Irena Bojanova - Home

Evaluating Initial Cloud Risks

Irena Bojanova
APR 10, 2013 08:00 AM

painting of cowboy wrangling wild horses

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is:

Exciting
Fast-growing
Full of opportunities

The stages of the Cloud follow the evolution of sharing on the Internet: networking, network sharing, information sharing, resources sharing, and services sharing (IBM).

Figure 1 - Evolution of Sharing on the Internet

Figure 1. Evolution of Sharing on the Internet

The first stage of the Cloud was around networking, the TCP/IP abstraction. Multiple regional networks, linking computers, were built at universities and national laboratories. Their inter-networking with TCP/IP led to network sharing and the emergence of the Internet and its worldwide adoption.
The second stage of the Cloud was around documents, the WWW data abstraction. The HTML format, the HTTP protocol, and the Mosaic browser were adopted by universities for document exchange and then worldwide for information sharing. Then, grid computing emerged with the creation of standards and software for remote resources sharing and collaboration, exclusively utilized for highly scalable High Performance Computing (HPC) jobs.
The newest stage of the Cloud, cloud computing, has emerged to provide services sharing by abstracting infrastructure complexities of servers, applications, data, and heterogeneous platforms.

No wonder then that CSA Security Guidance for Critical Areas of Focus in Cloud Computing considers two categories of assets that can be supported by the Cloud:

Data (information)
Applications/ functions/ processes (transactions/ processing)

CSA has also developed a simple framework to help evaluate initial cloud risks and inform security decisions:

It is a quick method that helps understand:
- Importance of what is considered to be moved to the cloud
- Organization's risk tolerance
- Which combinations of deployment and service models are acceptable
It also helps get a good idea of potential exposure points for sensitive information and operations.

A concise version of the framework is provided in the following table. Note that SPI is used as an acronym for the most common cloud computing service models, Software as a Service, Platform as a Service, and Infrastructure as a Service.

Table 1. Evaluating Initial Cloud Risks

Steps in Evaluating Risk	Details
1. Identify asset for cloud deployment Determeine exactly what data or applications/ function/ process is being considered for the Cloud.	Potential uses of asset to account for: Scope creep — data and transaction volumes often become higher than expected.
2. Evaluate asset Determine how sensitive that data is and how important that application/ function/ process is to organization. Assess confidentiality, integrity, and availability; and how risk changes if all/ part of that asset is in the Cloud — similar to project outsourcing assessment, just with wider range of deployment options.	Ask what would be the harm if: Asset became widely public and widely distributed Asset were accessed by employee of Cloud provider Process/function were manipulated by outsider Process/function failed to provide expected results Data were unexpectedly changed Asset were unavailable for a period of time
3. Map asset to cloud deployment models Determine if any risks implicit to different deployment models (private, public, community, hybrid) and hosting scenarios (internal, external, combined) are acceptable. At this point there should be a good idea of the comfort level for transitioning to the Cloud, and which deployment models and locations fit desired security and risk requirements.	Which model is acceptable for identified asset: Public Private, internal/ on premises Private, external — look at dedicated or shared infrastructure Community — look at hosting location, service provider, community members Hybrid — look at least at rough architecture of where components, functions, and data will reside
4. Evaluate cloud service models and providers Focus on degree of control organization will have at each SPI tier to implement any required risk management (risk mitigation). For a specific offering, switch to a fuller risk assessment.	Consider: SaaS PaaS IaaS	Consider: Providers' offerings
5. Map out data flow For specific provider offering, map out data flow between organization, cloud service, any customers/ other nodes. Understand whether and how data can move in and out of the Cloud. For any offering, sketch out rough data flow for any deployment option on your acceptable list, to help you identify risk exposure points when making final decisions.	Consider: Private Public Community Hybrid	Consider: Providers' offerings

Steps in Evaluating Risk

Details

1. Identify asset for cloud deployment

Determeine exactly what data or applications/ function/ process is being considered for the Cloud.

Potential uses of asset to account for:

Scope creep — data and transaction volumes often become higher than expected.

2. Evaluate asset

Determine how sensitive that data is and how important that application/ function/ process is to organization. Assess confidentiality, integrity, and availability; and how risk changes if all/ part of that asset is in the Cloud — similar to project outsourcing assessment, just with wider range of deployment options.

Ask what would be the harm if:

Asset became widely public and widely distributed
Asset were accessed by employee of Cloud provider
Process/function were manipulated by outsider
Process/function failed to provide expected results
Data were unexpectedly changed
Asset were unavailable for a period of time

3. Map asset to cloud deployment models

Determine if any risks implicit to different deployment models (private, public, community, hybrid) and hosting scenarios (internal, external, combined) are acceptable.
At this point there should be a good idea of the comfort level for transitioning to the Cloud, and which deployment models and locations fit desired security and risk requirements.

Which model is acceptable for identified asset:

Public
Private, internal/ on premises
Private, external — look at dedicated or shared infrastructure
Community — look at hosting location, service provider, community members
Hybrid — look at least at rough architecture of where components, functions, and data will reside

4. Evaluate cloud service models and providers

Focus on degree of control organization will have at each SPI tier to implement any required risk management (risk mitigation).
For a specific offering, switch to a fuller risk assessment.

Consider:

SaaS
PaaS
IaaS

Consider:

Providers' offerings

5. Map out data flow

For specific provider offering, map out data flow between organization, cloud service, any customers/ other nodes. Understand whether and how data can move in and out of the Cloud.
For any offering, sketch out rough data flow for any deployment option on your acceptable list, to help you identify risk exposure points when making final decisions.

Consider:

Private
Public
Community
Hybrid

Consider:

Providers' offerings

Anyone have ideas or sources on how initial cloud risks are or should be evaluated? Please share here!

