The rise of cloud computing brings many benefits to organizations seeking to refocus on key business goals, such as improving speed to market, boosting a competitive edge and reducing capital and/or operational expenditures.
Investing in cloud technologies such as software as a service (SaaS) or infrastructure as a service (IaaS) reduces the services typically needed from traditional in-house enterprise information technology departments. Services managed by other business units, such as training, human resources, payroll and healthcare management, are reduced as they are moved to the cloud.
While capital and operational costs are reduced, there is an increase in risk due to the rise of information brokers from the Dark Web. These nefarious parties trade and sell everything from personal identities to financial information to intellectual property.
Risk of information leaks is compounded since information is only as secure as the hosting company's expertise. Additionally, those who specialize in information brokering will make cloud providers their target because they are aware of the treasure trove of information they control. To manage the risks of cloud computing, it's important to first understand what risk is.
Contextualizing risk in the cloud
Risk is the probability that something unwanted will happen. In the information security world, risk is the probability that a malicious or nonmalicious event that exposes confidential information, threatens the integrity of data and interferes with system and information availability will occur. Any organization connected to the Internet is at risk considering the Dark Web's elasticity and ability to extend to private and public networks. An organization's Internet access provides return pathways for legitimate data exchanges such as email, VPN and FTP, as well as hostile data exchanges like malware, information gathering and eavesdropping.
Hostile data exchanges are not something an organization or even private individuals want. Usually, the result is downtime to recover, lost revenue, lost data, impact to human capital and a tarnished reputation. If an organization is part of a regulated industry, it may face sanctions depending on why a hostile event succeeded. Even when sanctions are not meted out, businesses cannot afford to become the page-one news for a security breach that reduces consumer and business partner confidence.
Cloud computing's message is this: We can do it better and cheaper. Concentrate on your business and we will manage your technology and protect your data cost effectively. While this may be true, a cloud provider has the same challenges as any other business. Depending on its business model, it may have greater challenges than a typical organization. Take for instance a cloud provider that caters to a niche industry such as credit cards. If it becomes known that all of its clients possess credit card information, it could become a target for information brokers. A single successful hack could result in a windfall for information brokers seeking to sell identities or credit cards or generate additional credit cards.
Risk to a cloud computing provider also resides with the consumers it hosts. Regardless of the amount of physical, logical and virtual segregation and segmentation of clients, cloud infrastructures share common power, hardware, application and network resources. When a cloud provider offers SaaS, it trusts the enterprise customer to keep its user IDs and passwords safe. Likewise, the computing resources used to access the SaaS must be secure. If an enterprise is breached and information like user IDs and passwords is harvested, a skilled information gatherer may access the SaaS application and determine a method for accessing other customers' data. Suddenly the confidentiality, integrity and availability of other enterprises' cloud environments are in jeopardy.
The final risk lies with the cloud provider and its level of technology expertise. Providers must accept risk transference and understand and comply with regulations. They have the same challenges as any other business, particularly attracting and retaining talent. When a cloud provider fails to attract or retain human capital, the overall cloud environment may suffer because a single area is neglected. A lack of scalability, or an inability to provide rich feature sets or adequate assurance of security and privacy, affects a cloud provider's ability to attract and retain consumers.
Risk transference is an integral part of cloud computing since the provider has contractual agreements to maintain a specific level of service. Part of this service involves assurance of security for information assets. If a cloud provider experiences a breach due to a lack of due diligence toward industry best practices or regulations, it may be responsible for notifying those affected by the breach and open to litigious action. A cloud provider must be prepared to verify through audits and certification that its cloud infrastructures will remain available and secure. It must also be prepared to respond to breaches. Even with good intentions, flaws such as zero-days occur and penetrate the best security architectures.
It's also important to understand the necessary compliance regulations. For reasons of privacy, financial integrity and national security, organizations typically have at least one regulation they must comply with, and most have several. Consider a national organization that manages credit card data. It must comply with federal requirements and with locale-specific statutes that may be more stringent than federal statutes. Global organizations add another layer of complexity, as they must adhere to both U.S.-specific regulations and the international regulations of the countries in which they operate. Cloud providers must invest in understanding regulations and how to comply with them, because their noncompliance also means noncompliance for the consumer organization, which has the ultimate responsibility of providing assurance to its customers and regulators.
Three dimensions of risk
Business professionals understand and accept that risk is associated with cloud consumers and cloud providers. Regardless of your role, to manage potential unwanted events, risk management must be employed. In the case of the cloud computing relationship, a bilateral risk management effort is necessary in which both the consumer organization and cloud provider must have mature risk management programs. Maturation is demonstrated through a program that has governance, cyclical reporting and quantitative evidence of maintaining a low risk posture.
Risk management is achieved through three dimensions: Risk identification, risk assessment and risk control.
- Risk identification -- Consumer organizations must articulate what risks are introduced through cloud computing investments. This enables the organization to ensure the necessary business controls are executed during the procurement of cloud services. Additionally, the appropriate processes are created and/or updated to support interruptions due to outages associated with cloud services.
A cloud provider must identify risk to determine which cloud services it is best able to deliver. Some providers may determine that they prefer to service specific industries, thereby becoming a niche provider and reducing the regulatory landscape. The risk may be too high to offer cloud services to a variety of industry consumers.
- Risk assessment -- An enterprise must understand which of its assets are too valuable to risk outsourcing to a third-party service provider. Conversely, assessment may help the enterprise recognize that a third party is better placed to protect target-rich assets when that third party's core competency is hosting and protecting data.
- Risk control -- Once risk has been quantified through identification and assessment, controls should be selected and applied to manage it. In the cloud computing model, this is a shared responsibility, hence the expectation that cloud consumers and providers have complementary risk management programs. It is the responsibility of the cloud consumer to set expectations with the cloud provider for the application of controls. It is the role of the cloud provider to ensure controls are implemented and maintained in accordance with consumer expectations and to provide attestation as dictated by a service-level agreement as well as compliance requirements.
To some, cloud computing is risky because it requires giving enterprise assets to someone else for care, feeding and protection. However, given its acceptance across industries such as healthcare, e-commerce and government, expect it to remain a go-to technology for reducing costs and streamlining business operations. The first step is to understand the risk and how to manage it.
About the author:
Ravila Helen White is the director of IT architecture for a healthcare entity. She is a CISSP, CISM, CISA, CIPP and GCIH, and a native of the Pacific Northwest.