Cloud, Risk and Security
Dr. Chris Roberts
10-12 September 2012, Wellington, New Zealand
-
Cloud, Risk and Security Page 2 of 65
Contents
Introduction ......................................................................................................................................... 5
The Cloud Computing Market .............................................................................................................. 6
Evolution from virtualisation to cloud .......................................................................................... 7
Adoption Patterns ......................................................................................................................... 9
Technology performance and maturity ............................................................................................... 10
Cloud as a technology ................................................................................................................ 10
Cloud Standards ......................................................................................................................... 11
Key Drivers ....................................................................................................................................... 13
The Risks and Benefits of Cloud Computing ...................................................................................... 17
The Risks of Cloud Services ....................................................................................................... 18
Changed Business Model ........................................................................................................... 19
The Benefits of Cloud Adoption ................................................................................................. 19
Cost Models and Investment Analysis ................................................................................................ 22
Identifying and Assessing Benefits ............................................................................................. 24
Security RoI ............................................................................................................................... 24
Return on Security Investment .................................................................................................... 24
Security Costs ............................................................................................................................ 26
Cloud RoI................................................................................................................................... 27
Challenges in Cloud Computing Benefit Analysis ...................................................................... 27
Operational Density .................................................................................................................... 28
Governance and Compliance .............................................................................................................. 31
Cloud Industry Forum, Code of Practice for Cloud Service Providers ......................................... 32
NZ Cloud Computing Code of Practice, ..................................................................................... 33
SAS70/SSAE-16/ISAE 3402 Standards ...................................................................................... 33
The Cloud Security Alliance ....................................................................................................... 33
CloudAudit................................................................................................................................. 33
CSA Cloud Control Matrix ......................................................................................................... 34
Consensus Assessments Initiative Questionnaire ........................................................................ 34
The CloudTrust Protocol ............................................................................................................ 34
The CSA Security, Trust & Assurance Registry (STAR) ............................................................ 34
FedRAMP .................................................................................................................................. 34
Australian Government Better Practice Checklist .................................................................... 34
DSD Cloud Computing Security Considerations ...................................................................... 35
NIST Guidelines on Security and Privacy in Public Cloud Computing .................................... 35
NIST Cloud Computing Synopsis and Recommendations ........................................................ 35
Security.............................................................................................................................................. 36
Location ..................................................................................................................................... 37
Jurisdiction and Sovereignty ....................................................................................................... 38
Service Level Agreements (SLAs) .............................................................................................. 39
Virtualisation.............................................................................................................................. 41
Authentication and Access ......................................................................................................... 44
Systems Management ................................................................................................................. 44
Incident Management ................................................................................................................. 45
Data Loss Prevention .................................................................................................................. 46
Cloud Specific Risks and Threats ............................................................................................... 47
Multi-Tenancy ............................................................................................................................ 47
Data Mobility and Control .......................................................................................................... 48
Data Remanence......................................................................................................................... 48
Data Privacy ............................................................................................................................... 49
Encryption .................................................................................................................................. 49
Staff ........................................................................................................................................... 52
Unwinding contracts & decommissioning................................................................................... 55
Archiving ................................................................................................................................... 56
Data destruction ......................................................................................................................... 57
Conclusion ................................................................................................................................. 58
