Monday, July 19, 2010

Risks and Security Concerns With Cloud Computing

Many of the risks frequently associated with cloud computing are not new, and can be found in enterprises today.
Well-planned risk management activities will be crucial in ensuring that information is simultaneously available and protected.
Business processes and procedures need to account for security, and information security managers may need to adjust
their enterprise’s policies and procedures to meet the business’s needs. Given the dynamic business environment and
focus on globalization, there are very few enterprises that do not outsource some part of their business. Engaging in a
relationship with a third party will mean that the business is not only using the services and technology of the cloud
provider, but also must deal with the way the provider runs its organization, the architecture the provider has in place,
and the provider’s organizational culture and policies. Some examples of cloud computing risks for the enterprise that
need to be managed include:
• Enterprises need to be particular in choosing a provider. Reputation, history and sustainability should all be factors to
consider. Sustainability is of particular importance to ensure that services will be available and data can be tracked.
• The cloud provider often takes responsibility for information handling, which is a critical part of the business. Failure
to perform to agreed-upon service levels can impact not only confidentiality but also availability, severely affecting
business operations.
• The dynamic nature of cloud computing may result in confusion as to where information actually resides. When
information retrieval is required, this may create delays.
• Third-party access to sensitive information creates a risk of compromise to confidential information. In cloud
computing, this can pose a significant threat to ensuring the protection of intellectual property (IP) and trade secrets.
• Public clouds allow high-availability systems to be developed at service levels often impossible to create in private
networks, except at extraordinary costs. The downside to this availability is the potential for commingling of
information assets with other cloud customers, including competitors.
• Compliance with regulations and laws in different geographic regions can be a challenge for enterprises. At this time
there is little legal precedent regarding liability in the cloud. It is critical to obtain proper legal advice to ensure that
the contract specifies the areas where the cloud provider is responsible and liable for ramifications arising from
potential issues.
• Due to the dynamic nature of the cloud, information may not immediately be located in the event of a disaster. Business
continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the
role it plays in terms of backups, incident response and recovery. Recovery time objectives should be stated in the
contract.
