User:Shawndouglas/sandbox/sublevel1

From LIMSWiki

In January 2021, Business Tech Weekly highlighted the biggest security challenges to organizations adopting cloud. Among them were[1]:

  • inadequate access control
  • insufficient contract regulation
  • unsecure software interfaces
  • low data visibility
  • delays in deleting data
  • inability to maintain regulatory compliance

These and other related challenges are a product of the various risks of doing business in the cloud. In a business context, a risk is essentially any aspect of the business, or of the environment it operates in, that endangers its objectives; those risks in turn must be managed to better ensure an organization meets its goals. This requires risk management.

Risk management is the process of identifying, evaluating, and prioritizing risks, and then developing an economical and efficient strategy for monitoring, controlling, and mitigating those risks. Whether risk management is part of an overall cybersecurity plan (as it should be) or an independent process (perhaps more common in very small organizations), it always makes sense to have strategies for managing threats and responding to opportunities, not only for the organization as a whole but also specifically for IT and software implementations.

But what are the major risks associated with cloud computing initiatives that drive the need for risk management? And what are the potential consequences if those risks are left unchecked? Business consultancy KPMG released a 2018 report about managing risk in the cloud. In that report, author Sai Gadia identified five critical categories of risk to organizations venturing into the cloud: data security and regulatory risk, technology risk, operational risk, vendor risk, and financial risk.[2]

These five categories neatly sum up the areas of risk to apply to a cloud risk assessment, but let's look at each of them a bit more closely.

Data security and regulatory risk: This category examines the concerns of data integrity and availability.

  • The potential risks: data is leaked, lost, or becomes unavailable.
  • The potential consequences: reputation loss, regulatory non-compliance, business interruptions, and loss of revenue.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining enforcement of existing corporate security policies, maintaining regulatory compliance, managing user access effectively, managing networking across multitenancy or shared infrastructures, and gaining greater flexibility with encryption and security controls offered by the cloud service provider (CSP).
  • Getting around these challenges: Organizations should "have mature data protection and regulatory compliance programs staffed with talented individuals who have sufficient authority and clear responsibilities. Such organizations also leverage leading third-party or homegrown automated tools and continuously improve their capabilities."[2]

Technology risk: This category examines the concerns of rapid shifts in underlying technologies.

  • The potential risks: cloud-specific technologies rapidly evolve, and standardization of those technologies doesn't keep up.
  • The potential consequences: added costs associated with rearchitecting cloud systems, shifting data to new platforms, developing new integrations, and requiring additional training.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining room in the budget for rearchitecting cloud applications and systems periodically, maintaining the personnel to stay engaged and focused on changes happening in the industry, and identifying tools (e.g., dashboards) that can extend the life cycle of your cloud implementation.
  • Getting around these challenges: Organizations should "recognize that cloud will require the role and responsibilities of in-house IT professionals to evolve and are making the necessary investment to train individuals and encourage the adoption of innovative technology. In the process, they are also increasing alignment with the vision and business of the organization."[2] IT professionals should also be considering aspects of cloud such as compatibility with other CSPs as new services are added.

Operational risk: This category examines the concerns of how IT services and tasks get effectively performed.

  • The potential risks: suboptimal service reliability; suboptimal service features; insufficient control over the underlying service; and theft, fires, natural disasters, and similar physical threats.
  • The potential consequences: costly downtime, slower workflows, slower disaster recoveries, and permanent losses of vital assets.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining room in the budget for leading technologies, maintaining room in the budget for a service that meets most if not all workflow and regulatory requirements, having the budget and knowledge to implement redundant systems (e.g., via hybrid cloud), and being able to rapidly bounce back from asset losses.
  • Getting around these challenges: Organizations should "adopt the agile development methodology as well as the DevOps model for cloud deployments. Such organizations are now using the learning from pilot projects to shape the enterprise development methodologies of the future."[2] Additionally, they should investigate how to best cost-optimize redundant cloud storage based on access patterns, geography, etc.[3] Finally, if the organization is responsible for localized (i.e., private cloud) assets housing critical operational data and equipment, it should have sufficient plans in place for mitigating risks from physical disasters and other threats to that data and equipment.

