Managing Risk in a Cloud implementation
9/1/2011
By Keith A. Ferguson, CISA, CISSP, CRISC
Cloud computing is similar in concept to the old mainframe days, when multiple terminals were connected to a massive central computer through a private wide area network with dedicated lines. Cloud computing connects users through the Internet, giving them access to technology-enabled resources and services from anywhere in the world.
Currently there are three cloud computing service models. The first is Software as a Service (SaaS), where an application is hosted by a cloud service provider (CSP) and made available across the Internet. The second is Infrastructure as a Service (IaaS), where a vendor uses the cloud to provide access to hardware, such as a SAN, servers, networks, applications, services and other technical resources. The third is Platform as a Service (PaaS), where a cloud vendor provides application development and the required underlying infrastructure.
Some opportunities with cloud computing include long-term savings in information technology costs, the ability to pay for only the service models your organization needs, reducing the overall costs to manage your IT infrastructure, pursuing new business opportunities, and improving business permanence. Before your organization begins to travel down the road to cloud computing, you should identify your organization's business objectives and the risks associated with using the cloud. You should identify which services may provide the most benefit and decide what types of data your organization is willing to trust to the cloud.
Security concerns, privacy issues and complexity are the biggest barriers to cloud acceptance and implementation. Some of these concerns include:
- How is the organization’s data protected?
- What are the access controls that restrict access to the data?
- Is the service always available or will there be unexpected or unreasonable downtime?
- Are there confidentiality risks?
- Is the security that surrounds the applications robust enough?
- How are potential vulnerabilities in the system and network managed?
- Does the CSP have the ability to recover data in case of a disaster? Is the disaster recovery plan sufficient?
Before implementing a cloud solution, you should identify a business strategy and analyze the benefits of using the cloud. Security concerns that exist in a cloud computing environment should be identified, and the controls that help remediate those concerns should be put into practice prior to a cloud implementation. Your CSP should work with your organization to make sure your organization’s security requirements are inclusive of theirs.




