Monday

3 Risk Management Functions for Secure Cloud Governance.....

CC™ Technocrat

The way risk is managed in the cloud has shifted substantially, as governance models come under growing pressure to track the many variants of risk that the cloud introduces.

While the types of risk seen in the industry have changed, business continuity is also said to be affected by the move to the cloud model. Cloud service providers face increasing pressure to identify and track the new risks emerging from this trend, which can have an adverse impact on the business if they go unmanaged.


Sethu Seetaraman, VP/Chief Risk Officer, Mphasis, says that the basics of risk management do not change with the cloud; what changes is the way in which a control is implemented and monitored. “As far as BCP/DR is concerned, the organisation owns BCP/DR in the case of Infrastructure as a Service and Platform as a Service. Service providers will own BCP/DR in the case of Software as a Service. You must build or take these services from the cloud service provider based on the availability risk,” avers Seetharaman.


Why 3 functions of Risk Management are Key to Governance.....


Just as with IT governance, most CISOs argue that risk management within cloud governance must fulfil three functions.

Atul Pandey, The ICT Rainmaker: GRC, GSD, PMO & BPM, lists the three functions: a) assessing risk, b) mitigating risk, and c) measuring the success of that assessment and mitigation.

Pandey says that this is not a static scenario. Risk shifts continually, and the cloud governance model must be able to track these shifts.

Drawing on the analysis of risk and cloud established by Thomas J. Betcher in his report ‘Cloud Computing: Key IT-Related Risks and Mitigation Strategies for Consideration by IT Security Practitioners,’ Pandey sets out the types of risk to be managed under the cloud model.

They include:
  • Policy and Organisational risks: Lock-in, loss of governance, compliance challenges, loss of business reputation, cloud service termination or failure.
  • Technical Risks: Availability of service, resource exhaustion, intercepting data in transit, data transfer bottlenecks, distributed denial of service.
  • Legal Risk: Subpoena and e-discovery, changes of jurisdiction, data privacy, licensing.

According to Pandey, one particularly important observation in the Betcher report concerns risk and the frequency of change. Many traditional IT governance models are designed around IT life-cycles of around three years.

Within these cycles, IT audit leaves a detailed trail of version and upgrade information.

With the cloud, this changes. Not only does the cycle shrink massively (change can now be measured in hours and weeks rather than in years), but the actual versioning of the technology behind the service can remain completely hidden from the consumer, so there is no audit trail of versions and upgrades for the consumer to rely on.

As a result, cloud governance models must be able to assess risk from this entirely new perspective.

How Continuity is affected.....

Pandey believes that continuity itself is touted as the USP of the cloud, at least in comparison with traditional infrastructure.

Business continuity management (BCM) comprises the critical functions and processes that assure a system performs its mission without incident, and that the organisation responds to all acts or events in a planned, consistent manner.

Business continuity planning is rehearsed through scenario analysis which:
  • Targets new, evolving or projected risks affecting business operations.
  • Simulates and evaluates the effect of disruptions in information systems support and response time delays.
  • Provides the ground for experimenting with effective solutions to every type of BCM disruption entering into the scenario.

“The analysis to which reference is made is instrumental in elaborating BCM clauses in service level agreements (SLAs) with cloud computing providers,” says Pandey, and adds, “Sound governance assures that business continuity studies are part of the evaluation process preceding any top management decision in adopting cloud computing; it also constitutes a factor in choosing a cloud provider.”

Reprinted/Republished with permission from: www.csoforum.in