Managing Risks in the Cloud

Cloud computing is the technique of using multiple server computers which are connected via a real time communication network as if they were one. To understand this concept further, consider a scenario where you have to onboard many resources from different countries for a large scale project. Now all of these resources would need applications / softwares specific to this project and also documents will have to be shared with them. Email services provide constraints in such case where there is a limit to the file size you can send. The solution to all this is using a cloud computing service where all the files can be shared and can be accessed from any computer in the world. So with the use of a single service, many different files can be accessed from multiple locations.

What are the risks in Cloud Computing?

Though cloud computing seems and in many ways is a very feasible and efficient option, there are many risks involved which must be highlighted.

Below mentioned are some of the risks identified:

• Physical data / Logical security threats: The physical setup of the server as well as the logical system security is dependent on the service provider. The responsibility and control of the data is with the cloud computing provider and hence this may serve as a risk for organizations with sensitive data on cloud. Since the data is stored with the external provider, the security of the data is not guaranteed. This would depend on the control measures implemented by the service provider

• Dependency on cloud computing provider: The organization may become dependent upon the provider. Disaster recovery and business continuity of the organization will be in the hands of the provider.

• Difficulty in migrating data: If the organization decides to change the cloud computing provider for some reason, then to migrate all the data to another provider is an additional effort and may be difficult.

• Cloud computing provider goes out of business: The organization must consider a rather rare scenario where the provider goes out of business.

How to manage risk in Cloud Computing?

The above risks may give an impression of Cloud Computing being a very unsafe option, but if appropriate measures are taken, these risks can be mitigated as Cloud Computing is very widely used today and we do not foresee this changing. Listed below are a few measures to mitigate the risks:

• Before considering various providers for Cloud Computing, it is important to perform a thorough risk assessment in order to understand the risks involved in migrating your organization’s data to a third party.

• It is important to have suitable agreements in place with the service provider in order to safeguard against certain risks (for eg. An SLA must be signed to list down the responsibilities of each party). These agreements must have details such as how the data is protected and who can access it.

• The organization needs to know the physical location of the data, the access controls in place and which data encryption technologies are being utilized. The organization must ensure that the provider has certain authentication and authorization techniques in place. Preferably, sensitive data must have multiple layers of security.

• If the data is stored in another country, then regional or other laws might apply.

• Organizations must make sure that vulnerability assessment practices are implemented and performed.

• The cloud provider’s disaster recovery capabilities must be known and also tested by the provider himself.

• To verify all the above points are adhered to by the provider is not always practically possible. Hence organizations must consult third party audits to verify the same. The audit clause must also be included in the contract.

Cloud Computing is a thrilling development for IT ventures with many benefits, but it also brings many challenges in picture for protecting organization’s data. The risks involved must be accurately identified and managed, hence striking a perfect balance between taking advantage of the opportunities offered by Cloud Computing and protecting organization’s data.

About Author:

Kintu Racca is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: kintu.r@spluspl.com