Assessing the Security Risks of Cloud Computing
Research
Publication Date: 3 June 2008 ID Number: G00157782
Assessing the Security Risks of Cloud Computing
Jay Heiser, Mark Nicolett
Organizations considering cloud-based services must understand the associated risks, defining acceptable use cases and necessary compensating controls before allowing them to be used for regulated or sensitive information. Cloud-computing environments have IT risks in common with any externally provided service. There are also some unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing. Key Findings
• • The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it. Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service. Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing. If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.
• •
Recommendations
• • • • Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing. Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used. Demand transparency. Don 't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs. Develop a strategy for the controlled and secure use of
Publication Date: 3 June 2008 ID Number: G00157782
Assessing the Security Risks of Cloud Computing
Jay Heiser, Mark Nicolett
Organizations considering cloud-based services must understand the associated risks, defining acceptable use cases and necessary compensating controls before allowing them to be used for regulated or sensitive information. Cloud-computing environments have IT risks in common with any externally provided service. There are also some unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing. Key Findings
• • The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it. Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service. Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing. If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.
• •
Recommendations
• • • • Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing. Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used. Demand transparency. Don 't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs. Develop a strategy for the controlled and secure use of