Cloud Risks - Are we looking in the right direction? May Executive Summary

Transcription

1 May 2013 Risks of cloud computing are complex and diverse. With proper identification and management of those risks, cloud computing can be more secure than on premise. Cloud Risks - Are we looking in the right direction? By Reinout Schotman, Abbas Shahim and Ahmed Mitwalli Executive Summary The perceived risks associated with cloud are a major barrier to adoption for enterprises considering cloud computing. But when they consider the risks, most simply look at the security risks within the cloud provider. However, many other, possibly more relevant risks also need to be assessed and managed, including enterprise, political and environmental, for which Canopy has developed a Cloud Risk Identification Matrix. This matrix helps an enterprise to identify and score risks so it can plan its path to the cloud more effectively. The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk of missed benefits. Don t fear the cloud; embrace it. 1

2 2 The risks associated with the cloud are a top concern for enterprises considering cloud computing, with security uppermost thanks to the common assumption that a cloud solution is inherently less secure than a traditional one. It s an issue to which cloud vendors respond by reassuring enterprises of the stringent security aspects of their solutions, but this sidesteps a much broader assessment of risk. This view of the cloud is too limited: while enterprises and vendors focus their attention on technical security risks, other, potentially bigger risks either remain unidentified or receive insufficient attention. Cloud computing can be secure - sometimes more secure than an enterprise can achieve on its own. But if an enterprise is to achieve acceptable levels of risk that allow it to migrate to the cloud, it must use a structured approach to identifying, assessing and mitigating risks as well as adopt a governance structure that enables it to manage risk effectively. Enterprises must also retain their legal and regulatory compliance as they move to a cloud model, and must be able to prove this compliance to ensure that the business is not subject to an uncontrolled risk. Cloud computing allows enterprises to achieve greater business efficiencies and can lower the barriers to entry to new markets. But with new paradigms come new risks which may not be well understood. This uncertainty is constraining adoption, as Figure 1 shows. Canopy s Cloud Risk Identification Matrix allows enterprises to identify, segment and score risks so they can develop cloud risk profiles for different workloads. Cloud providers typically respond to enterprise concerns by demonstrating how well their solutions are protected and data centers secured, publishing up-time statistics and displaying compliance certificates. However, just as many enterprises overstate the risks of a cloud solution, at the other end of the scale, some fail to do adequate due diligence and may be too accepting of vendor assurances about the risks of their cloud solutions taking a vendor technical security assessment on trust. The true story is more complex. In reality, all risks are neither wholly the responsibility of the vendors nor are they mostly technical. Risk Identification Risks differ in type and origin, but regardless of the cloud delivery model (private, public, hybrid, etc), there are five sources of risk: 1. Users 2. Enterprise 3. Network Provider 4. Cloud Provider 5. Environment Legal Jurisdiction Security & Data Protection Trust Data Access & Portability Data Location Local Support Change Control Ownership of Customization Evaluation of Usefulness Slow Internet Connection Local Language Tax Incentives Figure 1: Barriers restricting cloud adoption in enterprises (European Commission, IDC 2012) There are many different definitions of cloud risk - Gartner, Forrester, Wikipedia, each has their own that look at different attributes. Based on these definitions and Canopy s experience, Canopy segments risk according to three key defining questions: 1. Which risks may jeopardize service availability? (Availability) 18,2% 18,0% 17,9% 17,0% 25,1% 24,9% 23,8% 22,8% 22,4% 21,4% 31,7% 30,5% 0% 10% 20% 30% 40% Respondents answering very/completely 2. Which risks may jeopardize data integrity and confidentiality? (Integrity & Confidentiality) 3. Which risks may jeopardize compliance to in-house and external policies, rules and regulations and auditability? (Compliance & Auditing) Both the origin of risk and the type of risk define the Cloud Risk Identification Matrix. An enterprise needs to score the risks per application or workload and possibly even per cloud vendor as different vendors may imply different risks. Whether a risk is high or low is determined by three factors: 1. The likelihood of an event 2. The size of impact if that event happens 3. The ease by which such an event can be mitigated The combined risks in the Cloud Risk Identification Matrix define a risk profile for a specific workload which needs to match the risk appetite for that workload. For instance, the required risk profile for an internal training delivery system is likely to be different from that of a

