• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Cloud risks; Are we looking in the right direction?

Cloud risks; Are we looking in the right direction?



The perceived risks associated with cloud are a major barrier to adoption for ...

The perceived risks associated with cloud are a major barrier to adoption for
enterprises considering cloud computing. But when they consider the risks, most
simply look at the security risks within the cloud provider. However, many other,
possibly more relevant risks also need to be assessed and managed, including
enterprise, political and environmental, for which Canopy has developed a Cloud
Risk Identification Matrix. This matrix helps an enterprise to identify and score
risks so it can plan its path to the cloud more effectively. The message is clear. The
risks of failing to plan for cloud computing are real. And so is the risk of missed
benefits. Don’t fear the cloud; embrace it.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Cloud risks; Are we looking in the right direction? Cloud risks; Are we looking in the right direction? Document Transcript

    • 1Cloud Risks - Are we looking in theright direction?By Reinout Schotman, Abbas Shahim and Ahmed MitwalliRisks of cloudcomputing arecomplex and diverse.With properidentification andmanagement of thoserisks, cloudcomputing can bemore secure than onpremise.May2013Executive SummaryThe perceived risks associated with cloud are a major barrier to adoption forenterprises considering cloud computing. But when they consider the risks, mostsimply look at the security risks within the cloud provider. However, many other,possibly more relevant risks also need to be assessed and managed, includingenterprise, political and environmental, for which Canopy has developed a CloudRisk Identification Matrix. This matrix helps an enterprise to identify and scorerisks so it can plan its path to the cloud more effectively. The message is clear. Therisks of failing to plan for cloud computing are real. And so is the risk of missedbenefits. Don’t fear the cloud; embrace it.
    • 2The risks associated with the cloudare a top concern for enterprisesconsidering cloud computing, withsecurity uppermost thanks to thecommon assumption that a cloudsolution is inherently less securethan a traditional one. It’s an issue towhich cloud vendors respond byreassuring enterprises of thestringent security aspects of theirsolutions, but this sidesteps a muchbroader assessment of risk. Thisview of the cloud is too limited:while enterprises and vendors focustheir attention on technical securityrisks, other, potentially bigger riskseither remain unidentified or receiveinsufficient attention.Cloud computing can be secure -sometimes more secure than anenterprise can achieve on its own.But if an enterprise is to achieveacceptable levels of risk that allow itto migrate to the cloud, it must use astructured approach to identifying,assessing and mitigating risks aswell as adopt a governance structurethat enables it to manage riskeffectively. Enterprises must alsoretain their legal and regulatorycompliance as they move to a cloudmodel, and must be able to provethis compliance to ensure that thebusiness is not subject to anuncontrolled risk.Cloud computing allowsenterprises to achieve greaterbusiness efficiencies and can lowerthe barriers to entry to new markets.But with new paradigms come newrisks which may not be wellunderstood. This uncertainty isconstraining adoption, as Figure 1shows. Canopy’s Cloud RiskIdentification Matrix allowsenterprises to identify, segment andscore risks so they can develop cloudrisk profiles for different workloads.Cloud providers typicallyrespond to enterprise concerns bydemonstrating how well theirsolutions are protected and datacenters secured, publishing up-timestatistics and displaying compliancecertificates. However, just as manyenterprises overstate the risks of acloud solution, at the other end ofthe scale, some fail to do adequatedue diligence and may be tooaccepting of vendor assurancesabout the risks of their cloudsolutions taking a vendor technicalsecurity assessment on trust. Thetrue story is more complex. Inreality, all risks are neither whollythe responsibility of the vendors norare they mostly technical.Risk IdentificationRisks differ in type and origin, butregardless of the cloud deliverymodel (private, public, hybrid, etc),there are five sources of risk:1. Users2. Enterprise3. Network Provider4. Cloud Provider5. EnvironmentThere are many different definitionsof cloud risk - Gartner, Forrester,Wikipedia, each has their own thatlook at different attributes. Based onthese definitions and Canopy’sexperience, Canopy segments riskaccording to three key definingquestions:1. Which risks may jeopardizeservice availability?