper and greener, large cloud providers are also likely to operate more comprehensive security procedures, resulting in less operational risk.

Other key risks may well also be reduced by moving to the cloud. For example, internal events are often under-reported because they are resolved through informal networks of employees, so the enterprise has an inaccurate picture of its current exposure to risk. Moving to the cloud eliminates this, as cloud providers have stringent security processes where all events are logged.

Another critical area of concern is enterprise identity and access management (IAM), an area any enterprise considering a move to the cloud needs to take seriously. Typically, enterprises use software such as Microsoft Active Directory (AD) to control access and register users. It's not uncommon for 10-20% of registered identities to be "ghosts" as staff leave or access is revoked. Without good IAM governance processes, an enterprise will have an incomplete picture of its IAM status, which contributes to risk.
This is critical: while a generic report on the technical security of a cloud provider may demonstrate excellent technology and processes, a move to that cloud provider may still result in lower security levels for some enterprises, depending on the state of their IAM governance processes. To avoid this, a thorough and comprehensive assessment of the different sources of risk must be undertaken before making a migration decision.

Cloud Risk Identification Matrix (example risk profile for one workload)

Risk Origin                       | Availability | Integrity & Confidentiality | Compliance & Auditing
User                              | Low          | Medium                      | Low
Enterprise                        | High         | Medium                      | Medium
Network Provider                  | Medium       | Medium                      | Low
Cloud Provider                    | High         | Low                         | Low
Environment (natural, political)  | Medium       | Low                         | Low

Network provider risks
Cloud services may significantly change network topology and bandwidth requirements. While network availability is ubiquitous in some countries, in others it is not. There may be two "legs" of network connections: between the cloud provider and the enterprise, and between a cloud provider and a user. The first leg is more or less static and can be controlled; the second is mostly dynamic and therefore difficult to control. If users are spread across different regions, it may be a challenge to control the quality of service, which can compromise the "Availability" component of the Cloud Risk Identification Matrix. For example, when a Mediterranean submarine cable was cut near Alexandria in 2012 it caused severe internet outages and disruption in the Middle East, India and Pakistan.

In addition, a user may also be prone to session hijacks, such as "Man in the Middle" (MitM) attacks on wifi connections. Providers typically counter this risk by providing some form of encryption of the communication session, such as SSL. But these security measures can be breached, and for enterprises and even cloud providers it can be difficult to identify, qualify and quantify such risks. Internet censorship may also cause disruption, again a risk difficult to qualify and quantify. Nevertheless, it and others should be accounted for under data integrity and confidentiality in the Cloud Risk Identification Matrix.

When designing and implementing a solution, there should always be a thorough assessment of network topology, quality of service and risks. Indeed, it should be scheduled on a regular basis as it forms one of the building blocks of good governance for enterprise architecture.

Cloud provider risks
Enterprises often focus extensively on the risks of cloud providers when they choose a vendor. Many risks are related to the operations of the provider and are part of their service level agreement (SLA). But in reality these risks are small compared with those that would exist if the services were provided by the enterprise.
Other risks, such as the continued existence of the provider itself, may be small, but could have an impact that is difficult to mitigate. What happens if a provider defaults financially and service is discontinued? The market is currently so fragmented that we can expect some providers to fail as well as consolidation as it matures. The risks of consolidation or bankruptcy among service providers are difficult to identify and it is hard to predict their timing and (expected) frequency. Obviously, scale is important, and large providers such as Microsoft, Google and Amazon are less likely to fail than small niche cloud providers. This risk should either be a selection criterion or risk mitigation scenarios should be available.

Another common misconception is that operational risks can be solved through SLAs. An SLA is a contractual or financial incentive for the provider to prevent the occurrence of an event. The event and the impact can be well understood, but the expected occurrence can hardly ever be reliably determined. SLAs can impose an incentive on the provider to manage frequent, but low impact events. They cannot help prevent low frequency, high impact events. In fact, many small, start-up cloud providers may neglect such low frequency, high impact events because they operate with a different appetite for risk. For instance, a cloud provider may have server redundancy in its infrastructure within one data center, but may not have a mirrored infrastructure at hot stand-by available for disaster recovery.

At the other end of the risk spectrum, a cloud provider may offer protection from risks so extreme that they are inconsequential. For example, a data center in Finland was built in a former military nuclear bunker complex and marketed its infrastructure as nuclear-bomb proof. Not many businesses care about the risk of such an event.
Environmental risks
While many risks can be controlled or mitigated, there remains a group that cannot; they are political or caused by natural disasters. Political risk comes in all shapes and sizes, from dictatorial to legislative. For example, when the Chinese government blocked Google in November 2012, many enterprise users with Google Docs were denied service. Yet to be resolved, and clearly a potential risk, is the lack of clarity concerning the impact of the US Patriot Act on data privacy. While the United States demands that its security agencies have access to corporate data, even overseas, the European Union forbids such access. Enterprises could find themselves caught in the middle, in a very uncomfortable position.

Example: Email is probably amongst the most business critical and widely used enterprise applications. Many processes and management controls will simply cease to exist without email. Email, or more broadly "business productivity tools", has been an early adopter of cloud. Microsoft and Google compete fiercely in this market. A large, global enterprise adopted Google Apps for business productivity (such as Gmail). It was cheaper and more secure than what it could achieve in-house. What it did not realize is that by adopting Google Apps, it became exposed to risks outside the control of both the enterprise and Google. In 2012, during the Chinese Party Congress, the Chinese government shut down all access to Google services to prevent any possible political unrest. As a result, the enterprise using Gmail was shut off too, which caused significant disruption of its Chinese operations. The enterprise could have prevented or limited the impact if it had identified this risk and planned a mitigation.

