Managing Risk in the Cloud

The differing approaches in the three service models

If you ask a security executive for an elevator pitch about risk management in the cloud, some will defer to IT-literate subordinates who quickly immerse you in techno-babble about multi-tenant databases, identity and access, or a lecture about the dangers of online computing.

While this information is relevant, it frequently lacks a strategic business context to adequately frame what the cloud really is, the types of cloud that are available as a service (no offense intended to product marketers), and an overview of the different approaches required to manage risk depending on the service type being contemplated.

This article is a primer to understand the three different cloud service models — SaaS, PaaS and IaaS — and the fundamentally different balances required to effectively manage enterprise risk. The article outlines these options and examines the end-user approach to managing risk relevant to each service model.

To quantify the degree of risk, it is essential to first understand the choices that exist within the framework of “the Cloud.” The approach to managing risk will vary, depending on choice.


Understanding the Business Implications

As Enterprise Security Risk Management (ESRM) continues to emerge as a more mature contributor to Enterprise Risk Management (ERM), security executives need to understand the three service model options for cloud computing (Software, Platform and Infrastructure) in order to bring business value to the equation. Business value can exist in many forms, such as enhanced service and reduced cost, monetization of a company’s services, or a reduced risk ratio to the required technology investment.

This is achieved by understanding the goals of the business and subsequently analyzing how security will align with and contribute to those goals. As an opening example, a CSO would generally not want to submit an Infrastructure-as-a-Service (IaaS) proposition for a new security system — which requires heavy investment in that organization’s technical resources — if the goal of the business is to shed and partner, rather than invest in technical expertise. Understanding the business implications of the differences between cloud service models, and the relevant terminology, becomes vital to enable sound analysis and the formation of an effective strategy.

There is a lot of discussion about whether using the cloud is a risky proposition. The answer, as always, is that “it depends.” An essential step to gauging risk is to understand the service and deployment models, the characteristics, and how these apply to services and applications. For example, will existing, custom applications be placed in the cloud, or will new ones be adopted? How much risk is considered risky? Our job as security professionals is to present options to the business, in order to enable effective decision making.


What is the Cloud?

The National Institute of Standards and Technology (NIST) provides an excellent definition of Cloud Computing in its publication which is found at

To simplify the framework, think of the cloud as a “3-4-5 model” and a series of choices, namely:

• 3 service models: Software, Platform or Infrastructure (“SPI”);

• 4 deployment models: Private, Community, Public and Hybrid; and

• 5 characteristics: Broad Access, Rapid Elasticity, Measured Service, On-Demand Self Service and Resource Pooling.

The framework allows you to consider three broad questions:

1. How much technical participation (direct engineering control) does the organization require?

2. Which type of cloud(s) will we use, and why?

3. What quantifiable benefits will cloud characteristics deliver to meet the functional needs that security has, and how will they deliver business value?