(Availability)2. Which risks may jeopardizedata integrity andconfidentiality? (Integrity &Confidentiality)3. Which risks may jeopardizecompliance to in-house andexternal policies, rules andregulations and auditability?(Compliance & Auditing)Both the origin of risk and thetype of risk define the Cloud RiskIdentification Matrix. An enterpriseneeds to score the risks perapplication or workload and possiblyeven per cloud vendor as differentvendors may imply different risks.Whether a risk is high or low isdetermined by three factors:1. The likelihood of an event2. The size of impact if thatevent happens3. The ease by which such anevent can be mitigatedThe combined risks in theCloud Risk Identification Matrixdefine a risk profile for a specificworkload which needs to match therisk appetite for that workload. Forinstance, the required risk profile foran internal training delivery systemis likely to be different from that of aFigure 1: Barriers restricting cloud adoption in enterprises (EuropeanCommission, IDC 2012)Legal JurisdictionSecurity & Data ProtectionTrustData Access & PortabilityData LocationLocal SupportChange ControlOwnership of CustomizationEvaluation of UsefulnessSlow Internet ConnectionLocal LanguageTax Incentives0% 10% 20% 30% 40%17,0%17,9%18,0%18,2%21,4%22,4%22,8%23,8%24,9%25,1%30,5%31,7%Respondents answering very/completely
    • 3financial transaction processingsystem. An example of a risk profileof a specific workload in anenterprise is shown below.Typically, the risks with highfrequency and easy mitigation havelow impact. This means that theoverall risk score is low. Many ofthe more technical risks, such asperformance issues at the provider,fall into this category. On the otherhand, catastrophic, environmentalrisks may happen infrequently butcan have a severe impact and can bedifficult to mitigate.One problem with risk scoringis that while the impact can bedetermined accurately, the frequencycannot. Another is that mitigationmay exist but may be neglected,which unintentionally increases theactual risk profile.Clearly cloud security is not justabout technology - it is also aboutgovernance in a diversified businessenvironment. Identifying thedifferent risks in this complexenvironment will allow a moreaccurate assessment of the total riskand ensure mitigations that mightotherwise be overlooked. This mayin turn lead to different choices onthe path to cloud computing.User risksUsers are more mobile and oftenemploy a variety of devices foraccess. In many cases these devicesare either privately owned (BringYour Own Device, BYOD) or subjectto limited control by the enterprise(such as smartphones or tablets). Arisk is the proliferation of data ondevices beyond the control of theenterprise. If a device is lost, stolenor discarded, its data may still beaccessible. This data does notnecessarily need to be structureddata; it could well be a filecontaining sensitive information. Infact, the most common applications -email and Excel - may also pose thehighest risk as both applications areused heavily to distribute sensitivedata beyond the control of anenterprise.Information managementshould go beyond enterpriseapplications with structured data. Ifdata is stored on a user device,enterprises must implement propercontrols to ensure the data issecured.Enterprise risksMost enterprises regard theinfrastructure within their premisesas more secure than the (public)cloud. But in reality, enterprisesseldom operate industrial-grade datacenters similar to those of large-scale cloud providers, which arehighly secure in terms of procedureand control. A data center’s PowerUsage Effectiveness (PUE) assesseshow efficiently a data center usesenergy - the lower the PUE thebetter, with a PUE of 1.0 beingideal. Most enterprise data centersoperate at a level of 2.0 or higher,whereas Google’s PUE, for example,is 1.14. Efficiency can only beachieved by scaling up to anindustrial level with robustprocesses and control. Apart frombeing cheaper and greener, largecloud providers are also likely tooperate more comprehensivesecurity procedures, resulting in lessoperational risk.Other key risks may well also bereduced by moving to the cloud. Forexample, internal events are oftenunder-reported because they areresolved through informal networksof employees, so the