Natural disasters can also affect service availability, mostly due to internet or power outages. The 2011 tsunami in Japan and the subsequent failure of the Fukushima nuclear energy plants resulted in a severe shortage of power, while Hurricane Sandy in 2012 in the US showed that natural disasters can disrupt services in highly developed areas, and with some regularity. These events cannot be controlled. An enterprise can only ensure it has adequate disaster recovery procedures for those services that require high availability.

Governance of risks
The risks of cloud are diverse and broad. But the process of managing those risks does not fundamentally differ from general risk management. When considering risk mitigation strategies, the options are:
1. Avoid - prevent it from happening
2. Reduce - actively plan and manage to limit occurrence and severity
3. Outsource - hand over to other parties such as the provider
4. Accept - because the cost of mitigation outweighs the risk itself or simply because you cannot control it

The risk strategies of all risks combined and for all cloud solutions determine the risk profile of cloud for an enterprise. The framework below illustrates one approach to managing cloud risks. Such a process may have various permutations as risks are driven by demand (business process needs, cultural and people needs) and by supply (IT infrastructure, IT management and organization). The effectiveness of risk management is determined by the balance between supply and demand. Although the risk management and governance frameworks are not fundamentally different, cloud will affect how risk management is implemented.
The experiences of employees with consumer IT have increased the demand for usability, flexibility and agility at lower cost, and the informal use of cloud applications in enterprises is proof of this. Meanwhile, risk management has become more complex because many risks that were internal may now have external implications, such as insufficient identity and access management. Because many services that were previously in-house and on-premise are now provided by a cloud vendor, possibly on an informal basis, control over those risks has become indirect. Demand has grown while the complexity of supply has changed.

Cloud computing has therefore led to a need for a new balance of demand and supply of risk management. A rigid risk governance framework is not sufficient to meet this new model. If an enterprise has very restrictive security measures in place, users may revert to informal cloud use. Although an enterprise may have a tightly implemented risk governance framework, the realities of cloud may still increase risk.

[Figure 2: Risk Management demand & supply model]
[Figure 3: Risk Management maturity model]

Should enterprises embrace cloud?
As with any shift to a new model, there are uncertainties that need to be resolved. The business economics, rationale and user experiences are so compelling that the transformation into the cloud paradigm will happen regardless of enterprise policy. Informal use of public cloud in the enterprise is probably far more widespread than is visible to IT. Restricting rather than facilitating cloud computing will not lead to more security and may lead to inflexibility and competitive disadvantage. An appropriate response is a proactive one in which a clear migration roadmap, including a clear and robust security plan, is defined and managed across IT. Such a policy starts with an honest look at the current risk of legacy, on-premise infrastructure. The alternative is a reactive response to demands that will only result in crisis management or repression.

Summary
Canopy's assessment of risks associated with the use of cloud computing in the enterprise provides us with three important lessons:
1) Cloud is not necessarily less secure. Many cloud providers offer better security than enterprises could manage internally, due to better scale and focus. There are, however, new risks to consider.
2) Risk management in enterprises does not necessarily require a different framework, but an enterprise must ensure that supply and demand are balanced. Enterprises must also ensure that their maturity is sufficient and adjusted to cloud.
3) If enterprises do not embrace cloud, informal IT will increase, and with this comes unmanaged risk. A reactive approach will not only increase risk, but will also exclude many business opportunities that cloud may bring.

The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk of missed benefits. Don't fear the cloud; embrace it.
Copyright © 2013 Canopy Cloud Ltd. Canopy - The Open Cloud Company and its logo are trademarks of Canopy Cloud Ltd. All rights reserved.

About Canopy Cloud
Canopy (www.canopy-cloud.com) is a one-stop cloud shop for enterprises. It provides strategic consultancy; development, migration and test environments; secure on- and off-premise private cloud implementation; and access to a growing eco-system of business solutions and processes through a SaaS Enterprise Application Store. Canopy is an independent company, founded by Atos, EMC and VMware. Headquartered in London, Canopy is global in scope, with consultancy teams operating across Europe, North America and Asia Pacific. Canopy Consulting is a trusted cloud computing advisor to leading private and public sector organizations around the world. Staffed almost exclusively with professionals trained at tier one strategic advisory firms, we focus on helping senior executives achieve business objectives by leveraging cloud technologies.

About the Authors
Reinout Schotman is Associate Partner at Canopy Cloud - Consulting and a leader in the field of cloud computing. Prior to joining Canopy Cloud in 2013, Reinout worked at Accenture and several international telecom firms. Reinout holds an MSc in Applied Physics from Delft University of Technology.

Abbas Shahim is Partner at Atos Consulting and the Global Lead of Information Security and Risk Management. He is also Associate Professor at the VU University Amsterdam and the Vice President of the Information Systems Audit and Control Association (ISACA) chapter in the Netherlands.

Ahmed Mitwalli is Managing Partner, Canopy Cloud - Consulting. Prior to Canopy, he was with McKinsey & Company for 12 years, where he was a Partner and a leader in the Business Technology Office. He has a PhD in Electrical Engineering and Computer Science from MIT, and is a holder of five US technology patents.

For more information on how Canopy Cloud helps organizations to benefit from the cloud, please contact:
Reinout Schotman, reinout.schotman@atos.net, +31 6 11 14 19 16
Abbas Shahim, abbas.shahim@atos.net, +31 6 5384 9789
Ahmed Mitwalli, ahmed.mitwalli@atos.net, +1 917 982 5435