3 Cloud Risk Identification Matrix Risk Origin financial transaction processing system. An example of a risk profile of a specific workload in an enterprise is shown below. Typically, the risks with high frequency and easy mitigation have low impact. This means that the overall risk score is low. Many of the more technical risks, such as performance issues at the provider, fall into this category. On the other hand, catastrophic, environmental risks may happen infrequently but can have a severe impact and can be difficult to mitigate. One problem with risk scoring is that while the impact can be determined accurately, the frequency cannot. Another is that mitigation may exist but may be neglected, which unintentionally increases the actual risk profile. Clearly cloud security is not just about technology - it is also about governance in a diversified business environment. Identifying the different risks in this complex environment will allow a more accurate assessment of the total risk and ensure mitigations that might otherwise be overlooked. This may in turn lead to different choices on the path to cloud computing. User risks Users are more mobile and often employ a variety of devices for access. In many cases these devices Availability Type of Risk Integrity & Confidentiality are either privately owned (Bring Your Own Device, BYOD) or subject to limited control by the enterprise (such as smartphones or tablets). A risk is the proliferation of data on devices beyond the control of the enterprise. If a device is lost, stolen or discarded, its data may still be accessible. This data does not necessarily need to be structured data; it could well be a file containing sensitive information. In fact, the most common applications - and Excel - may also pose the highest risk as both applications are used heavily to distribute sensitive data beyond the control of an enterprise. Information management should go beyond enterprise applications with structured data. If data is stored on a user device, enterprises must implement proper controls to ensure the data is secured. Enterprise risks Compliance & Auditing User Low Medium Low Enterprise High Medium Medium Network Provider Cloud Provider Environment (natural, political) Medium Medium Low High Low Low Medium Low Low Most enterprises regard the infrastructure within their premises as more secure than the (public) cloud. But in reality, enterprises seldom operate industrial-grade data centers similar to those of largescale cloud providers, which are highly secure in terms of procedure and control. A data center s Power Usage Effectiveness (PUE) assesses how efficiently a data center uses energy - the lower the PUE the better, with a PUE of 1.0 being ideal. Most enterprise data centers operate at a level of 2.0 or higher, whereas Google s PUE, for example, is Efficiency can only be achieved by scaling up to an industrial level with robust processes and control. Apart from being cheaper and greener, large cloud providers are also likely to operate more comprehensive security procedures, resulting in less operational risk. Other key risks may well also be reduced by moving to the cloud. For example, internal events are often under-reported because they are resolved through informal networks of employees, so the enterprise has an inaccurate picture of its current exposure to risk. Moving to the cloud eliminates this as cloud providers have stringent security processes where all events are logged. Another critical area of concern is enterprise identity and access management (IAM), an area any enterprise considering a move to the cloud needs to take seriously. Typically, enterprises use software such as Microsoft Active Directory (AD) to control access and register users. It s not uncommon for 10-20% of registered identities to be ghosts as staff leave or access is revoked. Without good IAM governance processes, an enterprise will have an incomplete picture of its IAM status, which contributes to risk. This is critical as while a generic report on the technical security of a cloud provider may demonstrate excellent technology and processes, a move to that cloud provider may still result in lower security levels for some enterprises depending on the state of their IAM governance processes. To avoid this, a thorough and comprehensive assessment of different sources of risk must be undertaken before making a migration decision. Network provider risks Cloud services may significantly change network topology and bandwidth requirements. While 3

