Comment: Governance is Key to Managing Cloud Risk

"The risks of adopting the cloud depend upon both the service and delivery models", according to Mike Small
Mike Small, KuppingerCole, ISACA

The cloud provides an alternative way of procuring IT services that offers many benefits, including increased flexibility as well as reduced cost. However, many organizations are reluctant to adopt the cloud because of concerns over information assurance and a loss of control over the way IT service is delivered. These fears have been exacerbated by recent events reported in the press including outages by Amazon and the three-day loss of Blackberry services from RIM this past autumn. Adopting cloud computing can save money, but good governance is needed to manage the risks.

The cloud covers a wide spectrum of services and delivery models, ranging from IaaS (infrastructure as a service) delivered through in-house virtual servers, to SaaS (software as a service) delivered over the internet to multiple organizations. NIST provides a clear description of this range. The risks of adopting the cloud depend upon both the service and delivery models. Taking a good governance approach, such as COBIT, is the key to safely embracing the cloud and the benefits that it provides.

First, identify the business requirements for the cloud-based solution. This seems obvious, but many organizations are using the cloud without knowing it. Use the business requirements to determine the risk profile for the cloud service. Some applications will be more business critical than others.

Second, develop scenarios to understand the security threats and weaknesses. Use these to determine the response to risks in terms of requirements for controls and questions to be answered by the cloud service provider. This may lead to the conclusion that the risk of moving to the cloud is too high.

Finally, understand what the accreditations and independent audit reports offered by the cloud provider mean and actually cover. Are these appropriate for your business needs?

The common cloud security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through the cloud environment. In addition, particular issues that need attention include ensuring compliance and avoiding lock-in.

According to Neelie Kroes, vice president of the European Commission responsible for the Digital Agenda and the European Cloud Computing Strategy: "to offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily." Currently there are a number of factors that can make it difficult to change providers. There may be contractual costs incurred on termination of the service contract. The ownership of the data held in the cloud may not be clear, and return of the data on termination of the contract may be costly or slow. Cloud services built using cloud platforms (PaaS in particular) may be based on proprietary architectures and interfaces, making it very difficult to migrate to another provider.

To manage these risks an organization moving to the cloud should make a risk assessment using one of the several methodologies available. When the risks important to your organization have been identified, these lead to the questions you need to ask the cloud provider:

  1. How is legal and regulatory compliance assured?
  2. Where will my data be geographically located?
  3. How securely is my data handled?
  4. How is service availability assured?
  5. How is identity and access managed?
  6. How is my data protected against privileged user abuse?
  7. What levels of isolation are supported?
  8. How are the systems protected against internet threats?
  9. How are activities monitored and logged?
  10. What certification does your service have?

The cloud service provider may offer certifications and reports from auditors. It is important to understand what these cover.

There are two common types of report that are offered – SOC 1 and SOC 2. SOC stands for 'service organization controls', and the reports are based on the auditing standard SSAE No. 16 (Statement on Standards for Attestation Engagements, which became effective June 2011).

SOC type 1 reports provide the auditor's opinion on whether or not the description of the service is fair (the service as described does exist) and whether or not the controls are appropriate. SOC type 2 reports are extensions of type 1, including further information on whether or not the controls were actually working effectively. They include how the auditor tested the effectiveness of the controls and the results of those tests.

Note that these reports are based on the statement of the service that the organization claims to provide – they are not an assessment against best practice.

A service organization may also provide an auditor's report based on established criteria such as Trust Services (including WebTrust and SysTrust). The Trust Services Principles and Criteria were established by the AICPA and cover security, availability, processing integrity, privacy, and confidentiality. A typical auditor's report on a cloud service will simply refer to which of the five areas are covered by the report, and it is up to the customer to evaluate whether the Trust Services Principles and Criteria are appropriate for their needs. In addition, ISACA has recently published a set of IT Control Objectives for Cloud Computing.

Cloud computing offers an alternative way to procure IT services with more flexibility and at a lower cost than through traditional outsourcing. However, these benefits come with certain risks that depend upon the cloud service and delivery model adopted. The common risks are maintaining the confidentiality, integrity and availability of data. In addition, particular issues that need attention include ensuring compliance and avoiding lock-in. The best approach to managing risk in the cloud is one of good IT governance.


Mike Small is a senior analyst at KuppingerCole, a fellow of the BCS, and a member of the London Chapter of ISACA. Until 2009, Small worked for CA, where he developed CA's identity and access management product strategy. He is a frequent speaker at IT security events around EMEA.