Conclusion: Cloud computing has multiple dimensions that must be considered when analysing risk. The use of four key variables can rapidly identify the expected level of risk in a cloud computing scenario. These four variables – deployment model, geographic location of data, supplier arrangements and information criticality – can be quickly applied to assess the level of risk and determine a suitable mitigation strategy.
Observations: Cloud computing has long been obscured by media hype and vendor exaggeration. The reality is that cloud computing is many-faceted and its suitability must be considered in the context of the particular circumstances where it might be applied.
The commonly accepted definition for cloud computing from the American National Institute of Standards and Technology identifies five essential characteristics, four deployment models and three service models that apply to cloud computing.
Essential characteristics: The essential characteristics of cloud computing are defined as: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service. These characteristics can be used to test whether a “cloud” service is truly a cloud offering or merely an existing service or product “passing off”.
Service models: The service models of cloud computing are defined as Infrastructure as a Service (IaaS); Platform as a Service (PaaS); and Software as a Service (SaaS). These service models describe the range of offerings available – whether low-level storage and compute (IaaS), application development and customisation (PaaS) or end-user applications (SaaS).
Deployment models: The four deployment models Private, Community, Public, and Hybrid describe the degree to which cloud computing facilities are held privately, shared with other interested parties, or accessed as a public utility.
Of these three components of the cloud computing definition, it is the deployment model that has the biggest impact on the level of possible risk. The deployment model introduces the organisational barriers which come with the attendant contractual issues of warranty and liability.
Key external risk factors in cloud computing: Along with the deployment model there are three other key factors that influence the level of risk in cloud computing. These are:
Geographic location: The use of cloud computing is greatly complicated by cross-jurisdictional issues. This boils down to whether the data will be transmitted or stored within a single nation or sovereign entity, or cross over into other legal jurisdictions, either nationally or internationally. Trans-border data flows are subject to legislative scrutiny through government and regulatory instruments such as the Privacy Act and the Australian Prudential Regulation Authority. The laws of countries outside Australia can also have an adverse impact on the security and privacy of data.
Information sensitivity and criticality: The sensitivity of information can range from publicly available material, through the personal details of individuals and commercially sensitive knowledge, to confidential or secret government information. The more sensitive the information, the greater the risk that is exposed in a cloud computing scenario.
The criticality of information is also important – is the availability of this information critical to the operation of core business processes? What would be the impact if this information was unavailable at any point in time? Public cloud computing introduces a critical dependence on the network connectivity between subscribers and providers. Internal network problems or local ISP outages will cause cloud services to be completely unavailable.
Supply arrangements: Cloud computing services can be delivered either directly, as internal facilities, or through the services of a third-party enterprise services partner. The use of such a third party requires contractual agreements which must effectively cover the complicated nature of cloud computing services. Issues such as promises, remedies, limitations and obligations must all be contractually treated in a watertight but workable manner.
The use of the following four variables allows a high-level risk matrix to be constructed that can be used to assess the level of risk for a particular cloud computing scenario:
This matrix identifies three levels of risk:
Low: Established business practice and low level of risk if normal due diligence is observed.
Medium: Acceptable business practice but heightened level of diligence required in managing risks.
High: Not common practice and extreme caution advised.
Treating cloud computing risks: The following steps are advised to mitigate the level of risk incurred in a cloud computing scenario.
Management: Ensure that entry and exit scenarios are explicitly defined and supported. Support for continuity of operations and visibility of compliance activities is critical. Service levels and more importantly remedies must be formally agreed.
Information governance: Ensure that data is openly accessible and can be transferred in bulk if need be. Ensure data confidentiality through appropriate separation or encryption where necessary. Data location should be disclosed – both at rest and in transit.
Security and reliability: Identity and access management must be thorough and apply at all levels – people, process, and technology. Physical security should be audited and compliance reports made available for inspection.
Applications and software: Standard development tools and technologies should be available. Application environments should support multi-user access and source control across the end-to-end code/build/test cycle. Configuration management of underlying application components and operating system resources must be clear to avoid surprise upgrades of dependent technology.
Use the risk matrix to identify the likely level of risk applicable to a cloud computing scenario.
Decide whether the risk can be mitigated, or whether cloud computing is not an option given the circumstances.
Apply appropriate risk mitigation strategies.