4 network availability is ubiquitous in some countries, in others it is not. There may be two legs of network connections: between the cloud provider and the enterprise, and between a cloud provider and a user. The first leg is more or less static and can be controlled; the second is mostly dynamic and therefore difficult to control. If the user is spread across different regions, it may be a challenge to control the quality of service, which can compromise the "Availability" component of the Cloud Risk Identification Matrix. For example, when a Mediterranean submarine cable was cut near Alexandria in 2012 it caused severe internet outages and disruption in the Middle East, India and Pakistan. In addition, a user may also be prone to session hijacks, such as Man in the Middle (MitM) attacks on wifi connections. Providers typically counter this risk by providing some form of encryption of the communication session, such as SSL. But these security measures can be breached and for enterprises and even cloud providers it can be difficult to identify, qualify and quantify such risks. Internet censorship may also cause disruption, again a risk difficult to qualify and quantify. Nevertheless, it and others should be accounted for under data integrity and confidentiality in the Cloud Risk Identification Matrix. When designing and implementing a solution, there should always be a thorough assessment of network topology, quality of service and risks. Indeed, it should be scheduled on a regular basis as it forms one of the building blocks of good governance for enterprise architecture. Cloud provider risks Enterprises often focus extensively on the risks of cloud providers when they choose a vendor. Many risks are related to the operations of the provider and are part of their service level agreement (SLA). But in reality these risks are small compared with those that would exist if the services were provided by the enterprise. Other risks, such as the continued existence of the Example: is probably amongst the most business critical and widely used enterprise applications. Many processes and management control will simply cease to exist without . , or more widely grouped as business productivity tools have been an early adopter of cloud. Microsoft and Google compete fiercely on this market. A large, global enterprise adopted Google Apps for business productivity (such as Gmail). It was cheaper and more secure than what it could achieve in-house. What it did not realize is that by adopting Google Apps, it became exposed to risks out of control of both the enterprise and Google. In 2012, during the Chinese Party Congress, the Chinese government shut down all access to Google services to prevent any possible political unrest. As a result, the enterprises using Gmail was shut off too, which caused significant disruption of its Chinese operations. The enterprise could have prevented or limited the impact if it had identified this risk and planned a mitigation. provider itself, may be small, but could have an impact that is difficult to mitigate. What happens if a provider defaults financially and service is discontinued? The market is currently so fragmented that we can expect some providers to fail as well as consolidation as it matures. The risks of consolidation or bankruptcy among service providers are difficult to identify and it is hard to predict their timing and (expected) frequency. Obviously, scale is important and large providers such as Microsoft, Google and Amazon, are less likely to fail than small niche cloud providers. This risk should either be a selection criterion or risk mitigation scenarios should be available. Another common misconception is that operational risks can be solved through SLAs. An SLA is a contractual or financial incentive for the provider to prevent the occurrence of an event. The event and the impact can be well understood, but the expected occurrence can hardly ever be reliably determined. SLAs can impose an incentive on the provider to manage frequent, but low impact events. They cannot help prevent low frequency, high impact events. In fact, many small, start-up cloud providers may neglect such low frequency, high impact events because they operate with a different appetite for risk. For instance, a cloud provider may have server redundancy in its infrastructure within one data center, but may not have a mirrored infrastructure at hot stand-by available for disaster recovery. At the other end of the risk spectrum, a cloud provider may offer protection from risks so extreme that they are inconsequential. For example, a data center in Finland was built in a former military nuclear bunker complex and marketed its infrastructure as nuclear-bomb proof. Not many businesses care about the risk of such an event. Environmental risks While many risks can be controlled or mitigated, there remains a group that cannot; they are political or caused by natural disasters. Political risk comes in all shapes and sizes, from dictatorial to legislative. For example, when the Chinese government blocked Google in November 2012, many enterprise users with Google Docs were denied service. Yet to be resolved, and clearly a potential risk, is the lack of clarity concerning the impact of the US Patriot Act on data privacy. While the United States demands that its security 4

5 agencies have access to corporate data, even overseas, the European Union forbids such access. Enterprises could find themselves caught in the middle, in a very uncomfortable position. Natural disasters can also affect service availability, mostly due to internet or power outages. The 2011 tsunami in Japan and the subsequent failure of the Fukushima nuclear energy plants resulted in a severe shortage of power, while Hurricane Sandy in 2012 in the US showed that natural disasters can disrupt services in highly developed areas, and with some regularity. These events cannot be controlled. An enterprise can only ensure it has adequate disaster recovery procedures for those services that require high availability. Governance of risks The risks of cloud are diverse and broad. But the process of managing those risks does not fundamentally differ from general risk management. When considering risk mitigation strategies, the options are: 1. Avoid - prevent it from happening 2. Reduce - actively plan and manage to limit occurrence and severity 3. Outsource - hand over to other parties such as the provider 4. Accept - because the cost of mitigation outweighs the risk itself or simply because you cannot control it. The risk strategies of all risks combined and for all cloud solutions determine the risk profile of cloud for an enterprise. The framework below illustrates one approach to managing cloud risks. Such a process may have various permutations as risks are driven by demand (business process needs, cultural and people needs) and by supply (IT infrastructure, IT management and organization). The effectiveness of risk management is determined by the balance between supply and Figure 2: Risk Management demand & supply model demand. Figure 3: Risk Management maturity model Although the risk management and governance frameworks are not fundamentally different, cloud will affect how risk management is implemented. The experiences of employees with consumer IT has increased the demand for usability, flexibility and agility at lower cost and the informal use of cloud applications in enterprise is proof of this. Meanwhile, risk management has become more complex because many risks that were internal may now have external implications, such as insufficient identity and access management. Because many services that were previously in-house and onpremise are now provided by a cloud vendor, possibly on an informal basis, control over those risks has become indirect. Demand has grown while the complexity of supply has changed. Cloud computing has therefore led to a need for a new balance of demand and supply of risk management. A rigid risk governance framework is not sufficient to meet this new model. If an enterprise has very restrictive security measures in place, users may revert to informal cloud use. Although an enterprise may have a tightly implemented risk governance framework, the realities of cloud may still increase risk. Should enterprises embrace cloud? 5