Appendix A - A Brief History of Virtualisation and Cloud ................................................................. 59
Virtualisation.............................................................................................................................. 59
The Development of the Concept of Cloud ................................................................................. 61
Appendix B - Acronyms and Abbreviations ................................................................................. 63
Appendix C - Biography .............................................................................................................. 65
List of Tables
Table 1 - Services moving to the Cloud .............................................................................................. 16
Table 2 - Cloud Adoption Potential Benefits and Risks ...................................................................... 21
Table 2 - Cloud Adoption Potential Benefits and Risks (cont) ............................................................ 22
Table 3 - RoI Calculations .................................................................................................................. 23
Table 4 - Generic Cost Categories ...................................................................................................... 23
Table 5 - Cloud Computing Timeline ................................................................................................. 62
List of Figures
Figure 1 - Yankee Group 2011 Cloud Revenue Forecast ...................................................................... 6
Figure 2 - Virtualisation Challenges ..................................................................................................... 8
Figure 3 - IT Service Migration ............................................................................................................ 9
Figure 4 - The Five Types of Cloud Adopters....................................................................................... 9
Figure 5 - Cloud Computing Stack ..................................................................................................... 11
Figure 6 - The Extended Cloud Computing Stack ............................................................................... 12
Figure 7 - Cloud Industry Forum: Vanson Bourne research poll ........................................................ 14
Figure 8 - Application Compatibility. ................................................................................................. 14
Figure 9 - Cloud Service Model Selection .......................................................................................... 17
Figure 10 - Cost Dimensions .............................................................................................................. 26
Figure 11 - Hosting Environment Analysis ......................................................................................... 29
Figure 12 - Workload Density ............................................................................................................ 30
Figure 13 - Control Boundaries .......................................................................................................... 31
Figure 14 - Service Level Expectations .............................................................................................. 40
Figure 15 - Attacks on Virtualised Environments ............................................................................... 42
Figure 16 - OSX.Crisis Digital Certificate .......................................................................................... 43
Figure 17 - OSX.Crisis Propagation ................................................................................................... 43
Figure 18 - Encryption Continuum ..................................................................................................... 51
Figure 19 - Cloud Archive and Backup Options ................................................................................. 57
Introduction
There is much concern and a great deal of caution in the use of cloud services and the hosting of critical data in the cloud. Gartner describes organisations using cloud services as "early adopters" and "fast followers", terminology that indicates the immaturity of cloud services. Many early adopters are driven by the need for performance, scalability, resource sharing1 and cost saving.
It is not unusual for organisations to start with a small, private cloud, allowing technical and security
architectures, management processes and security controls to be developed and tested. These
organisations then use non-critical data, for example email services, and other similar applications in a
hybrid private and public cloud environment2.
While there has been some discussion on the technical risks of cloud computing, less attention has been
paid to the strategic, governance and management risks of cloud computing. The responsibility for
cloud security remains with the customer even though services may have been contracted to the cloud
service provider. Cloud service providers will invariably seek to limit liability and any compensation
or penalties through carefully worded service contracts.
Much has been made of the operational cost savings related to cloud, particularly the lower unit cost of public cloud. Less obvious are the several risks and the related cost of managing those risks to an acceptable level. While some valuable work in mapping the cloud risk landscape has been done by such organisations as the Cloud Security Alliance3, NIST4 and the UK's Cloud Industry Forum5, the extent of the risk landscape continues to evolve and expand.
The subject of security architecture and security controls, while explored in this paper, is not analysed
or discussed in detail. This paper seeks to encapsulate aspects of cloud risk and related work in order
to present a comprehensive view of the benefits, issues and risks in cloud computing.
1 Securing the Cloud, F5 White Paper, Peter Silva, http://www.f5.com/pdf/white-papers/securing-the-cloud-wp.pdf
2 Gartner: Don't Trust Cloud Provider to Protect Your Corporate Assets, Brandon Butler, CIO, http://www.cio.com/article/print/707053
3 Cloud Security Alliance, https://cloudsecurityalliance.org/
4 National Institute of Standards and Technology, NIST Cloud Computing Program, http://www.nist.gov/itl/cloud/index.cfm
5 Cloud Industry Forum, http://www.cloudindustryforum.org/
The Cloud Computing Market
Cloud computing is an emerging market, although the underlying technologies are well known and individually understood. It is the combination of these technologies that is new to the market. A brief history of virtualisation and cloud is provided in Appendix A.
A 2011 forecast by the Yankee Group6 provides a conservative view, excluding small businesses and
sole proprietors from infrastructure as a service and platform as a service because their analysts believe
the typical small business has little or no need for those services. An interesting aspect is the
domination of Software as a Service (SaaS) over Infrastructure as a Service (IaaS) and Platform as a
Service (PaaS).
Figure 1 - Yankee Group 2011 Cloud Revenue Forecast
More recently, the cloud computing market is forecast to represent an estimated US$240 billion in revenue by 2016, up from an estimated US$77 billion in 20117. In March 2011, IBM's CEO, speaking at IBM's annual investor meeting, stated that he expected the company to generate US$7 billion in cloud computing revenues by 2015 as well as capturing 25% of the cloud services market.