Vendor risk: This category examines the concerns of doing business with a CSP.

  • The potential risks: vendor files for bankruptcy, is named in a lawsuit, is scrutinized by a regulatory body, or otherwise has an underlying lack of sustainability or compliance.
  • The potential consequences: loss of data, loss of service, reduced service, and lack of compliance (which has its own costs to an organization).
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: knowing the deep inner workings of the CSP, knowing the financial stability of the CSP, knowing the CSP's true reputation among a wide number of other customers, and putting faith in the CSP's trust center materials.
  • Getting around these challenges: Organizations should "take a long-term strategic view to manage their relationships with cloud service providers. Such companies are actively engaged and are shaping the road map of CSPs' service offerings to help accelerate their move to cloud while being offered better tools by the CSP to efficiently manage risks."[2] This long-term strategic view should include significant due diligence about the vendor's underlying operations, stability, and fall-back plans should they suffer a major business loss.

Financial risk: This category examines the concerns of the organization's long-term revenues and ability to budget for cloud services.

  • The potential risks: underestimating initial implementation costs, long-term service costs, long-term capital expenditure carry-over (if any), and long-term business revenues.
  • The potential consequences: cost overruns, layoffs, budget cut-backs, and detrimental scaling back of necessary services.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: finding and retaining experienced and knowledgeable staff capable of budgeting future (and changing) cloud costs, as well as managing the financial activities of the organization.
  • Getting around these challenges: Organizations should "assign individuals with the responsibility for budgeting, tracking, and managing cloud costs. Such organizations are also making use of advanced third-party analytical tools available to manage cloud costs."[2] Estimating those costs can be challenging, particularly in industries where high-throughput data is being created and managed. As such, negotiating a special agreement with the CSP may be of value.[4] Also, ensure the organization is considering costs associated with contract modifications and cancellation fees.

When identifying risks associated with doing business in the cloud, you'll most likely be able to fit them into one of these five categories. As indicated above, potential consequences come with potential risks, and you'll want to identify those consequences as well. Of course, addressing those risks and consequences is not a simple matter; doing so comes with its own challenges. Identifying risks and consequences, along with the challenges involved in limiting them, is all part of risk management. Finally, after identifying risks, consider the usefulness of an external review of those risks to ensure your organization hasn't missed anything significant.[5]

But how does an organization successfully go through the risk management process? That's best accomplished with the aid of one or more risk management and cybersecurity frameworks.

References

  1. Antonenko, D. (4 January 2021). "Cloud computing security issues and challenges". Business Tech Weekly. https://www.businesstechweekly.com/cybersecurity/data-security/cloud-computing-security-issues-and-challenges/. Retrieved 21 August 2021. 
  2. Gadia, S. (March 2018). "How to manage five key cloud computing risks" (PDF). KPMG LLP. https://assets.kpmg/content/dam/kpmg/ca/pdf/2018/03/cloud-computing-risks-canada.pdf. Retrieved 21 August 2021.
  3. "Cost-optimized redundant data storage in the cloud". Service Oriented Computing and Applications 11: 411–26. 2017. doi:10.1007/s11761-017-0218-9. 
  4. Navale, V.; Bourne, P.E. (2018). "Cloud computing applications for biomedical science: A perspective". PLoS Computational Biology 14 (6): e1006144. doi:10.1371/journal.pcbi.1006144. PMC 6002019. PMID 29902176. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6002019.
  5. Bhat, V.; Kapur, S.; Hodgkinson, S. et al. (2020). "FFIEC statement on risk management for cloud computing services" (PDF). Deloitte Development, LLC. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf. Retrieved 21 August 2021.