enterprise hasan inaccurate picture of its currentexposure to risk. Moving to thecloud eliminates this as cloudproviders have stringent securityprocesses where all events are logged.Another critical area of concern isenterprise identity and accessmanagement (IAM), an area anyenterprise considering a move to thecloud needs to take seriously.Typically, enterprises use softwaresuch as Microsoft Active Directory(AD) to control access and registerusers. It’s not uncommon for 10-20%of registered identities to be“ghosts” as staff leave or access isrevoked. Without good IAMgovernance processes, an enterprisewill have an incomplete picture ofits IAM status, which contributes torisk. This is critical as while ageneric report on the technicalsecurity of a cloud provider maydemonstrate excellent technologyand processes, a move to that cloudprovider may still result in lowersecurity levels for some enterprisesdepending on the state of their IAMgovernance processes. To avoid this,a thorough and comprehensiveassessment of different sources ofrisk must be undertaken beforemaking a migration decision.Network provider risksCloud services may significantlychange network topology andbandwidth requirements. WhileCloud RiskIdentification MatrixCloud RiskIdentification MatrixType of RiskType of RiskType of RiskCloud RiskIdentification MatrixCloud RiskIdentification MatrixAvailabilityIntegrity &ConfidentialityCompliance &AuditingRiskOriginUser Low Medium LowRiskOriginEnterprise High Medium MediumRiskOriginNetworkProviderMedium Medium LowRiskOrigin CloudProviderHigh Low LowRiskOriginEnvironment(natural,political)Medium Low Low
    • 4network availability is ubiquitous insome countries, in others it is not.There may be two “legs” of networkconnections: between the cloudprovider and the enterprise, andbetween a cloud provider and a user.The first leg is more or less static andcan be controlled; the second is mostlydynamic and therefore difficult tocontrol. If the user is spread acrossdifferent regions, it may be a challengeto control the quality of service,which can compromise the"Availability" component of the CloudRisk Identification Matrix. Forexample, when a Mediterraneansubmarine cable was cut nearAlexandria in 2012 it caused severeinternet outages and disruption in theMiddle East, India and Pakistan.In addition, a user may also beprone to session hijacks, such as “Manin the Middle” (MitM) attacks on wificonnections. Providers typicallycounter this risk by providing someform of encryption of thecommunication session, such as SSL.But these security measures can bebreached and for enterprises and evencloud providers it can be difficult toidentify, qualify and quantify such risks.Internet censorship may also causedisruption, again a risk difficult toqualify and quantify. Nevertheless, itand others should be accounted forunder data integrity and confidentialityin the Cloud Risk Identification Matrix.When designing andimplementing a solution, there shouldalways be a thorough assessment ofnetwork topology, quality of serviceand risks. Indeed, it should bescheduled on a regular basis as it formsone of the building blocks of goodgovernance for enterprise architecture.Cloud provider risksEnterprises often focus extensively onthe risks of cloud providers when theychoose a vendor. Many risks are relatedto the operations of the provider andare part of their service levelagreement (SLA). But in reality theserisks are small compared with thosethat would exist if the services wereprovided by the enterprise. Other risks,such as the continued existence of theprovider itself, may be small, but couldhave an impact that is difficult tomitigate. What happens if a providerdefaults financially and service isdiscontinued? The market is currentlyso fragmented that we can expect someproviders to fail as well asconsolidation as it matures.The risks of consolidation orbankruptcy among service providersare difficult to identify and it is hard topredict their timing and (expected)frequency. Obviously, scale is importantand large providers such as Microsoft,Google and Amazon, are less likely tofail than small niche cloud providers.This risk should either be a selectioncriterion or risk mitigation scenariosshould be available.Another common misconception isthat operational risks can be solvedthrough SLAs. An SLA is a contractualor financial incentive for the providerto prevent the occurrence of an event.The event and the impact can be wellunderstood, but the expectedoccurrence can hardly ever be reliablydetermined.SLAs can