Does risk outweigh the benefits from the cloud?

Cloud computing provides organizations with an alternative way of obtaining IT services and offers many benefits including increased flexibility as well as cost reduction. However many organizations are reluctant to adopt the cloud because of concerns over information security and a loss of control over the way IT service is delivered.

These fears have been exacerbated by recent events reported in the press including outages by Amazon and the 3 day loss of Blackberry services from RIM. What approach can an organization take to ensure that the benefits of the cloud outweigh the risks?

To understand the risks involved it is important to understand that the cloud is not a single model. The cloud covers a wide spectrum of services and delivery models ranging from in-house virtual servers to software accessed by multiple organizations over the internet. A clear explanation of this range is described by NIST. This document describes the 5 essential characteristics that define the cloud, the 3 service models and the 4 deployment models. The risks of the cloud depend upon both the service model and the delivery model adopted.

When moving to the cloud it is important that the business requirements for the move are understood and that the cloud service is selected meets these needs. Taking a good governance approach, such as COBIT , is the key to safely embracing the cloud and the benefits that it provides:

• Identify the business requirements for the cloud based solution. This seems obvious but many organizations are using the cloud without knowing it.
• Determine the cloud service needs based on the business requirements. Some applications will be more business critical than others.
• Develop scenarios to understand the security threats and weaknesses. Use these to determine the response to these risks in terms of requirements for controls and questions to be answered. Considering these risks may lead to the conclusion that the risk of moving to the cloud is too high.
• Understand what the accreditations and audit reports offered by the cloud provider mean and actually cover.

The risks associated with cloud computing depend on both the service model and the delivery model adopted. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through the cloud environment. Particular issues that need attention when adopting the cloud include ensuring compliance and avoiding lock-in.

To manage risk an organization moving to the cloud should make a risk assessment using one of the several methodologies available. An independent risk assessment of cloud computing was undertaken by ENISA (the European Network Information and Security Agency). This identifies 35 risks which are classified according to their probability and their impact. When the risks important to your organization have been identified these lead to the questions you need to ask the cloud provider. I propose the following top ten questions:

1. How is legal and regulatory compliance assured?

2. Where will my data be geographically located?

3. How securely is my data handled?

4. How is service availability assured?

5. How is identity and access managed?

6. How is my data protected against privileged user abuse?

7. What levels of isolation are supported?

8. How are the systems protected against internet threats?

9. How are activities monitored and logged?

10. What certification does your service have?

The cloud service provider may respond to these questions with reports from auditors and certifications. It is important to understand what these reports cover. There are two common types of report that are offered SOC 1 and SOC 2. SOC stands for “Service Organization Controls” and the reports are based on the auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements which became effective in June 2011):

• SOC 1 report: provides the auditors opinion on whether or not the description of the service is fair (it does exist) and whether or not the controls are appropriate. Appropriate controls could achieve their objectives if they were operating effectively.
• SOC 2 Report: is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively. It includes how the auditor tested the effectiveness of the controls and the results of these test.

Note that these reports are based on the statement of the service that the organization claims to provide – they are not an assessment against best practice.

A service organization may also provide an auditor’s report based on established criteria such as Trust Services that cover security, availability, processing integrity, privacy, and confidentiality. A typical auditor’s report on a cloud service will simply refer to which of the five areas are covered by the report and it is up to the customer to evaluate whether the Trust Principle and Criteria are appropriate for their needs. In addition ISACA have recently published a set of IT control objectives for cloud computing.

Cloud computing can reduce costs by providing alternative models for the procurement and delivery of IT services. However organizations need to consider the risks involved in a move to the cloud. The information security risks associated with cloud computing depend upon both the service model and the delivery model adopted. The common security concerns of a cloud computing approach are maintaining the confidentiality, integrity and availability of data. The best approach to managing risk in the cloud is one of good IT governance covering both cloud and internal IT services.