1. Risk Management for Cloud Computing
by Padma S. Jella

2. CLOUD COMPUTING AS AN
EVOLUTION OF ITO
 Cloud computing is an outsourcing decision as it gives organizations the
opportunity to externalize and purchase IT resources and capabilities from
another organization as a service
 How CC differs from ITO ? -“with outsourcing an existing function is moved
out of the department, enterprise, or geographic jurisdiction, whereas
with CC the home of an application originates in the cloud”
 CC offers many advantages that surpass the promises of traditional ITO
like easy scalability, access to new software and reliability
 Google, Microsoft, IBM and all other known and unknown cloud providers
offer today's CIO an array of major cost saving alternatives to the
traditional data center and IT department.
 But like everything that appears too good to be true, cloud computing
comes with a set of risks that CIOs and CTOs should do well to recognize
before making the decision quickly

3. ISACA’S Survey on cloud computing
 ISACA's (Information Systems Audit and Control Association) 2010 survey on cloud computing
adoption presents some interesting findings.
 45% of IT professionals think the risks far outweigh the benefits and only 10 percent of
those surveyed said they would consider moving mission critical applications to the cloud.
 In a nutshell, ISACA's statistics and other industry published numbers around cloud adoption
indicate that cloud computing is a mainstream choice but definitely not the primary choice.
 While some organizations have successfully moved part or all of their information assets into
some form of cloud computing infrastructure, the large majority still haven't done much with
this choice.
 In most organizations, there are definitely some areas that could be safely and profitably
moved to the cloud.
 The extent to which an organization should move it's information assets to the cloud and take
advantage of the tremendous benefits by doing so is determined by the application of a risk
assessment framework to all candidate information assets.
 For this, it's essential to understand the risks and then have a mitigation strategy.

4. Why use a risk approach for
cloud selection?
 Many organizations are embracing cloud computing, it’s a rage these days
 Data security risks- Do you trust an external third party with your sensitive
data?
 Prepared for cloud failure (cloud outages at Microsoft and Amazon) ??
 In March 2009, Microsoft Windows Azure was down for 22 hours
 In April 2011, a large scale outage hit Amazon, affecting Amazon’s Web
Services' Elastic Compute Cloud (EC2).
 The outage took out popular social networking services Foursquare,
FormSpring, Heroku, HootSuite, Quora and Reddit
 These outages prevent users from accessing applications or data stored in the
cloud and the financial cost of these outages can be quite high especially
when mission critical- such as accounting information systems are outsourced

5. • https://www.youtube.com/watch?v=m3wrBFuGK2A

6. 25th August 2013
 Amazon Web Services (AWS), one of the world's largest cloud provider,
stumbled over on Sunday for 59 minutes, due to issues with its U.S.-EAST
datacenter.
 The outage began at about 1 p.m. PT following connectivity issues in the
North Virginia datacenter, which led to elevated API error rates in the
region.
 This led to "degraded experience," resulted in a "small number of EC2
instances unreachable due to packet loss in a single"
 Last week, AWS suffered downtime that lasted around 25 minutes .
 Most websites running on the AWS cloud were unaffected. The biggest
casualty of the outage, however, was Amazon.com itself, which rejected
customers from accessing its site in the U.S. and Canada.
 Other Amazon-owned websites also suffered, including Audible.com, while
Netflix continued to power through the problems.
 While international sites were unaffected, some crunched the numbers,
and estimated that the company could have lost as much as $1,100 in net
sales per second.
 Users of Vine and Instagram, as well as others - Airbnb, Flipboard, just
to name a few — fell at the mercy of its cloud computing parent.
 Instagram alerted its users of a fault to its service almost as soon as
it occurred

7. Cloud Mission Risks
The main cloud-related mission risks to consider are:
 The solution does not meet its financial objectives.
 The solution does not work in the context of the user enterprise’s organization and culture.
 The solution cannot be developed due to the difficulty of integrating the cloud services involved.
 The solution does not comply with its legal, contractual, and moral obligations.
 A disaster occurs from which the solution cannot recover.
 An external cloud service used by the solution is inadequate.
 The system quality of the solution is inadequate, so that it does not meet its users’ needs.

