Applied Information Management

Cloud Computing: Key IT-Related Risks and Mitigation Strategies for Consideration by IT Security Practitioners

In Brief: Cloud computing is defined as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Mell and Grance, 2009). Applications of cloud computing broadly span three areas known as "cloud service delivery models": (a) Infrastructure as a Service (IaaS), (b) Platform as a Service (PaaS), and (c) Software as a Service (SaaS).

The purpose of this study is to describe and identify key public cloud computing IT-related risks as reported in selected literature. IT-related risk is defined in this study as "the net mission/business impact considering . . . the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability" (Stoneburner, et al., 2004, p. A-2).

Cloud computing frees organizations from the need to buy and maintain their own hardware and software infrastructure.

This review presents the primary IT-related risks of cloud computing and suggested mitigation strategies. IT-related risks are classified into three risk categories:

(1) Policy and organizational risks, which are business-related IT risks that organizations may face when considering cloud computing service providers. Such risks include lock-in, loss of governance, compliance challenges, loss of business reputation, and cloud service termination or failure;

(2) Technical risks, which are IT-related risks that have a direct, technological impact on the cloud computing systems that host customer programs and/or data. Such risks include availability of service, resource exhaustion, intercepting data in transit, data transfer bottlenecks, and distributed denial of service; and

(3) Legal risks, which include the IT-related risks that are legal in nature and can also have a negative impact on an organization using cloud computing services. Legal risks include subpoena and e-discovery, changes of jurisdiction, data privacy, and licensing.

Mitigation strategies include: (a) audit controls, (b) policies and procedures, (c) service level agreements, and (d) other forms of governance.

Figure 1 presents an overview of fourteen key IT-related cloud computing risks, which represent the most frequently cited concerns for security practitioners to consider. Each risk is reviewed within three major risk categories as defined by ENISA (2009, p. 23). Three aspects of each risk category are summarized, including the risk level, probability, and impact.

| Risk Category | Risk | Risk Level | Probability | Impact |
|---|---|---|---|---|
| Policy | Lock-in | High | High | Medium |
| Policy | Loss of governance | High | Very High | Very High (IaaS Very High, SaaS Low) |
| Policy | Compliance challenges | High | Very High (depends on PCI, SOX) | High |
| Policy | Loss of business reputation | Medium | Low | High |
| Policy | Cloud service termination or failure | Medium | N/A (not rated by ENISA) | Very High |
| Technical | Availability of service | N/A | N/A | N/A |
| Technical | Resource exhaustion | Medium | Medium (additional capacity); Low (current capacity) | Low/Medium (additional capacity); High (current capacity) |
| Technical | Intercepting data in transit | Medium | Medium | High |
| Technical | Data transfer bottlenecks | High | Medium | Very High |
| Technical | Distributed denial of service | Medium | Medium (customer); Low (provider) | High (customer); Very High (provider) |
| Legal | Subpoena and e-discovery | High | High | Medium |
| Legal | Changes of jurisdiction | High | Very High | High |
| Legal | Data privacy | High | High | High |
| Legal | Licensing | Medium | Medium | Medium |

Note on availability of service: although not listed as a specific risk by ENISA (2009), and therefore not rated here, this risk was frequently cited by other experts, including Armbrust, et al. (2009), who listed it as the top obstacle to cloud computing acceptance.

Figure 1—Key IT-Related Cloud Computing Risks.


AIM alumnus Thomas Betcher

Research Paper Author: Thomas J. Betcher—2010 AIM Graduate

Abstract: Although the benefits of cloud computing are well known, safety concerns have received less attention. This review of selected literature, published between 2007 and 2009, identifies key IT-related cloud computing risks that should be considered by security practitioners. Three types of cloud computing risks are examined: policy and organizational, technical, and legal. Risk mitigation strategies are also explored, and include audit controls, policies and procedures, service level agreements, and other forms of governance.
