
Cloud Computing: Key IT-Related Risks and Mitigation Strategies for Consideration by IT Security Practitioners
In Brief: Cloud computing is defined as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell and Grance, 2009). Applications of cloud computing broadly span three areas known as ‘cloud service delivery models’: (a) Infrastructure as a Service (IaaS), (b) Platform as a Service (PaaS), and (c) Software as a Service (SaaS).
The purpose of this study is to describe and identify key public cloud computing IT-related risks as reported in selected literature. IT-related risk is defined in this study as “the net mission/business impact considering . . . the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability” (Stoneburner, et al., 2004, p. A-2).
Cloud computing frees organizations from the need to buy and maintain their own hardware and software infrastructure.
This review focuses on a presentation of the primary IT-related risks of cloud computing and suggested mitigation strategies. IT-related risks are classified into three risk categories:
(1) Policy and organizational risks, which are business-related IT risks that organizations may face when considering cloud computing service providers. Such risks include lock-in, loss of governance, compliance challenges, loss of business reputation, and cloud service termination or failure;
(2) Technical risks, which are IT-related risks that have a direct, technological impact on the cloud computing systems that host customer programs and/or data. Such risks include availability of service, resource exhaustion, intercepting data in transit, data transfer bottlenecks, and distributed denial of service; and
(3) Legal risks, which include the IT-related risks that are legal in nature and can also have a negative impact on an organization using cloud computing services. Legal risks include subpoena and e-discovery, changes of jurisdiction, data privacy, and licensing.
Mitigation strategies include: (a) audit controls, (b) policies and procedures, (c) service level agreements, and (d) other forms of governance.
Figure 1 presents an overview of fourteen key IT-related cloud computing risks, which represent the most frequently cited concerns for security practitioners to consider. Each risk is reviewed within three major risk categories as defined by ENISA (2009, p. 23). Three aspects of each risk category are summarized, including the risk level, probability, and impact.
| Risk | Risk Level | Probability | Impact |
|---|---|---|---|
| Lock-in | High | High | Medium |
| Loss of governance | High | Very High | Very High (IaaS Very High, SaaS Low) |
| Compliance challenges | High | Very High (depends on PCI, SOX) | High |
| Loss of business reputation | Medium | Low | High |
| Cloud service termination or failure | Medium | N/A (not rated by ENISA) | Very High |
| Availability of service | N/A* | N/A* | N/A* |
| Resource exhaustion | Medium | Medium (Additional Capacity); Low (Current Capacity) | Low/Medium (Additional Capacity); High (Current Capacity) |
| Intercepting data in transit | Medium | Medium | High |
| Data transfer bottlenecks | High | Medium | Very High |
| Distributed denial of service | Medium | Medium (Customer); Low (Provider) | High (Customer); Very High (Provider) |
| Subpoena and e-discovery | High | High | Medium |
| Changes of jurisdiction | High | Very High | High |
| Data privacy | High | High | High |
| Licensing | Medium | Medium | Medium |

*Although not listed as a specific risk by ENISA (2009), availability of service was frequently cited by other experts, including Armbrust, et al. (2009), who listed it as the top obstacle to cloud computing acceptance.

Figure 1. Key IT-Related Cloud Computing Risks.
References
- Abadi, D. (2009). Data management in the cloud: Limitations and opportunities. Bulletin of the IEEE Computer Society Technical Committee on Data Engineering. Retrieved from Data Management in the Cloud: Limitations and Opportunities
- Cloud Security Alliance. (2009). Security guidance for critical areas of focus in cloud computing. Retrieved from Cloud Security Alliance
- ENISA. (2009). Cloud computing: benefits, risks and recommendations for information security. Retrieved from European Network and Information Security Agency
- Mell, P. & Grance, T. (2009). The NIST definition of cloud computing. Retrieved from National Institute of Standards and Technology
- Stoneburner, G., Hayden, C. & Feringa, A. (2004). Engineering principles for information technology security (a baseline for achieving security), Revision A. NIST Special Publication 800-27 Rev A. Retrieved from National Institute of Standards and Technology
Research Paper Author: Thomas J. Betcher, 2010 AIM Graduate
Abstract: Although the benefits of cloud computing are well known, safety concerns have received less attention. This review of selected literature, published between 2007 and 2009, identifies key IT-related cloud computing risks that should be considered by security practitioners. Three types of cloud computing risks are examined: policy and organizational, technical, and legal. Risk mitigation strategies are also explored, and include audit controls, policies and procedures, service level agreements, and other forms of governance.