Managing Cloud Computing risk factors

Cloud computing risk factors Part 2: The bogeymen continue

Thursday, October 20, 2011 | Dan Blacharski

Cloud computing risk factors, both real and imagined, continue to lurk around every corner. But rather than running in the opposite direction as fast as one possibly can, the more appropriate response is to acknowledge that there are risk factors in the cloud, as there are with any other business computing model; to weigh those risks against potential rewards, and to exercise due diligence and best practices in mitigating those risks.
[ Cloud computing has fuelled renewed interest in outsourcing, this is resulting in enterprises reassessing their IT service sourcing strategies. The Cloud, Managed Hosting, Colo or In-house?research outlines some interesting considerations helping you to understand who has control and the costs associated with In-house Vs External hosting. ]
"As a business model, the cloud is more than just a methodology. It's the biggest game-changer since the Industrial Revolution," says Cary Landis, CEO of cloud platform provider Virtual Global. "What's even more exciting are the cloud-based innovations that are yet to come. But at the same time, we must acknowledge the real and imagined risks involved in deploying the cloud - and implement a realistic strategy that takes full advantage of the cloud model while ensuring the most secure operating environment possible."

The low-hanging fruit of cloud computing FUD are issues relating to the shared environment. If my data is on a shared platform, and my applications derive from a common code base, the argument goes that there are inherent risks that go with that multi-tenant environment. And yes, the lack of strong compartmentalisation has led to some risks and real attacks. Cybercriminals see the cloud as a vast storehouse of potential targets - if they manage to penetrate the cloud environment, they can attack not just one, but hundreds of companies.
[ Cloud Services are becoming an integral part of daily operations for Small and Medium Sized Enterprises (SMEs). The Cloud Services - Mobile & Remote Working in 2011 white paper outlines some of the ways that successful SMEs are using cloud-based services and business tools to their advantage to drive their business forward. ]
Simple multi-tenant provisioning on its own is never a good idea, though most cloud providers do make use of virtualisation to create a virtual wall between each tenant. Assuming that a client is taking advantage of a virtualized, multi-tenant environment, the cloud provider must undertake a defense in-depth strategy, strong compartmentalisation and strict access controls. For clients with high-end security needs however, virtualised environments aren’t necessarily the only solution; dedicated server options or colocation are also quite affordable, while also offering the secure environment of the cloud data centre and the managed services they provide.

Still more risk factors revolve around the potential for data loss, though in reality, this is more of an imagined threat than reality. Cloud data centres, if they want to survive competitively, create a data centre that protects against loss with redundant backup, allows for automatic failover, and implements a disaster recovery strategy. A top realistic threat however, is account or service hijacking, which according to the Cloud Security Alliance, remains a major threat. If an attacker manages to steal credentials, they will be able to access the owner’s cloud services. The mitigation for that lies within the end user for the most part rather than the cloud provider; with remediation solutions revolving mainly around policy: No shared account credentials, use two-factor authentication, monitor proactively, and understand the cloud provider’s service level agreement.

Lastly, the unknown risk profile. The advantage of the cloud lies in reduced hardware and software ownership and reduced management overhead; but “out of sight, out of mind” must not rule the day. Continued monitoring, good policy, and a strong understanding of the cloud provider’s policies and procedures will bring a renewed level of assurance to the end user of cloud services. 
  • Print
  • Send to a friend