6 As with any shift to a new model, there are uncertainties that need to be resolved. The business economics, rationale and user experiences are so compelling that the transformation into the cloud paradigm will happen regardless of enterprise policy. Informal use of public cloud in the enterprise is probably far more widespread than is visible to IT. Restricting rather than facilitating cloud computing will not lead to more security and may lead to inflexibility and competitive disadvantage. An appropriate response is a proactive one in which a clear migration roadmap which includes a clear and robust security plan is defined and managed across IT. Such a policy starts with a honest look at current risk of legacy, on-premise infrastructure. The alternative is a reactive response to demands that will only result in crisis management or repression. Summary Canopy s assessment of risks associated with the use of cloud computing in the enterprise provides us with three important lessons: 1) Cloud is not necessarily less secure. Many cloud providers offer better security than enterprises could manage internally, due to better scale and focus. There are, however, new risks to consider. 2) Risk management in enterprises does not necessarily require a different framework, but an enterprise must ensure that supply and demand are balanced. Enterprises must also ensure that the maturity is sufficient and adjusted to cloud. 3) If enterprises do not embrace cloud, informal IT will increase, and with this comes unmanaged risk. A reactive approach will not only increase risk, but also will exclude many business opportunities that cloud may bring. The message is clear. The risks of failing to plan for cloud computing are real. And so is the risk of missed benefits. Don t fear the cloud; embrace it. 6

7 About Canopy Cloud Canopy ( is a one-stop-cloud-shop for enterprises. It provides strategic consultancy; development, migration and test environments; secure on- and offpremise private cloud implementation; and access to a growing eco-system of business solutions and processes through a SaaS Enterprise Application Store. Canopy is an independent company, founded by Atos, EMC and VMware. Headquartered in London, Canopy is global in scope, with consultancy teams operating across Europe, North America and Asia Pacific. Canopy Consulting is a trusted cloud computing advisor to leading private and public sector organizations around the world. Staffed almost exclusively with professionals trained at tier one strategic advisory firms, we focus on helping senior executives achieve business objectives by leveraging cloud technologies. About the Authors Reinout Schotman is Associate Partner at Canopy Cloud - Consulting and leader in the field of cloud computing. Prior to joining Canopy Cloud in 2013, Reinout worked at Accenture and several international telecom firms. Reinout holds a MSc in Applied Physics of Delft University of Technology. Abbas Shahim is Partner at Atos Consulting and the Global Lead of Information Security and Risk Management. He is also Associate Professor at the VU University Amsterdam and the Vice President of Information Systems Audit and Control Association (ISACA) chapter in the Netherlands. Ahmed Mitwalli is Managing Partner, Canopy Cloud - Consulting. Prior to Canopy, he was with McKinsey & Company for 12 years where he was a Partner and a leader in the Business Technology Office. He has a PhD in Electrical Engineering and Computer Science from MIT, and is a holder of five US technology patents. For more information on how Canopy Cloud helps organizations to benefit from the cloud, please contact: Reinout Schotman reinout.schotman@atos.net Abbas Shahim abbas.shahim@atos.net Ahmed Mitwalli ahmed.mitwalli@atos.net Copyright 2013 Canopy Cloud Ltd Canopy - The Open Cloud Company and its logo are trademarks of Canopy Cloud Ltd. All rights reserved. 7