Enterprise Risk Management for Cloud Computing

As defined in COSO’s 2004 Enterprise Risk Management – Integrated Framework: “Risk is the possibility that an event will occur and adversely affect the achievement of objectives.”
The types of risks (e.g., security, integrity, availability, and performance) are the same with systems in the cloud as they are with non-cloud technology solutions.

An organization’s level of risk and risk profile will in most cases change if cloud solutions are adopted (depending on how and for what purpose the cloud solutions are used). This is due to the increase or decrease in likelihood and impact with respect to the risk events (inherent and residual) associated with the CSP that has been engaged for services.

Some of the typical risks associated with cloud computing are:

  • Disruptive force – Facilitating innovation (with increased speed) and the cost-savings aspects of cloud computing can themselves be viewed as risk events for some organizations. By lowering the barriers of entry for new competitors, cloud computing could threaten or disrupt some business models, even rendering them obsolete in the future. For example, streaming media over the Internet was a technology solution that significantly reduced the sales of CDs and DVDs and the need for physical retail stores. Existing competitors that fully embrace the cloud might be able to bring new ideas and innovation into their markets faster. Since cloud computing solutions yield considerable short-term cost savings due to reduced capital expenditures, an organization adopting the cloud might be able to extract better margins than its non-cloud competitors. Thus, when an industry member adopts cloud solutions, other organizations in the industry could be forced to follow suit and adopt cloud computing.
  • Residing in the same risk ecosystem as the CSP and other tenants of the cloud – When an organization adopts third-party-managed cloud solutions, new dependency relationships with the CSP are created with respect to legal liability, the risk universe, incident escalation, incident response, and other areas. The actions of the CSP and fellow cloud tenants can impact the organization in various ways. Consider the following:
    1. Legally, third-party cloud service providers and their customer organizations are distinct enterprises. However, if the CSP neglects or fails in its responsibilities, it could have legal liability implications for the CSP’s customer organizations. But if a cloud customer organization fails in its responsibilities, it is less likely there would be any legal implications to the CSP.
    2. Cloud service providers and their customer organizations are likely to have separate enterprise risk management (ERM) programs to address their respective universe of perceived risks. Only in a minority of cases (involving very high-dollar contracts) will CSPs attempt to integrate portions of their ERM programs with those of their customers. The universe of risks confronting an organization using third-party cloud computing is a combination of risks the individual organization faces along with a subset of the risks that its CSP is facing.
  • Lack of transparency – A CSP is unlikely to divulge detailed information about its processes, operations, controls, and methodologies. For instance, cloud customers have little insight into the storage location(s) of data, algorithms used by the CSP to provision or allocate computing resources, the specific controls used to secure components of the cloud computing architecture, or how customer data is segregated within the cloud.
  • Reliability and performance issues – System failure is a risk event that can occur in any computing environment but poses unique challenges with cloud computing. Although service-level agreements can be structured to meet particular requirements, CSP solutions might sometimes be unable to meet these performance metrics if a cloud tenant or incident puts an unexpected resource demand on the cloud infrastructure.
  • Vendor lock-in and lack of application portability or interoperability – Many CSPs offer application software development tools with their cloud solutions. When these tools are proprietary, they may create applications that work only within the CSP’s specific solution architecture. Consequently, these new applications (created by these proprietary tools) might not work well with systems residing outside of the cloud solution. In addition, the more applications developed with these proprietary tools and the more organizational data stored in a specific CSP’s cloud solution, the more difficult it becomes to change providers.
  • Security and compliance concerns – Depending on the processes cloud computing is supporting, security and retention issues can arise with respect to complying with regulations and laws such as the Sarbanes-Oxley Act of 2002 (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the various data privacy and protection regulations enacted in different countries. Examples of these data privacy and protection laws would include the USA PATRIOT Act, the EU Data Protection Directive, Malaysia’s Personal Data Protection Act 2010, and India’s IT Amendments Act. In the cloud, data is located on hardware outside of the organization’s direct control. Depending on the cloud solution used (SaaS, PaaS, or IaaS), a cloud customer organization may be unable to obtain and review network operations or security incident logs because they are in the possession of the CSP. The CSP may be under no obligation to reveal this information or might be unable to do so without violating the confidentiality of the other tenants sharing the cloud infrastructure.
  • High-value cyber-attack targets – The consolidation of multiple organizations operating on a CSP’s infrastructure presents a more attractive target than a single organization, thus increasing the likelihood of attacks. Consequently, the inherent risk levels of a CSP solution in most cases are higher with respect to confidentiality and data integrity.
  • Risk of data leakage – A multi-tenant cloud environment in which user organizations and applications share resources presents a risk of data leakage that does not exist when dedicated servers and resources are used exclusively by one organization. This risk of data leakage presents an additional point of consideration with respect to meeting data privacy and confidentiality requirements.
  • IT organizational changes – If cloud computing is adopted to a significant degree, an organization needs fewer internal IT personnel in the areas of infrastructure management, technology deployment, application development, and maintenance. The morale and dedication of remaining IT staff members could be at risk as a result.
  • Cloud service provider viability – Many cloud service providers are relatively young companies, or the cloud computing business line is a new one for a well-established company. Hence the projected longevity and profitability of cloud services are unknown. At the time of publication, some CSPs are curtailing their cloud service offerings because they are not profitable. Cloud computing service providers might eventually go through a consolidation period. As a result, CSP customers might face operational disruptions or incur the time and expense of researching and adopting an alternative solution, such as converting back to in-house hosted solutions.

In addition to these risks, certain characteristics of cloud computing may give rise to other less apparent challenges that warrant evaluation.

Some management teams may be willing to accept the risks of running their entire enterprise in a public cloud given the small up-front capital investment requirements. Start-ups and venture capitalists are likely to prefer focusing their investments on the business model rather than a technology infrastructure that would be of limited value if the venture were to fail. Start-ups can deploy their business models supported by cloud solutions more quickly and more economically in comparison to the previous generation of technology options.

All of the cloud computing risks discussed here should be given careful consideration (that is, undergo a risk assessment), as the materialization of any of these risks will present very undesirable consequences. Many of the risks highlighted here are not likely to be mitigated by contractual clauses with a CSP (assuming the contract is even negotiable – most commodity cloud contracts are not). Consequently, mitigation solutions may need to be implemented outside of the immediate cloud solution provided by the CSP.

https://www.coso.org/Documents/Cloud-Computing-Thought-Paper.pdf