Who is responsible for risk mitigation in the Cloud?

October 6th, 2010

| RISK | THREAT | MITIGATING PARTY |
| --- | --- | --- |
| Insecure, Porous APIs | Man in the middle, content threats, code injection, DoS attacks | Enterprise and Cloud Provider |
| Logical Multi-Tenancy | Virtual machine attacks, malicious code execution, commingled tenant data | Cloud Provider |
| Data Protection and Confidentiality | Reduced confidentiality and privacy for private data stored in the clear at the cloud provider | Enterprise and Cloud Provider |
| Data Loss and Reliability | Unavailability or permanent loss of critical Enterprise data | Cloud Provider |
| Audit and Monitoring | Increased risk due to rogue uses of cloud services within the Enterprise | Enterprise |
| Cloud Provider Insider Threats | Mismatched security practices at the cloud service provider create a weak link for a determined attacker | Cloud Provider |
| Account Hacking, Access Control, and Authorization | Coarse account access control at the cloud provider increases the value of a stolen account | Enterprise and Cloud Provider |

A number of posts and comments on these types of risks would lead many readers to believe that cloud computing (private or public) might never really get off the ground. A couple of counterpoints to that impression are that many businesses will explore this option as yet another means of reducing their IT costs, and that the U.S. government is a big proponent of this concept, as are local and state governments. Time will tell whether the latter point is good or bad for this concept.

What remains as the final argument to these risks is that, aside from greater use of virtual technology, which does in fact have more inherent risks in a shared environment, these threats are the same in most outsourcing agreements. Due diligence, sensible contract terms and market pressure will improve security, and economics will pull the adoption along.

Let Daniel L. Ruggles and the team at PM Kinetics, LLC help you navigate the complexities of IT Governance, Cloud Computing, Sourcing & Capital Planning, Vendor Management, IT Security, and Infrastructure planning & execution. For more information on our technical consultancy services, contact or call PM Kinetics today at (678) 528-7399.