impose an incentive onthe provider to manage frequent, butlow impact events. They cannot helpprevent low frequency, high impactevents. In fact, many small, start-upcloud providers may neglect such lowfrequency, high impact events becausethey operate with a different appetitefor risk. For instance, a cloud providermay have server redundancy in itsinfrastructure within one data center,but may not have a mirroredinfrastructure at hot stand-by availablefor disaster recovery.At the other end of the riskspectrum, a cloud provider may offerprotection from risks so extreme thatthey are inconsequential. For example,a data center in Finland was built in aformer military nuclear bunkercomplex and marketed itsinfrastructure as nuclear-bomb proof.Not many businesses care about therisk of such an event.Environmental risksWhile many risks can be controlled ormitigated, there remains a group thatcannot; they are political or caused bynatural disasters.Political risk comes in all shapesand sizes, from dictatorial to legislative.For example, when the Chinesegovernment blocked Google inNovember 2012, many enterprise userswith Google Docs were denied service.Yet to be resolved, and clearly apotential risk, is the lack of clarityconcerning the impact of the USPatriot Act on data privacy. While theUnited States demands that its securityExample:Email is probably amongst the most business critical and widely usedenterprise applications. Many processes and management control willsimply cease to exist without email. Email, or more widely grouped as“business productivity tools” have been an early adopter of cloud.Microsoft and Google compete fiercely on this market.A large, global enterprise adopted Google Apps for business productivity(such as Gmail). It was cheaper and more secure than what it could achievein-house. What it did not realize is that by adopting Google Apps, itbecame exposed to risks out of control of both the enterprise and Google.In 2012, during the Chinese Party Congress, the Chinese government shutdown all access to Google services to prevent any possible political unrest.As a result, the enterprises using Gmail was shut off too, which causedsignificant disruption of its Chinese operations. The enterprise could haveprevented or limited the impact if it had identified this risk and planned amitigation.
    • 5agencies have access to corporate data,even overseas, the European Unionforbids such access. Enterprises couldfind themselves caught in the middle,in a very uncomfortable position.Natural disasters can also affectservice availability, mostly due tointernet or power outages. The 2011tsunami in Japan and the subsequentfailure of the Fukushima nuclearenergy plants resulted in a severeshortage of power, while HurricaneSandy in 2012 in the US showed thatnatural disasters can disrupt servicesin highly developed areas, and withsome regularity.These events cannot becontrolled. An enterprise can onlyensure it has adequate disasterrecovery procedures for those servicesthat require high availability.Governance of risksThe risks of cloud are diverse andbroad. But the process of managingthose risks does not fundamentallydiffer from general risk management.When considering risk mitigationstrategies, the options are:1. Avoid - prevent it fromhappening2. Reduce - actively plan andmanage to limit occurrence andseverity3. Outsource - hand over to otherparties such as the provider4. Accept - because the cost ofmitigation outweighs the riskitself or simply because youcannot control it.The risk strategies of all riskscombined and for all cloud solutionsdetermine the risk profile of cloudfor an enterprise. The frameworkbelow illustrates one approach tomanaging cloud risks. Such a processmay have various permutations asrisks are driven by demand (businessprocess needs, cultural and peopleneeds) and by supply (ITinfrastructure, IT management andorganization). The effectiveness ofrisk management is determined bythe balance between supply anddemand.Although the risk managementand governance frameworks are notfundamentally different, cloud willaffect how risk management isimplemented. The experiences ofemployees with consumer IT hasincreased the demand for usability,flexibility and agility at lower cost andthe informal use of cloud applicationsin enterprise is proof of this.Meanwhile, risk management hasbecome more complex because manyrisks that were internal may now haveexternal implications, such asinsufficient identity and accessmanagement. Because many servicesthat were previously in-house and