There is a view that the small and medium-sized businesses (SMBs) provide the greatest opportunity
for public cloud offerings. McKinsey has predicted that the combined market for global cloud services
will be between US$65 billion and 85 billion by 2015, 60% of which will be SMBs8.
6 Global Cloud Computing Revenue Forecast, Gary Kim, IP Carrier, http://ipcarrier.blogspot.co.nz/2011/01/global-cloud-computing-revenue-forecast.html#!/2011/01/global-cloud-computing-revenue-forecast.html
7 How Big Will Cloud Computing Revenues Be in 2016?, Gary Kim, December 19, 2011, http://www.tmcnet.com/topics/articles/246856-how-big-will-cloud-computing-revenues-be-2016.htm
8 Winning in the SMB Cloud: Charting a path to success, Diamadi et al, McKinsey & Company, July 2011, http://www.mckinsey.com/client_service/high_tech/latest_thinking/winning_in_the_smb_cloud
The growth in cloud computing is also likely to bring significant change to the industry. Gartner sees low-cost cloud services disrupting traditional IT in the same way that low-cost air carriers, like Ryanair and Southwest, disrupted the major commercial airlines. It is likely, however, that a large portion of this anticipated revenue growth will be redirected and scavenged from other revenue streams. The structure of the cloud market is also predicted to shift radically, with Gartner forecasting that new, low-cost cloud services will cannibalise up to 15 per cent of the current top outsourcing players' revenue by 2015[9].
There are a number of publicly available cloud service provider lists, including those from Microsoft10, Cloud Computing Journal11 and the top 100 from Talkin Cloud12. Some overseas governments are also starting to provide lists of approved cloud service providers13,14,15.
Evolution from virtualisation to cloud
A common perception is that cloud naturally follows virtualisation and that cloud will make things better, cheaper and faster. This perceived inevitability is common in business cases and vendor literature and is supported by the extolled benefits of agility, cost saving and efficiency. Unfortunately, while the benefits are described in great detail, the related costs and risks are not as well described or analysed. The complexity of cloud migration has also been described as being "airbrushed"16 to minimise the risks and difficulties.
It is important that early steps are taken to manage the transition to virtualisation and then to cloud, in
order to avoid the creation of a substantially more complex, fragile and inflexible infrastructure. A
common outcome is that organisations reach a point where their skills, tools and operational processes
are overwhelmed by virtual machine sprawl, unpredictability and operational complexity. The key
challenges to virtualisation are highlighted in a recent survey and illustrated in Figure 2 below17:
Clearly the move from legacy systems through virtualisation and then to cloud must be carefully assessed, planned, understood and managed if the benefits of cloud computing are to be realised. A useful guide to important questions on cloud migration is provided in the document "27 Tips for Buying Cloud Services" by Christopher Wilson18.
9 Gartner's 2012 predictions: growing cloud, bursting social bubble, Ann Bednarz, 5 December 2011, IT Business.ca, http://www.itbusiness.ca/it/client/en/home/news.asp?id=65208
10 Microsoft Hosting, Cloud Service Providers List, http://www.microsoft.com/hosting/en/us/catalogs/cloud-providers.aspx?page=1
11 Top Cloud Computing Enablers Gaining Mind Share in 3Q 2011, Ray Depena, 12 October 2011, http://cloudcomputing.sys-con.com/node/2003354
12 Top 100 Cloud Services Providers (CSPs) List And Research, Talkin Cloud, http://www.talkincloud.com/tc100/
13 Hong Kong releases list of accredited government public cloud services providers, eGov Innovation Editors, 01 June 2012, http://www.enterpriseinnovation.net/content/hong-kong-releases-list-accredited-government-public-cloud-services-providers
14 CloudBook Government Clouds, http://www.cloudbook.net/directories/gov-clouds/government-cloud-computing.php
15 Government launches G-Cloud store with 257 cloud computing suppliers, Rosalie Marshall, V3.co.uk, 20 February 2012, http://www.v3.co.uk/v3-uk/news/2153551/government-launches-cloud-store-257-cloud-computing-suppliers
16 From virtualisation to private cloud, Andrew Buss, The Register, 24 July 2012, http://www.theregister.co.uk/2012/07/24/private_cloud_study
17 From virtualisation to private cloud - Small steps to big results, Andrew Buss, Freeform Dynamics Ltd, July 2012, http://whitepapers.theregister.co.uk/paper/download/delayed/2520/from-virtualisation-to-private-cloud.pdf
18 27 Tips for Buying Cloud Services, Christopher Wilson, CloudProvider, April 2012, http://www.cloudproviderusa.com/wp-content/uploads/2012/04/27-Tips-for-buying-cloud-IaaS.pdf
Figure 2 - Virtualisation Challenges
A move to cloud is also expected to fundamentally change the way that IT is managed and run within an organisation. A recent report from Accenture identified five ways a move to cloud will change the way organisations will run IT19:
1. IT must evolve to secure its future in a cloud-enabled business;
2. IT must shift its focus from building bespoke systems to selecting and managing pre-configured components;
3. IT must become the data custodian for the entire business;
4. IT must evolve into a role as a service director and integrator; and
5. IT must adopt a new operating model for the cloud era.
This evolution of services is depicted in Figure 3 below:
19 High Performance IT Insights: Five ways the cloud will change the way you run IT, Accenture, 2012, http://www.accenture.com/SiteCollectionDocuments/PDF/Accenture-Five-Ways-Cloud-Change-Way-You-Run-IT.pdf
Figure 3 - IT Service Migration
A key point is that use of cloud services is likely to create fundamental change in organisational
structures, technology management and risk management and will encompass the entire organisation
from users to executives.
Adoption Patterns
With the growth in interest and adoption of cloud technologies, patterns of adoption are starting to emerge. A 2011 analysis by Bain and Company20 identified five types of cloud adopters, illustrated in Figure 4 below:
Figure 4 - The Five Types of Cloud Adopters
20 The five faces of the cloud, Michael Heric, Ron Kermisch and Stephen Bertrand, Bain and Company, 2011, http://www.bain.com/Images/BAIN_BRIEF_The_five_faces_of_the_cloud.pdf
Bain holds the view that all types will fully adopt cloud technologies at some time, although the rate of adoption and the service model will vary significantly. While Transformational organisations currently have the highest adoption rates, Heterogeneous organisations are expected to match that rate within three years. Safety-conscious organisations will adopt more slowly, but at twice the size. Price-conscious organisations are forecast to have adoption rates quadruple as prices fall, with a focus on cheaper public cloud offerings. Finally, Slow and Steady organisations will see meaningful adoption over the next three years.
Technology performance and maturity
Cloud as a technology
Although Cloud is a relatively immature technology, there have been many predictions over the last few years on the fundamental shift in computing paradigms Cloud will bring. For example, a 2008 report from The Economist predicted that "Computing power will become more and more disembodied and will be consumed where and when it is needed"21. This report also predicted that cloud computing "is more than just another platform shift. It will undoubtedly transform the IT industry, but it will also profoundly change the way people work and companies operate."
Early in 2010, Gartner predicted that by 2012, 20 percent of businesses would own no IT assets22.
Gartner has reported that the cloud services market grew to US$68.3 billion in 2010, a 16.6 percent increase on 2009 revenues. Gartner also predicts that by 2014, cloud services revenue will grow to US$148.8 billion worldwide. While Gartner's 2012 prediction may now be seen as overstated, the growth in cloud services is apparent.
Computer World forecasts that IT organisations will find achieving the full benefits of Cloud requires new architectures. They also predict that IT operations will be challenged with essential process re-engineering, managing the dynamic application topologies and managing the total number of applications an organisation wants to run23.
The commercialisation of cloud services can be traced to 1998 when CloudProvider offered an early
form of Infrastructure as a Service (IaaS). Since then there has been steady growth in the number of
service providers albeit with most offering IaaS.
Many of the larger technology organisations are now offering commercial cloud services, and IBM, Microsoft, Oracle and HP all offer cloud products and services. This is a strong indication that today cloud computing has become mainstream24, although it can still be considered an emerging technology.
