Cian Blackwell - Risk management and mitigation 2011

Published on: Irish Future Internet Forum Conference, 2011. Session 1
Published in: Business, Economy & Finance
  • In general, the agenda for the presentation is to dispel some of the myths associated with cloud computing hype. The presentation will cover how the risks of cloud computing are not as obvious as they seem—some risks get too much attention, some don't get enough—and will also cover some of the risks that can be mitigated by a move to cloud computing. Finally, we will cover some of the approaches to mitigating risk, including the risk management model, and certification.
  • Cloud computing has attracted a considerable amount of hype recently, and continues to do so. The Gartner Hype Cycle from 2010 shows "Cloud Computing" just beyond the "Peak of Inflated Expectations." Although positive hype is nothing unusual for new technologies, negative hype—specifically about the risks of cloud computing—is potentially more damaging and needs to be addressed.
  • Coverage in February 2010 of a Department of Finance memo warning public sector bodies not to purchase cloud computing services. Whilst this was really just good advice—don't embark on something new unless you have dealt with the issues—much of the coverage interpreted it as a dire warning of the risks of cloud computing.
  • Science fiction author Theodore Sturgeon originated what has since become known (in science fiction circles at least) as Sturgeon's Law. He found he was frequently defending the genre from people citing examples of trashy pulp sci-fi as "evidence" that 90% of science fiction—and thus the genre itself—was rubbish. His reply, in his own words, was that of course 90% of science fiction is "crud", because "90% of everything is crud". His point was that because science fiction is an easily identifiable genre of fiction, it's easy to 'tar it all with the same brush'. Likewise for cloud computing—an easily identifiable genre of technology—just because much of it is risky doesn't mean it should all be dismissed. There is nothing inherently risky about outsourcing critical processes—finance departments have been doing it for years, for example to shared service centres within or outside their own company. Just because the risks related to cloud computing are different to what we may be used to does not mean that they are worse.
  • We need to be aware of the appropriate perspective from which to view our risks—as a general rule, one person's risk is another person's opportunity. It's easy to work out the major risk from the cloud service provider's perspective—it's the commercial risk of not enough customers paying enough for your cloud services. We can take that for granted, and look at it from the customer's perspective, where in general terms, a risk is not just some theoretical "adverse event" but, in very real terms, anything that can adversely affect the achievement of the customer's business goals. Obviously the service provider needs to focus on the customer's perception of risk.
  • This is an example of what I call a "red herring" risk. Data protection is seen as being much riskier when you move beyond the perceived safety of the relatively strong legislative framework in the EU. Although it is indeed true that the EU (and a small number of other jurisdictions) have stronger data protection legislation than most of the rest of the world, the protection provided by legislation is largely illusory. Mitigating data protection risk is almost entirely a behavioural issue, with behavioural solutions (policies, procedures, training, communication, restricting potentially risky practices, etc). There are huge data protection issues in any jurisdiction, regardless of how good the legislation is.
  • The above are a number of examples of risks that increase when you move to a cloud environment. Most are self-explanatory; a few need more explanation. Contingency bandwidth is not the same as peak bandwidth—it means the bandwidth required in exceptional circumstances, such as re-uploading a month's worth of transactions to resolve a database corruption issue, or restoring your data from the cloud archiving solution you use. The migration point relates to the safeguards that should be in place if you decide to terminate your contract with a cloud service provider—do they make it easy to get the data back out again? As easy as it was when you were signing up? Forensic issues relate to whether you have sufficient access to the cloud systems in the event that you need to perform a forensic investigation. Regarding general security issues—the use of security testing (e.g. penetration tests) is a common control, but cloud service providers may be very reluctant to allow customers to attempt to hack their systems, requiring a rethink and a different approach. Unfortunately, not all of the above get the attention they deserve.
  • The often overlooked point is that there are some risks that are greater when you stick with a non-cloud "solution." Having your infrastructure and apps in-house, managed by your own team that only deals with your company means that you don't have the levels of objectivity, economies of scale and contractual guarantees that you should (although may not always) have with a cloud service provider.