Irena Bojanova, Ph.D., is the Founding Chair of IEEE CS Cloud Computing STC, an associate editor of IEEE Transactions on Cloud Computing, and an editorial board member of IEEE CS IT Professional. She is a professor and program director, Information and Technology Systems, at University of Maryland University College, managed academic programs at Johns Hopkins University and PIsoft Ltd., and co-started OBS Ltd., (now CSC Bulgaria). Her current research interests include cloud computing, web-based systems, and educational innovations. She is a member of the IEEE and can be reached at ibojanova@umuc.edu.

FIRST

LAST

Page(s):

[%= name %]

[%= createDate %]

[%= comment %]

Preview of Encyclopedia of Cloud Computing – Part 1

Wednesday, Feb 17, 2016

ARTICLE: The book covers broad range of topics aimed at helping you gain an informed and comprehensive understanding of the promises and the potential of cloud computing.

Defining Cloud Computing

Sunday, Feb 24, 2013

BLOGPOST: Cloud computing (CC) allows pay-per-use or charge-per-use access to applications, software development and deployment environments, and computing infrastructure. It provides optimized and efficient computing through enhanced collaboration, agility, scalability...

Evaluating Initial Cloud Risks

Wednesday, Apr 10, 2013

BLOGPOST: The stages of the Cloud follow the evolution of sharing on the Internet: networking, network sharing, information sharing, resources sharing, and services sharing.

Understanding Multi-Tenancy I

Wednesday, Apr 24, 2013

BLOGPOST: NIST has defined five essential cloud characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

Understanding Multi-Tenancy II

Friday, May 3, 2013

BLOGPOST: Continuing our discussion on multi-tenancy, note that Gartner places multi-tenancy close to the peak of expectations in the Hype Cycle for Cloud Computing, shown on Figure 1.

Exploring Service Model Architecture

Friday, May 10, 2013

BLOGPOST: NIST lists three cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) (please see the "As discussed in the Defining Cloud Computing" post and Figure 1).

Addressing Cloud Security

Monday, May 20, 2013

BLOGPOST: Understanding cloud security risks is related to understanding the relationships and dependencies between cloud computing models. IaaS forms the foundation of the service model architecture, PaaS builds upon IaaS, and SaaS in turn builds upon PaaS; and information security issues and risks are inherited just as capabilities are.

Cloud Interoperability and Portability

Thursday, Jun 20, 2013

BLOGPOST: Interoperability and portability are closely related to the previously discussed Cloud elasticity and multi-tenancy. Any IaaS to SaaS cloud-implemented system should have as design goals both interoperability and portability to fully gain the benefits of the Cloud elastic environment. Although interoperability and portability are not unique for cloud and the related security aspects did not emerge with cloud computing, multi-tenancy (where data and applications of different customers/companies share platforms, storage, networks) brings the need of greater precautions than those required for traditional processing models.

Cloud Interoperability and Portability II

Thursday, Jul 25, 2013

BLOGPOST: Being locked-in by a cloud provider is not what customers plan to experience. So, let’s explore a bit more on the cloud portability and interoperability topic. The Open Cloud Manifesto explains data and applications interoperability and portability

Cloud Interoperability and Federation

Thursday, Aug 8, 2013

BLOGPOST: Clouds today do not interoperate, resulting in absolute limitations in geographical coverage, resource functionality, and resource scalability. A cloud provider may not have resources where a cloud consumer needs them; a cloud provider may not offer the type of resource needed; and a cloud provider's resources cannot be infinitely elastic.

Cloud Computing in Research and Education

Tuesday, Nov 5, 2013

BLOGPOST: Cloud computing has huge potential to accelerate research, enhance collaboration, and enrich education. Educators, research administrators, IT directors, and research should realize and leverage cloud’s potential in research, teaching, and learning. They can complement their current in-house cyberinfrastructure by deploying public, private, or hybrid clouds. In fact, as a recent survey reveals, some are already benefiting by embracing the clouds.

Cloud Computing - What's Next?

Monday, Feb 3, 2014

PODCAST: Cloud computing is no longer on the horizon; it’s already here in a big way. Governments, business, industry, and individuals are increasingly using cloud computing for their information processing, and computational and developmental needs. They have begun to realize several benefits of cloud computing, including pay for the use, quick deployment of applications, variety of offerings from several cloud service providers, enhanced collaboration, agility, scalability, and availability.

CLOUD - Future of Mobility and its Impact to Cloud

Friday, Mar 28, 2014

BLOGPOST: This week, I had the honor of co-hosting the “Future of Mobility and its Impact to Cloud” breakout session at The Intersection of Cloud and Mobility Forum, which attracted more than 50 government and business experts in the fields of cloud, mobility, and measurement. Here I share some of my presentation main points, and the brainstorming questions. >>> Wearables, Scannables, Drivables, Flyables: Did your pill just call you?—Don’t be surprised! It all is coming in full speed. We will be able to monitor our health through wearables, get our houses on the phone, use the human body for data transmission, and sense the environment.

The Nexus of Forces at World Cup 2014

Thursday, Jul 10, 2014

BLOGPOST: The Nexus of Forces (defined as convergence and mutual reinforcement of social, mobile, cloud, and information) in combination with the Internet of Everything (IoE) had a game changing role at the World Cup in Brazil

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is:

[% if(channel!='') { %][%=channel%] - [% } %][%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=title%]

[%=dateTime%]

There are no entries that match your criteria.

It's the High-Tech Wild, Wild West out there! Although the Cloud Computing marketplace is still chaotic, it is:

[% if(channel!='') { %][%=channel%] - [% } %][%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=dateTime%]

[%=title%]

[%=title%]

[%=dateTime%]

There are no entries that match your criteria.

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is: