The benefits of cloud computing (specifically Software as a Service [SaaS]) over in-house development are clearly articulated and well known, and they include rapid deployment, ease of customisation, reduced build and testing effort, and reduced project risk. Similarly well known are Infrastructure as a Service (IaaS) benefits, which include reduction in cost, movement from capital expenditure to operational expenditure and agility.1 A consensus on the risk of cloud computing is, however, more difficult to achieve because the industry is lacking a structured framework for risk identification and assessment. In addition, businesses struggle with identifying and following a road map for cloud implementation. Paradoxically, from a small to medium-sized enterprise perspective, migrating to the cloud may in fact mitigate risk.2 For example, the likelihood of server misconfiguration or poor patch management leading to a successful attack is greatly reduced, as is the risk of data loss due to less use of portable media.
Recent high-profile outages and security breaches serve to further confuse businesses as they attempt to correlate their current internal control environment and proposed controls for the cloud with the external incidents chronicled in the press. For example, in April/May 2011, cloud risk came to widespread attention with the consecutive failures of Sony, VMware and Microsoft cloud-based services.3
Literature Review
Over the last few years, a plethora of documents have been written containing risk exposure, ad hoc guidance and control checklists to be consulted when considering cloud computing. Most of these are deep on security concerns but narrow across the breadth of IT risk where a comprehensive framework for assessment is needed.
Having said that, the International Organization for Standardization (in particular ISO/IEC JTC 1/SC 27) is embarking on the development of a series of standards that aims to formally address risk management of cloud computing services. The risk profile for cloud migration itself is also in a state of flux, as existing offerings are maturing and new offerings are emerging. Examples include new cloud offerings such as Data as a Service (DaaS) and the emergence of cloud service brokers, who provide intermediation, monitoring, transformation/portability, governance, provisioning and integration services in addition to existing cloud services.
In 2009, the European Network and Information Security Agency (ENISA) produced a document titled ‘Cloud Computing: Benefits, Risks and Recommendations for Information Security’. This document collates 35 types of risk identified by 19 contributors, and identifies eight top security risks based on ENISA’s view of indicative likelihood and impact.4 In March 2010, the Cloud Security Alliance (CSA) published ‘Top Threats to Cloud Computing V1.0’, which includes the top seven threats as identified by its members.5 More recently, in April 2011, the Open Web Application Security Project (OWASP) released a ‘pre-alpha list’ of its top 10 cloud security risks derived from a literature review of other publications and sources.6 In May 2011, the National Institute of Standards and Technology (NIST) released a draft titled ‘Cloud Computing Synopsis and Recommendations (Special Publication 800-146)’, which provides a deep analysis of risk, but again no coherent framework. Figure 1 gives a comparison of the top types of risk identified by the CSA, OWASP and ENISA, showing the variation in both content and ranking.
In July 2011, ISACA released IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, which provides a comprehensive guide to cloud controls taken from COBIT, Val IT and Risk IT. The ISACA publication7 critiques a number of standards, certifications or frameworks, including COBIT, ENISA, CSA, NIST, ISO 27001, the American Institute of Certified Public Accountants (AICPA) Service Organisation Control (SOC) 1 Report, AICPA Trust Services (SysTrust), CSA’s Cloud Security Matrix, FedRAMP, Health Information Trust Alliance (HITRUST), BITS Shared Assessment Program and Jericho Forum® Self-assessment Scheme (SAS). In doing so, the publication highlights both the need for a consistent and broadly accepted risk assessment framework and the fact that its existence still remains elusive.
A Framework for Assessment
The ISO/IEC 9126 standard (Information technology—Software product evaluation—Quality characteristics and guidelines for their use), when used in conjunction with a deep security assessment, is valuable for putting more structure and coherence around assessing the suitability of new vendors and new technologies, including cloud offerings. The objective of this international standard is to provide a framework, comprising six quality characteristics, for the evaluation of software quality. However, it also appears to be useful for SaaS, Platform as a Service (PaaS) and IaaS cloud assessments.
The types of risk identified in the reviewed literature can map directly to ISO/IEC 9126 (as shown in figure 2). In addition, the standard can be used to derive a superset of risk that is currently not coherently articulated in the industry. The example shown in figure 2 is based on an assessment by Force.com conducted by the author several years ago, and may not reflect the current offering from Salesforce.com.
The security-related risk can be assessed in a similar structured approach by assessing against selected ISO 2700x, COBIT and NIST 800-53 controls that are applicable to the exposures within cloud computing. As an example, figure 3 shows a cross-reference of the security-related risk (identified in the literature reviewed) to COBIT 4.1 DS5 Ensure systems security.
The Ten Principles of Cloud Computing Risk
The ten principles of cloud computing risk8 help to give context to the frameworks for assessment previously discussed, and they can be used as an overall road map for migration to cloud computing. The road map is based on four guiding principles:
- Vision—What is the business vision and who will own the initiative?
- Visibility—What needs to be done and what are the risks?
- Accountability—Who is accountable and to whom?
- Sustainability—How will it be monitored and measured?
The ISACA Business Model for Information SecurityTM (BMISTM)9 (figure 4) was used as an overarching framework for risk and security.
Based on BMIS, these 10 principles of cloud computing risk provide a framework for cloud computing migration which is presented here in a case study.
This case study considers moving a risk management business function (e.g., a home loan mortgage insurance calculation) to the cloud. The business function is part of the decision-making process within the end-to-end home loan business process shown in figure 5. In this process, an application is received and acknowledged, various calculations are performed, and a decision is made regarding whether to lend money.
The business benefit of placing this function in the cloud is that it will allow branches, call centres, brokers and other channels to use the same code base and avoid replicating the calculations in multiple places. The use of the cloud will also reduce paper handling and host system access and the associated security required. There is also a potential business driver for allowing customers access to their own data if placed on the public cloud.
The first step in the framework is to formulate and communicate a vision for the cloud at an enterprise and business-unit level. The first two principles relate to this vision:
1. Executives must have oversight over the cloud—The business as a whole needs to recognise the value of the cloud-based technology and data. There must be constant vigilance and continuous monitoring of risk to these information assets, including ensuring compliance with appropriate laws, regulations, policies and frameworks. This is related to the governance dimension of BMIS. In the case study, the head of the retail banking department obtains briefings from internal and/or external business and technical experts to understand the technology and its alignment to the business objectives. The individual then sets a ‘tone from the top’, mandating policies and structures to ensure that this alignment is maintained within industry standards and regulatory constraints.
2. Management must own the risks in the cloud—The management of the relevant business unit must own the risk associated with its use of cloud services, and must establish, direct, monitor and evaluate commensurate risk management on an on-going basis. This is related to the organisation dimension of BMIS. In the case study, the business decides to assign ownership of the complete (business and IT) risk of the initiative to the retail bank operational risk manager, who works with the departmental IT risk manager to plan actions covering both the business and technical risk involved.
Once the vision is articulated and the risk management organisation is in place, the next step in the road map is to ensure visibility of what needs to be done and the risk of doing it. There are three principles related to ensuring visibility:
3. All necessary staff must have knowledge of the cloud—All users of the cloud should have knowledge of the cloud and its risk (commensurate with their role in the organisation), understand their responsibilities and be accountable for their use of the cloud. This is related to the human factors dimension of BMIS. In the case study, the home lending line-of-business owner and the IT manager work together to ensure that the involved business and technology staff have the appropriate skills to embark on the cloud initiative or that the needed expertise is obtained externally.
4. Management must know who is using the cloud—Appropriate security controls must be in place for all uses of the cloud, including human resources practices (e.g., recruitment, transfers, terminations). This is related to the people dimension of BMIS. In the case study, the home lending line of business owner must ensure that the necessary background checks, segregation of duties, least privilege and user access review controls are in place in the business, IT and cloud service provider. This will require working with the IT manager and the possible engagement of external assessment organisations.
5. Management must authorise what is put in the cloud—All cloud-based technology and data must be formally classified for confidentiality, integrity and availability (CIA) and must be assessed for risk in business terms, and best practice business and technical controls must be incorporated and tested to mitigate the risk throughout the asset life cycle. This is related to the technology dimension of BMIS, and it is where the ISO 9126-based framework for assessment is used in this road map.
In the case study, the home loan mortgage insurance calculation process uses sensitive data such as customer identity, date of birth and taxable income. The CIA rating of the business data is an average of high, based on the assessment provided in figure 6.
A more complete CIA analysis might also consider detailed business requirements, data retention requirements, and privacy and regulatory requirements.
Once this assessment is completed, the asset can be mapped to potential cloud deployment models. Based on the profile of high concern in the case study, management decided that the process should be considered for migration to a private cloud. In this type of deployment, the calculation can be made accessible to the various stakeholders with their heterogeneous client devices, but still provide an acceptable level of security over the data. A key consideration would be the limited scalability or agility that a private cloud would offer compared to a public cloud. In this case, the retail banking executive decides to deploy to a private cloud until customer access becomes a compelling requirement.
As the next step, the risk associated with a cloud implementation must be assessed against the risk associated with the incumbent in-house system, and also against the option of acquiring a new internally operated system. The framework for assessment could be used for each of these options, to assess risk areas such as deficient vendor or internal support, application complexity, and application reliability. In the case study, an assessment of the existing loan mortgage insurance application identified an aging application with overreliance on a single vendor and limited disaster recovery.
The current risk assessment may have identified a value-at-risk (VaR) of US $20 million per year and a need to spend approximately US $1 million–$2 million, stabilising and securing the existing system. The as-is risk profile for the current in-house system (using the risk associated with deficient characteristics from the ISO 9216 framework) is shown in figure 7.
The risk profile for the business process after moving it to a private cloud (using the combined ISO 9126 and COBIT assessment framework) is shown in figure 8. A similar risk assessment (as well as an assessment of relative business value) should be conducted on the other option—an internally operated and hosted system.
Movement of the business function to a private cloud reduced the VaR to around US $2 million per annum by removing the exposure to aging, poor-performing technology, and removing the user and data security risk of having multiple copies of the system and data in circulation. At a more detailed level, an organisation may have an overall scorecard covering the combined ISO 9126 and COBIT frameworks; a detailed control assessment of applicable preventive, detective and impact controls; and a risk assessment for each risk showing inherent (prior to control) and residual (after control) impact and likelihood.
The third step in the cloud computing road map is accountability. In the case study, the business owner works with the operational risk manager to develop a matrix of roles and responsibilities, shown in figure 9.
This accountability extends to process, architecture and culture through the next three principles:
6. Mature IT processes must be followed in the cloud— All cloud-based systems development and technical infrastructure processes must align with policy, meet agreed business requirements, be well documented and communicated to all stakeholders, and be appropriately resourced. This is related to the process dimension of BMIS. In the case study, the retail bank operational risk manager ensures that relevant policies are in place and communicated, and that a mapping of policy clauses to the assessment framework is included. A gap analysis is then performed against IT development and support processes and included in the risk and control profile.
7. Management must buy or build management and security in the cloud—Information risk and security, as well as its monitoring and management, must be a consideration in all cloud investment decisions. This is related to the architecture dimension of BMIS. In the case study, the departmental IT risk manager is involved in all aspects of the initiative, including vendor evaluation and management, technology review, security assessment and design, and the final investment decision.
8. Management must ensure cloud use is compliant—All providers and users of the cloud must comply with regulatory, legal, contractual and policy obligations; uphold the values of integrity and client commitment; and ensure that all use is appropriate and authorised. This is related to the culture dimension of BMIS. In the case study, the retail banking operational risk manager works with the compliance manager to ensure that all policies, regulations and employee codes of conduct are in place; training is performed; and compliance is periodically reviewed. The operational risk manager works with the IT risk manager and vendor manager to ensure that processes are in place to similarly assess compliance within the cloud service provider.
