
Potential Risks and Issues of Cloud Computing


What characterizes the Australian cloud computing strategy, as I found when studying it, is the risk-based approach followed by the government to define the cloud strategic direction paper.


Many governments are interested in understanding the potential risks and issues of cloud computing.


Government agencies were designed to operate in a secure environment, so they need to fully understand the risks associated with cloud computing from both the end-user and the agency perspective.

Cloud computing is a new ICT sourcing and delivery model, not a new technology, and many of the risks and issues associated with cloud are also not new.

Depending upon the cloud model adopted, below are some issues that should be understood and mitigated:

Issue
Explanation
Application design
·         There may be less opportunity for customization of applications and services. This may increase complexity when integrating cloud services with existing legacy environments;
·         Applications (could be either SaaS or Line of Business applications, etc.) will need to be treated at arm's length from the infrastructure layer (IaaS);
·         Applications will need to be designed to accommodate latency; and
·         Existing software licensing models may not facilitate a cloud deployment.

Architecture
·         Moving to a cloud environment will require more emphasis on business design where cloud services will interface/impact business systems;
·         Prior to making a decision to move to a cloud computing environment, agencies must address the impact on business processes and eliminate any technical barriers; and
·         Finance recommends agencies use an architectural framework to assist in identifying potential opportunities to deliver common and shared cloud services across agencies.
Business continuity
·         Because the cloud is dependent on internet technologies, any internet service loss may interrupt cloud services;
·         Due to the dynamic nature of the cloud, information may not be immediately located in the event of a disaster; and
·         Business continuity and disaster recovery plans must be well documented and tested.

Data location and retrieval
·         The dynamic nature of the cloud may result in confusion as to where information actually resides (or is transitioning through) at a given point in time;
·         When information retrieval is required, there may be delays impacting agencies that frequently submit to audits and inspections; and
·         Due to the high availability nature of the cloud, there is potential for co-location of information assets with other cloud customers.
Funding model
·         Due to the cloud’s pay-per-use model, some part of ICT capital budgeting will need to be translated into operating expenses (OPEX), as opposed to capital expenditure (CAPEX), which may have different levels of authorizations to commit expenses and procure services.
Legal & regulatory
·         Need to have the ability to discover information under common law;
·         Need to be aware of Australian legislative and regulatory requirements including Archives Act, FOI Act and Privacy Act;
·         Need to be aware of data sovereignty requirements;
·         Need to be aware of legislative and regulatory requirements in other geographic regions, as compliance may be a challenge for agencies; and
·         Little legal precedent exists regarding liability in the cloud and because of this, service agreements need to specify those areas the cloud provider is responsible for.
Performance and conformance
·         Need to ensure that guaranteed service levels are achieved. This includes environments where multiple service providers are employed (e.g. combined agency and cloud environments). Examples include:
o    Instances of slower performance when delivered via internet technologies;
o    Applications may require modification;
o    Monitoring and reporting are adequately delivered for the period between service introduction and exit; and
o    Failure of service provider to perform to agreed-upon service levels.
Privacy
·         Risk of compromise to confidential information through third party access to sensitive information. This can pose a significant threat to ensuring the protection of intellectual property (IP), and personal information.
Reputation
·         Damage to an agency’s reputation resulting from a privacy or security breach, or a failure to deliver an essential service because risk was inadequately addressed, must be considered for cloud computing applications.

Skills requirements
·         A direct result of transitioning to a cloud environment is:
o    Less demand for hardware and system management software product-specific skills; and
o    More demand for business analysts, architects, portfolio and program and change managers, and vendor/contract managers.

Security
·         Must ensure cloud service providers and their service offerings meet the requirements of the Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM) and the Privacy Act 1988; and
·         With cloud computing, an agency may have limited ability to prescribe the protective security of the cloud environment. Yet agencies will remain ultimately responsible for the information that is stored and/or processed in the cloud. Management must maintain assurance that the security of the cloud service provider is in accordance with the PSPF.
Service provision
·         Reputation, history and sustainability should all be factors to consider when choosing a service provider;
·         Agencies should take into consideration the volatility of the growing cloud computing market; and
·         Agencies should ensure they address portability of data in the case of service provider failure.
Standards
Strategies for open standards, interoperability, data portability, and use of commercial off the shelf (COTS) products are required for reducing the risk of vendor lock-in and inadequate data portability. Examples include:
·         If a cloud provider decides to no longer stay in business, an agency’s data/application/processes must be able to be moved to another provider; and
·         Certification of projects by vendors for prescribed platforms and versions.



