Cloud Risks - Are we looking in the right direction?
By Reinout Schotman, Abbas Shahim and Ahmed Mitwalli
Risks of cloud computing are complex and diverse. With proper identification and management of those risks, cloud computing can be more secure than on premise.
May 2013
Executive Summary
The perceived risks associated with cloud are a major barrier to adoption for
enterprises considering cloud computing. But when they consider the risks, most
simply look at the security risks within the cloud provider. However, many other,
possibly more relevant risks also need to be assessed and managed, including
enterprise, political and environmental, for which Canopy has developed a Cloud
Risk Identification Matrix. This matrix helps an enterprise to identify and score
risks so it can plan its path to the cloud more effectively. The message is clear. The
risks of failing to plan for cloud computing are real. And so is the risk of missed
benefits. Don’t fear the cloud; embrace it.
The risks associated with the cloud
are a top concern for enterprises
considering cloud computing, with
security uppermost thanks to the
common assumption that a cloud
solution is inherently less secure
than a traditional one. It’s an issue to
which cloud vendors respond by
reassuring enterprises of the
stringent security aspects of their
solutions, but this sidesteps a much
broader assessment of risk. This
view of the cloud is too limited:
while enterprises and vendors focus
their attention on technical security
risks, other, potentially bigger risks
either remain unidentified or receive
insufficient attention.
Cloud computing can be secure -
sometimes more secure than an
enterprise can achieve on its own.
But if an enterprise is to achieve
acceptable levels of risk that allow it
to migrate to the cloud, it must use a
structured approach to identifying,
assessing and mitigating risks as
well as adopt a governance structure
that enables it to manage risk
effectively. Enterprises must also
retain their legal and regulatory
compliance as they move to a cloud
model, and must be able to prove
this compliance to ensure that the
business is not subject to an
uncontrolled risk.
Cloud computing allows
enterprises to achieve greater
business efficiencies and can lower
the barriers to entry to new markets.
But with new paradigms come new
risks which may not be well
understood. This uncertainty is
constraining adoption, as Figure 1
shows. Canopy’s Cloud Risk
Identification Matrix allows
enterprises to identify, segment and
score risks so they can develop cloud
risk profiles for different workloads.
Cloud providers typically
respond to enterprise concerns by
demonstrating how well their
solutions are protected and data
centers secured, publishing up-time
statistics and displaying compliance
certificates. However, just as many
enterprises overstate the risks of a
cloud solution, at the other end of
the scale some fail to do adequate
due diligence and may be too
accepting of vendor assurances
about the risks of their cloud
solutions, taking a vendor's technical
security assessment on trust. The
true story is more complex. In
reality, the risks are neither wholly
the responsibility of the vendors nor
mostly technical.
Risk Identification
Risks differ in type and origin, but
regardless of the cloud delivery
model (private, public, hybrid, etc.),
there are five sources of risk:
1. Users
2. Enterprise
3. Network Provider
4. Cloud Provider
5. Environment
There are many different definitions
of cloud risk - Gartner, Forrester
and Wikipedia each have their own,
which look at different attributes. Based on
these definitions and Canopy’s
experience, Canopy segments risk
according to three key defining
questions:
1. Which risks may jeopardize
service availability?
(Availability)
2. Which risks may jeopardize
data integrity and
confidentiality? (Integrity &
Confidentiality)
3. Which risks may jeopardize
compliance to in-house and
external policies, rules and
regulations and auditability?
(Compliance & Auditing)
Both the origin of risk and the
type of risk define the Cloud Risk
Identification Matrix. An enterprise
needs to score the risks per
application or workload and possibly
even per cloud vendor as different
vendors may imply different risks.
Whether a risk is high or low is
determined by three factors:
1. The likelihood of an event
2. The size of impact if that
event happens
3. The ease with which such an
event can be mitigated
[Figure 1: Barriers restricting cloud adoption in enterprises (European Commission, IDC 2012). Bar chart of the share of respondents answering very/completely, on a 0% to 40% axis, for Legal Jurisdiction, Security & Data Protection, Trust, Data Access & Portability, Data Location, Local Support, Change Control, Ownership of Customization, Evaluation of Usefulness, Slow Internet Connection, Local Language and Tax Incentives; values range from 17.0% to 31.7%.]
The combined risks in the
Cloud Risk Identification Matrix
define a risk profile for a specific
workload which needs to match the
risk appetite for that workload. For
instance, the required risk profile for
an internal training delivery system
is likely to be different from that of a
financial transaction processing
system. An example of a risk profile
of a specific workload in an
enterprise is shown below.
Typically, the risks with high
frequency and easy mitigation have
low impact. This means that the
overall risk score is low. Many of
the more technical risks, such as
performance issues at the provider,
fall into this category. On the other
hand, catastrophic, environmental
risks may happen infrequently but
can have a severe impact and can be
difficult to mitigate.
One problem with risk scoring
is that while the impact can be
determined accurately, the frequency
cannot. Another is that mitigation
may exist but may be neglected,
which unintentionally increases the
actual risk profile.
Clearly cloud security is not just
about technology - it is also about
governance in a diversified business
environment. Identifying the
different risks in this complex
environment will allow a more
accurate assessment of the total risk
and ensure mitigations that might
otherwise be overlooked. This may
in turn lead to different choices on
the path to cloud computing.
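One way to turn the scoring described above into a repeatable check, as an added example that is not part of the original paper or Canopy's own method. The 1-3 scales, the multiplication formula, the Low/Medium/High cut-offs and the sample workload with its risk appetite are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Risk origins and types as named in the Cloud Risk Identification Matrix.
ORIGINS = ("User", "Enterprise", "Network Provider", "Cloud Provider", "Environment")
TYPES = ("Availability", "Integrity & Confidentiality", "Compliance & Auditing")
LEVELS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class Factors:
    """The three factors the paper names, each on an assumed 1-3 scale."""
    likelihood: int             # 1 = rare, 3 = frequent
    impact: int                 # 1 = minor, 3 = severe
    mitigation_difficulty: int  # 1 = easy to mitigate, 3 = hard
    mitigation_in_place: bool = True  # False = mitigation exists but is neglected


def level(f: Factors) -> str:
    """Combine the factors into Low/Medium/High (assumed formula and cut-offs)."""
    for v in (f.likelihood, f.impact, f.mitigation_difficulty):
        if v not in (1, 2, 3):
            raise ValueError("factors must be 1, 2 or 3")
    # A neglected mitigation gives no protection, so score it as the hardest case.
    difficulty = f.mitigation_difficulty if f.mitigation_in_place else 3
    score = f.likelihood * f.impact * difficulty  # range 1..27
    if score <= 4:
        return "Low"
    return "Medium" if score <= 12 else "High"


def risk_profile(cells: dict) -> dict:
    """Score every (origin, type) cell; an unscored cell is an error, not 'Low'."""
    missing = [(o, t) for o in ORIGINS for t in TYPES if (o, t) not in cells]
    if missing:
        raise KeyError(f"unscored cells: {missing}")
    return {key: level(f) for key, f in cells.items()}


def exceeds_appetite(profile: dict, appetite: dict) -> list:
    """Return the cells whose level is above the workload's appetite per type."""
    return sorted(
        (origin, rtype, lvl)
        for (origin, rtype), lvl in profile.items()
        if LEVELS.index(lvl) > LEVELS.index(appetite[rtype])
    )


# Constructed sample: an internal training delivery system.
DEFAULT = Factors(likelihood=2, impact=1, mitigation_difficulty=1)  # scores Low
TRAINING = {(o, t): DEFAULT for o in ORIGINS for t in TYPES}
# Frequent, low impact, easy to mitigate (e.g. provider performance issues).
TRAINING[("Cloud Provider", "Availability")] = Factors(3, 1, 1)
# Infrequent, severe, hard to mitigate (natural or political events).
TRAINING[("Environment", "Availability")] = Factors(1, 3, 3)
# Lost device: an easy mitigation exists but has not been implemented.
TRAINING[("User", "Integrity & Confidentiality")] = Factors(
    2, 3, 1, mitigation_in_place=False)

APPETITE = {"Availability": "Medium", "Integrity & Confidentiality": "Low",
            "Compliance & Auditing": "Low"}
```

Calling `exceeds_appetite(risk_profile(TRAINING), APPETITE)` lists the cells that need a mitigation plan before this workload moves; here only the neglected device control is flagged.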
User risks
Users are more mobile and often
employ a variety of devices for
access. In many cases these devices
are either privately owned (Bring
Your Own Device, BYOD) or subject
to limited control by the enterprise
(such as smartphones or tablets). A
risk is the proliferation of data on
devices beyond the control of the
enterprise. If a device is lost, stolen
or discarded, its data may still be
accessible. This data does not
necessarily need to be structured
data; it could well be a file
containing sensitive information. In
fact, the most common applications -
email and Excel - may also pose the
highest risk as both applications are
used heavily to distribute sensitive
data beyond the control of an
enterprise.
Information management
should go beyond enterprise
applications with structured data. If
data is stored on a user device,
enterprises must implement proper
controls to ensure the data is
secured.
Enterprise risks
Most enterprises regard the
infrastructure within their premises
as more secure than the (public)
cloud. But in reality, enterprises
seldom operate industrial-grade data
centers similar to those of large-
scale cloud providers, which are
highly secure in terms of procedure
and control. A data center’s Power
Usage Effectiveness (PUE) assesses
how efficiently a data center uses
energy - the lower the PUE the
better, with a PUE of 1.0 being
ideal. Most enterprise data centers
operate at a level of 2.0 or higher,
whereas Google’s PUE, for example,
is 1.14. Efficiency can only be
achieved by scaling up to an
industrial level with robust
processes and control. Apart from
being cheaper and greener, large
cloud providers are also likely to
operate more comprehensive
security procedures, resulting in less
operational risk.
Other key risks may well also be
reduced by moving to the cloud. For
example, internal events are often
under-reported because they are
resolved through informal networks
of employees, so the enterprise has
an inaccurate picture of its current
exposure to risk. Moving to the
cloud eliminates this as cloud
providers have stringent security
processes where all events are logged.
Another critical area of concern is
enterprise identity and access
management (IAM), an area any
enterprise considering a move to the
cloud needs to take seriously.
Typically, enterprises use software
such as Microsoft Active Directory
(AD) to control access and register
users. It’s not uncommon for 10-20%
of registered identities to be
“ghosts” as staff leave or access is
revoked. Without good IAM
governance processes, an enterprise
will have an incomplete picture of
its IAM status, which contributes to
risk. This is critical because, while a
generic report on the technical
security of a cloud provider may
demonstrate excellent technology
and processes, a move to that cloud
provider may still result in lower
security levels for some enterprises,
depending on the state of their IAM
governance processes. To avoid this,
a thorough and comprehensive
assessment of different sources of
risk must be undertaken before
making a migration decision.
Cloud Risk Identification Matrix

                                   Type of Risk
Risk Origin                        Availability   Integrity & Confidentiality   Compliance & Auditing
User                               Low            Medium                        Low
Enterprise                         High           Medium                        Medium
Network Provider                   Medium         Medium                        Low
Cloud Provider                     High           Low                           Low
Environment (natural, political)   Medium         Low                           Low

Network provider risks
Cloud services may significantly
change network topology and
bandwidth requirements. While
network availability is ubiquitous in
some countries, in others it is not.
some countries, in others it is not.
There may be two “legs” of network
connections: between the cloud
provider and the enterprise, and
between a cloud provider and a user.
The first leg is more or less static and
can be controlled; the second is mostly
dynamic and therefore difficult to
control. If users are spread across
different regions, it may be a challenge
to control the quality of service,
which can compromise the
"Availability" component of the Cloud
Risk Identification Matrix. For
example, when a Mediterranean
submarine cable was cut near
Alexandria in 2012 it caused severe
internet outages and disruption in the
Middle East, India and Pakistan.
In addition, a user may also be
prone to session hijacks, such as “Man
in the Middle” (MitM) attacks on Wi-Fi
connections. Providers typically
counter this risk by providing some
form of encryption of the
communication session, such as SSL.
But these security measures can be
breached, and for enterprises and even
cloud providers it can be difficult to
identify, qualify and quantify such risks.
Internet censorship may also cause
disruption, again a risk that is difficult to
qualify and quantify. Nevertheless, it
and other such risks should be accounted for
under data integrity and confidentiality
in the Cloud Risk Identification Matrix.
When designing and
implementing a solution, there should
always be a thorough assessment of
network topology, quality of service
and risks. Indeed, it should be
scheduled on a regular basis as it forms
one of the building blocks of good
governance for enterprise architecture.
Cloud provider risks
Enterprises often focus extensively on
the risks of cloud providers when they
choose a vendor. Many risks are related
to the operations of the provider and
are part of their service level
agreement (SLA). But in reality these
risks are small compared with those
that would exist if the services were
provided by the enterprise. Other risks,
such as the continued existence of the
provider itself, may be small, but could
have an impact that is difficult to
mitigate. What happens if a provider
defaults financially and service is
discontinued? The market is currently
so fragmented that we can expect some
providers to fail, and consolidation
to occur, as it matures.
The risks of consolidation or
bankruptcy among service providers
are difficult to identify and it is hard to
predict their timing and (expected)
frequency. Obviously, scale is important
and large providers such as Microsoft,
Google and Amazon are less likely to
fail than small niche cloud providers.
This risk should either be a selection
criterion or risk mitigation scenarios
should be available.
Another common misconception is
that operational risks can be solved
through SLAs. An SLA is a contractual
or financial incentive for the provider
to prevent the occurrence of an event.
The event and the impact can be well
understood, but the expected
occurrence can hardly ever be reliably
determined.
SLAs can impose an incentive on
the provider to manage frequent, but
low impact events. They cannot help
prevent low frequency, high impact
events. In fact, many small, start-up
cloud providers may neglect such low
frequency, high impact events because
they operate with a different appetite
for risk. For instance, a cloud provider
may have server redundancy in its
infrastructure within one data center,
but may not have a mirrored
infrastructure at hot stand-by available
for disaster recovery.
At the other end of the risk
spectrum, a cloud provider may offer
protection from risks so extreme that
they are inconsequential. For example,
a data center in Finland was built in a
former military nuclear bunker
complex and marketed its
infrastructure as nuclear-bomb proof.
Not many businesses care about the
risk of such an event.
Environmental risks
While many risks can be controlled or
mitigated, there remains a group that
cannot; they are political or caused by
natural disasters.
Political risk comes in all shapes
and sizes, from dictatorial to legislative.
For example, when the Chinese
government blocked Google in
November 2012, many enterprise users
with Google Docs were denied service.
Yet to be resolved, and clearly a
potential risk, is the lack of clarity
concerning the impact of the US
Patriot Act on data privacy. While the
United States demands that its security
agencies have access to corporate data,
even overseas, the European Union
forbids such access. Enterprises could
find themselves caught in the middle,
in a very uncomfortable position.
Example:
Email is probably amongst the most business critical and widely used
enterprise applications. Many processes and management controls will
simply cease to exist without email. Email, or more broadly
“business productivity tools”, has been an early adopter of cloud.
Microsoft and Google compete fiercely in this market.
A large, global enterprise adopted Google Apps for business productivity
(such as Gmail). It was cheaper and more secure than what it could achieve
in-house. What it did not realize is that by adopting Google Apps, it
became exposed to risks outside the control of both the enterprise and Google.
In 2012, during the Chinese Party Congress, the Chinese government shut
down all access to Google services to prevent any possible political unrest.
As a result, the enterprise using Gmail was shut off too, which caused
significant disruption of its Chinese operations. The enterprise could have
prevented or limited the impact if it had identified this risk and planned a
mitigation.
Natural disasters can also affect
service availability, mostly due to
internet or power outages. The 2011
tsunami in Japan and the subsequent
failure of the Fukushima nuclear
energy plants resulted in a severe
shortage of power, while Hurricane
Sandy in 2012 in the US showed that
natural disasters can disrupt services
in highly developed areas, and with
some regularity.
These events cannot be
controlled. An enterprise can only
ensure it has adequate disaster
recovery procedures for those services
that require high availability.
Governance of risks
The risks of cloud are diverse and
broad. But the process of managing
those risks does not fundamentally
differ from general risk management.
When considering risk mitigation
strategies, the options are:
1. Avoid - prevent it from
happening
2. Reduce - actively plan and
manage to limit occurrence and
severity
3. Outsource - hand over to other
parties such as the provider
4. Accept - because the cost of
mitigation outweighs the risk
itself or simply because you
cannot control it.
The risk strategies of all risks
combined and for all cloud solutions
determine the risk profile of cloud
for an enterprise. The framework
below illustrates one approach to
managing cloud risks. Such a process
may have various permutations as
risks are driven by demand (business
process needs, cultural and people
needs) and by supply (IT
infrastructure, IT management and
organization). The effectiveness of
risk management is determined by
the balance between supply and
demand.
Although the risk management
and governance frameworks are not
fundamentally different, cloud will
affect how risk management is
implemented. The experiences of
employees with consumer IT have
increased the demand for usability,
flexibility and agility at lower cost, and
the informal use of cloud applications
in the enterprise is proof of this.
Meanwhile, risk management has
become more complex because many
risks that were internal may now have
external implications, such as
insufficient identity and access
management. Because many services
that were previously in-house and on-
premise are now provided by a cloud
vendor, possibly on an informal basis,
control over those risks has become
indirect. Demand has grown while the
complexity of supply has changed.
Cloud computing has therefore led to a
need for a new balance of demand and
supply of risk management.
A rigid risk governance
framework is not sufficient to meet this
new model. If an enterprise has very
restrictive security measures in place,
users may revert to informal cloud use.
Although an enterprise may have a
tightly implemented risk governance
framework, the realities of cloud may
still increase risk.
[Figure 2: Risk Management demand & supply model]
[Figure 3: Risk Management maturity model]
Should enterprises embrace cloud?
As with any shift to a new model, there
are uncertainties that need to be
resolved. The business economics,
rationale and user experiences are so
compelling that the transformation into
the cloud paradigm will happen
regardless of enterprise policy.
Informal use of public cloud in the
enterprise is probably far more
widespread than is visible to IT.
Restricting rather than facilitating
cloud computing will not lead to more
security and may lead to inflexibility
and competitive disadvantage.
An appropriate response is a
proactive one, in which a clear
migration roadmap that includes a
robust security plan is defined
and managed across IT. Such a policy
starts with an honest look at the current risk
of legacy, on-premise infrastructure.
The alternative is a reactive response
to demands that will only result in
crisis management or repression.
Summary
Canopy’s assessment of risks associated with the use of cloud computing in the enterprise provides
us with three important lessons:
1) Cloud is not necessarily less secure. Many cloud providers offer better security than
enterprises could manage internally, due to better scale and focus. There are, however,
new risks to consider.
2) Risk management in enterprises does not necessarily require a different framework, but
an enterprise must ensure that supply and demand are balanced. Enterprises must also
ensure that the maturity is sufficient and adjusted to cloud.
3) If enterprises do not embrace cloud, informal IT will increase, and with this comes
unmanaged risk. A reactive approach will not only increase risk, but also will exclude
many business opportunities that cloud may bring.
The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk of
missed benefits. Don’t fear the cloud; embrace it.