  • There is no "one-size-fits-all" solution to managing risk—it all depends on your organisation. However, the approach to identifying, managing and mitigating risks should be consistent across an organisation. "Cloud risks" don't deserve special treatment; nor do "IT risks". A "risk" is either a risk to the achievement of the organisation's strategic objectives, or it isn't. The response should be commensurate with the magnitude of the risk, i.e. impact x likelihood.
  • The overall risk management cycle consists of three major steps:
    – Risks are identified.
    – Controls are put in place to mitigate the risks.
    – Auditing (internal, external, compliance reviews, security reviews, etc.) provides assurance that controls are working and risks are being mitigated.
    It's important to note that there must be a correlation between controls and risks. It doesn't have to be a 1:1 correlation—you can have a single control that mitigates multiple risks, or a single risk that requires multiple controls to mitigate it effectively. The crucial points are that:
    – Every risk must have control(s) that mitigate it effectively.
    – Every control must be there to mitigate specific risk(s)—otherwise it's a waste of resources.
    1. Risk management and mitigation
       Cian Blackwell
       Partner, Business Risk Services
       1 June 2011
       © 2010 Grant Thornton International. All rights reserved.
    2. Agenda and themes
       • focus on cloud computing
       • hype and renewed interest in risk
       • dispelling a few myths about risk and new technologies
       • back to fundamentals—a model for assessing and addressing risk
    3. Cloud computing hype
       • both positive and negative abounds
       • positive hype is nothing unusual
       • negative hype needs more attention....
    4. (no slide text)
    5. What is the truth about cloud computing risk?
       • much of what goes on in the cloud is risky....
       • ... much of everything is risky
       • cloud computing—or any form of outsourcing—is not inherently a bad idea
       • the risks with cloud computing are not inherently worse – they're just different
    6. Risk and opportunity….
       • "risk" only makes sense in the context of an organisation's objectives
       • risk can be seen as:
         – anything that adversely affects the achievement of an organisation's goals
       • opportunity can be seen as:
         – anything that positively affects the achievement of an organisation's goals
    7. But it's not all negative hype….
       • "…the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view."
       • "The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost effective"
         – Source: ENISA, Cloud computing: Benefits, risks and recommendations for information security
    8. How does cloud computing change the risks?
       • some risks have increased, and not always the ones you expect
         – for example, data protection risk is seen as significantly higher if the data is stored outside the EU
           • but even within the EU, and regardless of whether you use cloud computing, data protection risks are high
           • the risk is more closely linked to the nature of the data than the type of technologies used
    9. How does cloud computing change the risks?
       • some risks can increase, for example:
         – visibility and control of what's happening to your data
         – contractual risk, including SLAs and performance
         – bandwidth—especially "contingency bandwidth"
         – migration of data (out, rather than in....)
         – forensic considerations—incident response, e-discovery
         – general security issues—policies, standards, procedures—what about testing?
    10. How does cloud computing change the risks?
       • however, cloud computing can also reduce risk, for example:
         – increase in independence and segregation of duties
         – increased economies of scale for security investment
         – availability of specialised security expertise
         – existence of a contractual or SLA framework
    11. Managing risk (1)
       • risks are not the same for everyone—circumstances differ, priorities differ
       • however, the approach to addressing and mitigating risk needs to be standard
       • a consistent risk management process should be organisation-wide, not IT-specific
    12. Managing risk (2)
       • the risk management process...
       • controls need to match the risk—sufficient, but not excessive
       • auditing provides assurance the controls work—and identifies risk
       [Diagram: Risk – Control – Audit cycle]
    13. In summary
       • don't believe the hype—everything is risky
       • there are no default risks—every organisation has its own risk profile, and any change in technology changes the risks
       • a consistent approach to evaluating and addressing risk is essential—the approach is the same regardless of the risks
       • risk and opportunity go hand-in-hand