Risk management for cloud computing deployments
Cloud risk management involves more than meets the eye. Our expert details risk management for public cloud setups in this multi-part series.
When you consider the recent trends and studies on cloud computing, it’s clear that after the Internet, it’s the turn of cloud computing to shape the future of computing. The question is no longer “To cloud or not to cloud”, but more of “when will the shift happen” and “what processes will shift to the cloud”. In this series of articles, we will endeavor to perform a complete cloud risk management exercise.
As part of a risk management exercise for cloud computing, it’s important to rank the positive information security benefits from utilizing cloud infrastructure. Since the largest risks lie on public cloud fronts (unless mentioned otherwise), all references are only to public cloud infrastructure.
A background
By its very nature, cloud computing setups have a huge setup in place, which typically comprises of hundreds (if not thousands) of servers running a wide variety of operating systems, virtualized platforms and databases. The network will utilize equipment with Gigabit transfer rates and high end security systems. The data centre is at least a tier 2+, if not a tier 3/4 setup.
What this translates into is:
- Specialized personnel: Since the entire business model is based on providing IT resources, cloud providers can afford to hire and retain the industry’s finest skillsets. This is a huge boon for many organizations, since they are unable to attract and retain highly skilled resources. It’s not rare to see organizations which are able to spend large sums on IT Infrastructure, but unable to derive due benefits due to lack of skilled resources.
- Opex, NOT capex: In many countries, organizations purchasing IT equipments for internal consumption – “capex - capital expenditure” cannot take immediate tax benefits by writing off expenditure, but get staggered benefits spread over five years. By employing a cloud provider’s resources, investments in cloud resources get classified as operational expense (opex), which results in immediate tax benefits.
- Platform support: Many organizations are unable to rollout patches on time, or even identify the applicable patches due to various reasons like lack of adequate knowledge base, time, or adequate testing infrastructure. These shortcomings are not there for most cloud providers, ensuring that the platforms and applications that you use on those cloud setups are adequately up to date. This is a two edged sword, since this very point has also been observed as a weakness in certain cloud providers whom we have audited.
Organizations which have fairly mature processes in place ensure aspects like timely internal system updates and adequate testing. The same cannot be said in a guaranteed manner for cloud providers due to lack of visibility and transparency. We will cover this aspect in detail with mitigation strategies in the next installments of this tip. - Backup and recovery: Almost all the organizations that I have worked with in the past 20 years take regular backups. However, very few organizations ever perform regular restoration to check the working and adequacy of backups, which lead to last minute unpleasant surprises. Cloud providers have this step pat in place, since the repercussions of a mess-up will be fatal for their existence. Again, this is a two edged sword dependent on the policies of the cloud provider, which may or may not be sufficient for your organizational requirements. We will cover mitigation strategies in detail in the next parts.
- Disaster recovery: This is critical for most organizations, but regularly side-stepped or watered down. Redundancy and disaster recovery capabilities are built into cloud computing environments. This is a two edged sword dependent on the cloud provider’s policies and implementation strategy, which may not be sufficient for your organizational requirements.
- Thin clients: Since applications and data (in most cases) will reside on the cloud infrastructure, you will not require powerful laptops and desktops to run your applications. Not much confidential data will reside on your internal systems, thus cutting down on your information risk factors. This is again based on the cloud provider’s policies and your implementation topology.
- Power savings: Last year, Pike Research found that cloud computing could lead to a 38 percent reduction in worldwide data center energy use by 2020, compared to what the growth of data center energy consumption would be without cloud computing. Another study from Microsoft, Accenture and WSP Environment and Energy in 2011 found that moving business applications to the cloud could cut the associated per-user carbon footprint by 30 percent for large, already-efficient companies. This figure could be as much as 90 percent for the smallest and least efficient businesses.
I have exceeded the word count limit for my article, so adieu for now. The upcoming articles will contain more insights on cloud risk management.