8. How to evaluate your cloud vendor
Risk Management
 Prior to engaging in a partnership with a cloud vendor an organization should
request appropriate documentation and perform a comprehensive review
 Investigate the reputation and background of the provider, and the number of
years the provider has been in business.
 Request a SSAE 16 report.
 In addition, several important steps that an organization should consider
addressing regulatory compliance, privacy, and business continuity are detailed.

9. How to evaluate your cloud vendor
Regulatory Compliance
 Customer organizations are ultimately responsible for the security and integrity of their own
data, even when that data is managed/maintained by a service provider. Therefore, the
customer needs to ensure that the provider has adequate security controls in place and
request evidence of these controls, such as a SSAE 16 report and/or a PCI compliance
attestation.
 If the provider has not performed a SSAE 16, the customer will need to gather as much
information as possible about the security controls in place with particular focus on the
people that will manage the data.
 The customer should investigate the provider’s hiring process and ensure that it includes
criminal and credit background screenings. It is highly recommended to include in the
contract the level of security expected and the right to audit and/or request audit reports.
 Those organizations who decide to use providers located internationally should request the
provider make a contractual commitment to obey local privacy requirements on behalf of
their customers.

10. How to evaluate cloud vendor
Privacy
 Data in the cloud is typically in a shared environment alongside with data from
other customers.
 Encryption becomes crucial to protect the confidentiality and privacy of the data
while in transit and in storage. Therefore, the client should know whether or not
encryption is utilized.
 Also, the client should know the user access and monitoring controls in place,
especially for privileged accounts.
Business Continuity Plan
 Should a disaster occur, organizations must ascertain what steps the provider will
take to protect data and continue service.
 Does the provider have the ability to do a complete restoration of all data, and
how long it will take? Customers should evaluate the provider’s business continuity
capabilities and ensure they meet the requirements specified in the service level
agreement.

11. How to evaluate cloud vendor
Conclusions
 Cloud computing offers organizations a cost effective, competitive and flexible
opportunity to perform their operations.
 Nevertheless, cloud computing involves some risks that can be mitigated by taking
two key steps:
(1) Doing due diligence when selecting the provider, and
(2) negotiating a service agreement that covers critical aspects such as
payment, warranty, liability, protection, and security.
 The first step should be founded on a methodical approach that addresses policies
and procedures in selecting and overseeing providers. In regards to the second
step, legal advice becomes essential during the contract stipulation

12. A framework for evaluating cloud
computing risk
• Effectiveness of controls
• Auditing and oversight
• Technical security architecture
• Data integrity
• Data encryption
• Operations security
• Standardized procedures
• Business stability
• Intellectual property
• Contractual language

13. Points to be thought of
• Who accesses your sensitive data: The physical, logical and personnel controls that were put in
place when the data was in-house in your data center are no longer valid when you move your
organization's information on the cloud. The cloud provider maintains its own hiring practices,
rotation of individuals, and access control procedures. It's important to ask and understand the
data management and hiring practices of the cloud provider you choose. Large providers like IBM
will walk their clients through the process, how sensitive data moves around the cloud and who
gets to see what.
• Regulatory compliance: Just because your data is now residing on a provider's cloud; you are not
off the hook, you are still accountable to your customers for any security and integrity issues that
may affect your data. The ability of the cloud provider to mitigate your risk is typically done through
a process of regular external audits, PEN tests, compliance with PCI standards, ensuring SAS 70
Type II standards to name a few. You are responsible to weigh the risks to your organization's
information and ensure that the cloud provider has standards and procedures in place to mitigate
them.
• Geographical spread of your data: You may be surprised to know that your data may not be
residing in the same city, state or for that matter country as your organization. While the provider
may be contractually obliged to you to ensure the privacy of your data, they may be even more
obliged to abide by the laws of the state, and or country in which your data resides. So your
organization's rights may get marginalized. Ask the question and weigh the risk.

