Winning Manufacturing Strategies

« Is it really going to take away everything??? :( :( | Main | Significance of Digital Transformation for an Enterprise and the Latest Trends. »

Cloud Computing: Types of Risks associated and their Mitigation Procedures..

Guest Post by

Jitendra Kumar Singh, Senior Associate Consultant, MFGADT Online, Infosys

Cloud Computing has been at the Peak of Gartner Hype Cycle. So much has been discussed about the Deployment and Delivery Model. But we still notice the Enterprises are reluctant to apply it. Let us try to explore the Risks associated with Cloud Deployment and what are the mitigation plans. If these risks are addressed with proper mitigation plan, then Cloud Computing adoption will be smoother and faster. In this blog, the risks have been categorized as-

1. Technical Risks

2. Legal Risks

3. Organizational Risks

Risk

Description

Impact

Mitigation control

TECHNICAL RISKS

Cloud isolation failure

The service offered to the customer by the CP could be hampered if redundancy is not built in the cloud network

Service interruption or unavailability leading to loss of customer trust and reputational damage unavailability of services, loss of data confidentiality, integrity and availability, economic and reputational losses due to failure to meet customer demand, violation of SLA, cascading service failure

Implement hardware and logical redundancy in the network infrastructure supporting the cloud

Ineffective capacity management or resource exhaustion


No policies in place for resource capping. Lack of redundancy. Inability to provide current agreed capacity level. Inability to provide additional capacity in times of crisis or emergencies.

Service interruption and resource unavailability to end users due to load on the infrastructure. Customer dissatisfaction leading to reputational damage

Process to be established for capacity management. Effective real time monitoring and reporting in place. Analysis and study to carried out by the CP on a regular basis.

Malicious activities or attack due to multi-tenancy use of shared resources between various customers of the CP

Failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure leading to attacks such as guest-hopping attacks, SQL injection attacks , Cloud Service Hijack, DoS attacks

Expose customers' critical and sensitive data stored in the cloud infrastructure. Unavailability or services or resource to customers leading to customer dissatisfaction and damage to reputation

Prohibit the sharing of account credentials between users and
services.
· Leverage strong two-factor authentication techniques where possible.
· Employ proactive monitoring to detect unauthorized activity

Presence of malicious insider in the cloud

Cloud architectures necessitates certain roles which are extremely high-risk. These personnel with the privileges they have can have direct or indirect access to customer data

confidentiality, integrity and availability of all kind of data and services which therefore indirectly impacts organization's reputation, customer trust and the experiences of employees

Implement controls for AAA
Identity and Access Management
Sign NDA with CC provider
Setup incident management process which is robust and transparent
Effective provisioning and de-provisioning of user ids. Define clear roles n responsibilities.

Intercepting data in transit within the cloud

Sniffing, spoofing, man-in-the-middle attacks, side channel and replay attacks are considered as possible sources by which customer data can be intercepted in the cloud

Unauthorized access to customer data thereby stealing sensitive customer information and providing to competitors

Implement strong API access control.
Encrypt and protect integrity of data in transit. Analyze data protection at both design and run time. Implement strong key generation, storage and management and destruction practices.

Data leakage or loss due to storage in backup media

Backup media used by CP could be shared among other customers of the CP. As a result, there is a possibility of data being leaked or lost if the media management is not effective

Leakage or loss of sensitive customer data leading to reputational damage and customer confidence.
Applicable Data privacy laws will also be affected leading to legal issues

Contractually demand providers wipe persistent media before if it is used as a shared backup media. Contractually specify provider backup and retention strategies. Encrypt data when stored on backup media

 

 

 

 

Legal Risks

No virtual boundaries or jurisdiction for data stored in the cloud

Customer data may be held or stored virtually anywhere in the world including data centers that are located in high-risk countries,

Due to this, regulatory issues will arise as. As per law, no customer data within the country can be sent or stored outside the Indian borders

The solution will be provided by the service provider. Also a check needs to be made on the security controls that they will apply.

Lack of data protection by the CP

effectively check the data processing that the cloud provider carries out, and thus be sure that the data is handled in a lawful way

Failure to comply with data protection law may lead to administrative, civil and also criminal sanctions, which vary from country to country

Ensure effective data processing and data security activities and the data controls are in place
SAS70 certification for cloud providers

Licensing

 

 

 

 

Organization  Risks

Loss of Governance due to direct control by CP

 SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defenses.
Lack of completeness and transparency in terms of use

Non adherence to customers business processes leading to compliance issues. Service outages and untimely support leading to customer service getting affected

Include certifications with the CP
Policies and process must be defined and put in  place
NDA to be signed with the SP
standard technologies and solutions to be implemented
Ensure completeness and transparency in terms of use
Strong SLAs to be defined

Lock In with the CP

there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability.  This introduces a dependency on a particular CP for service provision, especially data portability,

Potential dependency for service provision on a particular CP, depending on the CP's commitments, may lead to a catastrophic business failure should the cloud provider go bankrupt or acquired and is not able to match the services provided before

The solution will be provided by the service provider. Also a check needs to be made on the security controls that they will apply.

Noncompliance to customer defined policies and procedures

The CP may not consider or implement the policies or procedures defined by its customer for the service provided as it may affect or hinder the policies set by them on the cloud.
Lack of standard technologies and solutions

This may lead to conflicting issues with compliance as the customer adheres to some standards which the CP may not. For e.g.: PCI DSS may not be achieved in a public cloud infrastructure
Storage of data in multiple jurisdictions may lead to legal and regulatory issues

Implement and follow industry standard certifications and processes

Cloud service termination or failure

The CP may not deliver as per the customer expectations due to number of outages, deterioration in services and unavailability of resources

Loss or deterioration of service delivery performance, and quality of service, as well as a loss of investment due to poor CP selection. Failures by the cloud provider may also result in liability by the customer to its employees

Contractual agreements must clearly state terms on service termination or failure and penalties that would apply in the event of occurrence. Contract must also state the alternate option which the CP must provide till the time a permanent solution is in place.

Presence of shared resource technology and co-tenant activities

Resource sharing means that malicious activities carried out by one tenant may affect the reputation of another tenant

The impact can be deterioration in service delivery and data loss, as well as problems for the organization's reputation

Implement security best practices for installation/configuration.
· Monitor environment for unauthorized changes/activity.
· Promote strong authentication and access control for
administrative access and operations.
· Enforce service level agreements for patching and vulnerability
remediation.
· Conduct vulnerability scanning and configuration audits

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Please key in the two words you see in the box to validate your identity as an authentic user and reduce spam.