on-premise are now provided by a cloudvendor, possibly on an informal basis,control over those risks has becomeindirect. Demand has grown while thecomplexity of supply has changed.Cloud computing has therefore led to aneed for a new balance of demand andsupply of risk management.A rigid risk governanceframework is not sufficient to meet thisnew model. If an enterprise has veryrestrictive security measures in place,users may revert to informal cloud use.Although an enterprise may have atightly implemented risk governanceframework, the realities of cloud maystill increase risk.Should enterprises embrace cloud?Figure 2: Risk Management demand & supply modelFigure 3: Risk Management maturity model
    • 6As with any shift to a new model, thereare uncertainties that need to beresolved. The business economics,rationale and user experiences are socompelling that the transformation intothe cloud paradigm will happenregardless of enterprise policy.Informal use of public cloud in theenterprise is probably far morewidespread than is visible to IT.Restricting rather than facilitatingcloud computing will not lead to moresecurity and may lead to inflexibilityand competitive disadvantage.An appropriate response is aproactive one in which a clearmigration roadmap which includes aclear and robust security plan is definedand managed across IT. Such a policystarts with a honest look at current riskof legacy, on-premise infrastructure.The alternative is a reactive responseto demands that will only result incrisis management or repression.SummaryCanopy’s assessment of risks associated with the use of cloud computing in the enterprise providesus with three important lessons:1) Cloud is not necessarily less secure. Many cloud providers offer better security thanenterprises could manage internally, due to better scale and focus. There are, however,new risks to consider.2) Risk management in enterprises does not necessarily require a different framework, butan enterprise must ensure that supply and demand are balanced. Enterprises must alsoensure that the maturity is sufficient and adjusted to cloud.3) If enterprises do not embrace cloud, informal IT will increase, and with this comesunmanaged risk. A reactive approach will not only increase risk, but also will excludemany business opportunities that cloud may bring.The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk ofmissed benefits. Don’t fear the cloud; embrace it.
    • 7Copyright © 2013 Canopy Cloud LtdCanopy - The Open Cloud Companyand its logo are trademarks ofCanopy Cloud Ltd.All rights reserved.About Canopy CloudCanopy (www.canopy-cloud.com) is aone-stop-cloud-shop for enterprises.It provides strategic consultancy;development, migration and testenvironments; secure on- and off-premise private cloud implementation;and access to a growing eco-system ofbusiness solutions and processesthrough a SaaS EnterpriseApplication Store. Canopy is anindependent company, founded byAtos, EMC and VMware.Headquartered in London, Canopy isglobal in scope, with consultancyteams operating across Europe, NorthAmerica and Asia Pacific. CanopyConsulting is a trusted cloudcomputing advisor to leading privateand public sector organizationsaround the world. Staffed almostexclusively with professionals trainedat tier one strategic advisory firms,we focus on helping senior executivesachieve business objectives byleveraging cloud technologies.About the AuthorsReinout Schotman is Associate Partnerat Canopy Cloud - Consulting andleader in the field of cloud computing.Prior to joining Canopy Cloud in 2013,Reinout worked at Accenture andseveral international telecom firms.Reinout holds a MSc in Applied Physicsof Delft University of Technology.Abbas Shahim is Partner at AtosConsulting and the Global Lead ofInformation Security and RiskManagement. He is also AssociateProfessor at the VU UniversityAmsterdam and the Vice President ofInformation Systems Audit and ControlAssociation (ISACA) chapter in theNetherlands.Ahmed Mitwalli is Managing Partner,Canopy Cloud - Consulting. Prior toCanopy, he was with McKinsey &Company for 12 years where he was aPartner and a leader in the BusinessTechnology Office. He has a PhD inElectrical Engineering and ComputerScience from MIT, and is a holder offive US technology patents.For more information on how CanopyCloud helps organizations to benefitfrom the cloud, please contact:Reinout Schotmanreinout.schotman@atos.net+31 6 11 14 19 16Abbas Shahimabbas.shahim@atos.net+31 6 5384 9789Ahmed Mitwalliahmed.mitwalli@atos.net+1 917 982 5435