Cloud Computing - A Risk Management Perspective

Cloud Computing – A boon for IT Value optimization or a bane on Enterprise risk management

Well, it depends on the way a business looks at Clouds. It depends on how sensitive and responsive its programs are for IT value expansion and protection by managing risks to information and all that's associated in the wake of emerging technologies such as Clouds. While cloud computing has its own challenges for risk management, many of the contemporary risks can still be applicable. A Cloud specific information security policy founded on sound IT governance and an enterprise risk management structure can be the key.

It's not as gloomy as Clouds are often made out to be

The benefits and risks of migration to the Clouds will largely depend on the type of Cloud model to be chosen and the provider's security offerings. Clouds can pave the way for data centric, granular security measures to protect data throughout its life-cycle, as they are driven by the pay-for-only-what-you-use model. This data centric approach may usher in IP (Internet Protocol) packet level self-defense mechanisms and technologies as computing power and bandwidth become cheaper and cheaper and more data will be moved outside an enterprise to take advantage of economies of scale.

Before you make the first step

Clouds do not take away all the responsibilities and liabilities on the part of a Cloud customer. An enterprise still needs to retain an appropriate structure and programs for managing the risks, security and compliance through the Cloud provider. A major part of tactical and operational responsibilities may get shifted to the Cloud provider. Whatever be the Cloud model, traditional techniques for managing information security and technology risks can still be applied.

Threats to Cloud security: Are they real?

The ever growing list of threats that have been plaguing the industry for decades is applicable to the Cloud too. Threats such as malware infection, mis-configurations, errors & omissions, espionage, social engineering, poorly communicated and implemented policies, cyber warfare, etc.,

Forensics requires freezing of all compute resources as soon as a security breach is discovered. On a Cloud, how will one achieve this? Similarly, eDiscovery requires ferreting out all data needed by prosecution. Unless Clouds offer a way to keep track of customers' data, things can get worse.

Infections due to malware can spread to multiple customers rapidly. Impact from a successful attack can be devastating.

The multi-tenant nature of Clouds means that a given virtual environment or the underlying physical servers can host data from different customers having different requirements for security, privacy and compliance. What will be the data classification based security level for that virtual or physical machine? How can the Cloud provider offer a policy that will address the requirements of all of its customers? How can the Cloud provider ensure that its virtual computing resources are not misused by a malicious organization disguised as a legitimate consumer of the Cloud?

While the answers will emerge, Security as early as during the adoption of a Cloud model can go a long way. A Cloud adoption approach such as the one that follows, based on traditional but very critical measures, can go a long way.

1. Prepare a strategy for IT and also Information Architecture. Build Security, Privacy and Compliance into the architecture. Have a carefully evaluated strategy for IT before moving to Clouds. Clouds are, in a way, an outsourcing model. Clearly, it's your Cloud based IT strategy that is going to drive your business strategy, innovation and operational excellence.

2. Adopt a risk management approach and integrate it with your firm-wide risk management program. With the adoption of Cloud, liabilities do not just disappear, though IT overhead can reduce significantly and clouds have the potential of getting the best of everything in data protection and compliance, even if it comes at a cost. Revisit your current risk management program and include a plan for addressing Cloud related concerns in the program.

3. Select a cloud service model that best aligns with your IT strategy. Moving a business handling sensitive and privacy data regulated by PCI, HIPAA, GLBA, etc., demands a clear understanding of the risks involved in & protections offered by cloud. Chances are your IT and security strategies are going to be largely influenced by the safeguards to be offered by the Cloud.

4. Choose a cloud provider that best meets your IT & Compliance requirements. Verification of the Cloud provider's policies & procedures related to information & IT operational security would be necessary. Apart from that, verify the Cloud provider's track record, financial stability, future direction, and security and compliance assurances offered such as ISO 27001 and SysTrust apart from SAS 70.

5. Draft a well defined legal and contractual agreement that addresses your business requirements for security, privacy and compliance. Adoption of Cloud can mean a big shift in what remains in your strategic as well as tactical control. A strong contractual framework can help make a case for "outsourcing control of your controls".

6. Align your security policies & procedures. This can be really challenging as a mutual alignment is a must to avoid exposure of your data. Alignment should not be at the cost of compromising your security & compliance requirements.

7. Know your data. Have a well defined data classification policy that can be implemented by the Cloud provider. Your classification policy should clearly set forth user access and authorization rules, data protection such as encryption, etc.

8. Have a clearly articulated data security policy and procedures. Understand how idle data are stored, isolated and protected. Find out what happens to your data when your subscription is over or when you need to scale down or if you are a Cloud storage customer.

9. Understand and evaluate controls in Cloud's control. Ensure that the Cloud provider has effective measures for personnel, physical & environmental security, user access controls, data security at rest and in motion, isolation from other customers, etc. Pay attention to granular issues: for example, if encryption is offered, find out how key management is implemented.

10. Have a data retention and disposal policy that suits your Cloud strategy. Define your back-up and recovery requirements. Back-up data deserves protection in accordance with its classification if stored in the clouds. Better to store data in an offsite location controlled by you.

11. Have a regular program for creating and monitoring security awareness.

12. Implement, Review, Assess & Audit. Have independent audit and security assessment firms audit Cloud providers' policies, procedures, controls, tests, audits, etc. Review your contractual framework in line with emerging trends in Cloud security. While safeguards related to physical & environmental security may be a given, including basic disaster recovery arrangements, Cloud adopters have to pay closer attention to risks related to data, application and users.

This Cloud has certainly a silver lining, probably many.