The final phase in the cloud computing road map is sustainability, and there are two related principles:
9. Management must monitor risk in the cloud—All cloud-based technology developed or acquired must enable transparent and timely reporting of information risk and be supported by well-documented and communicated monitoring and escalation processes. This is related to the enabling and support dimension of BMIS. In the case study, the retail banking operational risk manager and departmental IT risk manager work together to develop an ongoing cloud risk and security monitoring, reporting and escalation process. Ideally, this process includes regular information and escalations from the cloud service provider.
10. Best practices must be followed in the cloud—All cloud-based systems development and technical infrastructure related processes must consider contemporary technology and controls to address emerging information risk identified through internal and external monitoring. This is related to the emergence dimension of BMIS. In the case study, the departmental IT risk manager and IT resources involved in the cloud initiative undertake continuing education on cloud technology and related risk through formal education, industry contacts and associations such as ISACA.
Conclusion
This article has reviewed some of the existing guidance to keep in mind when considering cloud computing, suggested ISO 9126 as a valuable standard for a more structured and coherent assessment of cloud offerings, and proposed ten principles of cloud computing risk loosely based on BMIS and cloud assessment road map consisting of four guiding principles: vision, visibility, accountability and sustainability.
The framework suggested is not a panacea, as variations occur in each of the different service models (SaaS, PaaS or IaaS) and deployment models (public, community, private, or hybrid). Variations also occur depending on whether the private/community clouds are onsite, outsourced or virtual (virtual private clouds). A cloud-consuming business needs to be aware of risk variations within each cloud model and remain accountable for risk and security regardless of the cloud model or the contractual obligations of the cloud service provider.
The proposed framework could be tailored to map to these various cloud models, and it could be expanded by mapping to detailed controls within ISO 27001, COBIT, NIST and other guidance and regulatory requirements in various industries. Another area of development is an expansion of the trade-offs between the various quality characteristics (in particular, functionality, reliability and efficiency) and the ways that various cloud offerings address the issue of consistency vs. availability vs. partitioning.
Endnotes
1 Wei, Yi; M. B. Blake, ‘Service-Oriented Computing and Cloud Computing: Challenges and Opportunities’, IEEE Internet Computing, November/December 2010
2 Hofmann, P.; D. Woods, ‘Cloud Computing: The Limits of Public Clouds for Business Applications’, IEEE Internet Computing, November/December 2010
3 Infoworld, ‘The 10 Worst Cloud Outages (and What We Can Learn From Them)’, 27 June 2011, www.infoworld.com
4 ENISA, ‘Cloud Computing: Benefits, Risks and Recommendations for Information Security’, 2009, www.enisa.europa.eu
5 Cloud Security Alliance, ‘Top Threats to Cloud Computing V1.0’, March 2010, www.cloudsecurityalliance.org/topthreats
6 OWASP, ‘OWASP Cloud—10 Project’, www.owasp.org/index.php/Category:OWASP_Cloud__10_Project
7 ISACA, IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, USA, 2011, www.isaca.org/cloud
8 The ten principles of cloud computing risk arose from a client engagement. The chief executive officer (CEO), overwhelmed with security issues, asked the chief information security officer (CISO) and his consultant (the author) to provide a list of the six principles that he should ask everyone in the organisation to follow regarding cloud computing. The author took this on as a challenge, but could not keep the list to six.
9 ISACA, Business Model for Information Security, USA, 2010
Editor’s Note
Guidance for BMIS is now incorporated in COBIT 5, www.isaca.org/cobit
David Vohradsky, CGEIT, CRISC, is a principal consultant with Tata Consultancy Services and has more than 25 years of experience in the areas of applications development, program management, information management and risk management. He has worked in senior management and consulting across multiple industries, adapting, implementing and utilising industry frameworks and ensuring compliance with regulatory requirements. Vohradsky specialises in governance, risk and compliance within TCS’s Global Consulting Practice, is a member of the ISACA CGEIT Test Enhancement Subcommittee, and an external thesis examiner for the Doctor of Business Administration at Charles Sturt University (Australia).