14. Points to be thought of
• Data loss and recovery: Data on the cloud is almost always encrypted; this is to ensure security of
the data. However, this comes with a price — corrupted encrypted data is always harder to recover
than unencrypted data. It's important to know how your provider plans to recover your data in a
disaster scenario and more importantly how long it will take. The provider must be able to
demonstrate bench-marked scenarios for data recovery in a disaster scenario.
• What happens when your provider gets acquired: A seamless merger/acquisition on the part of
your cloud provider is not always business as usual for you, the client. The provider should have
clearly acknowledged and addressed this as one of the possible scenarios in their contract with you.
Is there an exit strategy for you as the client — and what are the technical issues you could face to
get your data moved someplace else? In short, what is your exit strategy?
• Availability of data: The cloud provider relies on a combination of network, equipment, application,
and storage components to provide the cloud service. If one of these components goes down, you
won't be able to access your information. Therefore, it is important to understand how much you
can do without a certain kind of information before you make a decision to put it on the cloud. If
you are an online retailer, and your customer order entry system cannot be accessed because your
application resides on the cloud that just went down, that would definitely be unacceptable. It's
important to weigh your tolerance level for unavailability of your information against the vendors
guaranteed uptime.

15. AWS Risk Assessment by IVK
Major Risks
 Amazon’s EC2 model is an IaaS (Infrastructure as a Service) which requires systems between companies to
be linked up so data may pass from Amazon’s (rented) servers to IVK’s.
 A common fear for this type of IaaS is that this transfer of data weakens security and opens a company
up to a data breach or loss of consumer data.
Privacy Risks
 IVK handles 2.2 million customer inquiries, processed in excess of 530,000 applications, and funded
180,000 loans. With this much information being stored on a server, the likelihood of that information
being hacked increases
 There is also a greater opportunity for persons to sell the information from the company.
Security Risks
 Since the servers are in the cloud, not in a data center, the back end is accessed through application
programming interfaces.
 The servers can be launched and shut down through the interface. Hackers could gain access to this
interface and shut down all the servers if they wanted to. This would in turn bring the whole company
down causing major outages and chaos to bring the servers back up.
 Even worse than just shutting down the servers is when hackers can delete or change things. Hackers
can do what is called an account hijacking attack.

16. Risk Management- The Amazon
Way!!!
 Risk Management AWS management has developed a strategic business plan which includes
risk identification and the implementation of controls to mitigate or manage risks.
 AWS management re-evaluates the strategic business plan at least biannually.
 AWS’s Compliance and Security teams have established an information security framework
and policies based on the Control Objectives for Information and related Technology (COBIT)
framework and have effectively integrated the ISO 27001 certifiable framework based on
ISO 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust Services
Principles, the PCI DSS v3.0, and the National Institute of Standards and Technology (NIST)
Publication 800-53 Rev 3 (Recommended Security Controls for Federal Information Systems).
 AWS maintains the security policy, provides security Amazon Web Services Risk and
Compliance training to employees, and performs application security reviews.
 These reviews assess the confidentiality, integrity, and availability of data, as well as
conformance to the information security policy.
 AWS Security regularly scans all Internet facing service endpoint IP addresses for
vulnerabilities (these scans do not include customer instances).
 AWS Security notifies the appropriate parties to remediate any identified vulnerabilities.
 In addition, external vulnerability threat assessments are performed regularly by
independent security firms.
 Findings and recommendations resulting from these assessments are categorized and
delivered to AWS leadership.

17. Risk Management- The Amazon
Way!!!
AWS has implemented a formal information
security program designed to protect the
confidentiality, integrity, and availability of
customers’ systems and data.
AWS publishes a security whitepaper that is
available on the public website that addresses
how AWS can help customers secure their data.

18.  Applying cloud computing solutions without the proper care, due diligence, and
controls is bound to cause unforeseen problems.
 Used appropriately with the necessary precautions and controls in place, cloud
computing could yield a multitude of benefits, some unheard of until now and
some yet to be discovered.
 By being aware of the risks and other issues related to cloud computing,
executives are more likely to achieve their organization’s objectives as they
manage the risks in this dynamic and evolving environment that likely will
become the most popular computing model of the future.
 Cloud computing is relatively new in its current form, given that, it is best applied
to specific low to medium risk business areas.