21 A survey of corporate IT - Let it rise, The Economist, 23 October 2008, http://www.economist.com/node/12411882
22 Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond, 13 January 2010, Gartner, http://www.gartner.com/it/page.jsp?id=1278413
23 Cloud Computing: 2011 predictions, Bernard Golden, 13 December 2010, http://www.computerworlduk.com/in-depth/cloud-computing/3253266/cloud-computing-2011-predictions/
24 A Brief History of Cloud Computing, Rick Blaisdell, Cloud Tweaks, http://www.cloudtweaks.com/2011/10/a-brief-history-of-cloud-computing/
Cloud Standards
Many technology and technology management standards exist, and there is continuing work on the convergence and coherence of ISO, ITU and respective national standards. There is still complexity and some confusion, and with the many forecasts and prognostications on Cloud it became apparent that some standardisation, at least of the description and definition of Cloud, was essential.
In January 2011, NIST defined cloud computing in terms of five essential characteristics, three service models, and four deployment models25. The essential characteristics are:
On-demand self-service;
Broad network access;
Resource pooling;
Rapid elasticity; and
Measured service.
The four deployment models are:
Private cloud;
Community cloud;
Public cloud; and
Hybrid cloud.
The three service models are often likened to a stack with three generally accepted components26. This is illustrated in Figure 5 below.
Figure 5 - Cloud Computing Stack
25 The NIST Definition of Cloud Computing (Draft), Special Publication 800-145 (Draft), National Institute of Standards and Technology, http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
26 Understanding The Cloud Computing Stack: SaaS, PaaS, IaaS, Ben Kepes, Diversity Limited, http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Understanding-the-Cloud-Computing-Stack.pdf
In general terms the cloud computing stack can be described as:
Software as a Service (SaaS): applications are designed for end-users, often delivered using web technologies or over the Internet;
Platform as a Service (PaaS): tools and services designed for the quick and efficient coding and deployment of applications; and
Infrastructure as a Service (IaaS): the underlying hardware and software, such as servers, storage, networks and operating systems. Virtualisation exists at the IaaS layer.
Buzzwords are widely used in IT and, in addition to the terms described in the published standards, vendors have created a further layer to describe specific services, for example Identity as a Service (IdaaS), Security as a Service (SecaaS) and Business Process as a Service (BpaaS). Australia's Defence Signals Directorate (DSD) has noted that "A vendor adding the words cloud or as a Service to the names of their products and services does not automatically mean that the vendor is selling cloud computing as per the NIST definition"27. It is also important to note that the additional terms and acronyms are contextual and may have limited acceptance. This hierarchy is illustrated in Figure 6 below28:
Figure 6 - The Extended Cloud Computing Stack
27 Cloud Computing Security Considerations, Initial Guidance 6/2011, Cyber Security Operations Centre, Australian Government Department of Defence, 12 April 2011, http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
28 Cloud computing in Australia - An evolution, not a revolution, Accenture, 2012, http://www.accenture.com/au-en/Pages/insight-cloud-computing-australia.aspx?c=tek_nzcldpsgs&n=g_Cloud_Services_-_Adoption-_NZ/a_0_k/cloud_adoption&KW_ID=sqyKw33uH|pcrid|13149252396
Key Drivers
In today's environment of financial constraint, partly triggered by an economic downturn, organisations are closely examining operational costs, system utilisation, efficiency and availability, and the means to grow and expand business. Changes in the economic and regulatory environment are also driving a need for improved security and greater data storage capacity.
Almost all organisations have a high dependency on technology and information systems, and operational efficiency and availability are fundamental to the success of an organisation. They are seeking IT services and an architecture that are reliable, flexible, responsive and low-cost. As a business imperative, the apparent operational effectiveness of cloud computing is compelling.
There have been several cyclical trends in seeking cost savings and improved performance, including centralisation of data operations and outsourcing. Outsourcing has often failed to deliver the promised cost savings and service quality, and operational responsiveness has also degraded. In seeking to manage outsourced services effectively, many organisations have employed IT Service Management and other best practices to reduce risk. Unfortunately, a consequence is often increased overhead and reduced flexibility and agility [29].
Organisations have also explored virtualisation, only to find increased complexity and the phenomenon of virtual sprawl. Virtual sprawl is a generic term used to describe the unplanned and uncontrolled proliferation of virtual machines in a virtualised environment. Some of these characteristics are a result of poor establishment processes and poor virtual machine (VM) management. This can result in unnecessary power consumption, misallocation of physical machine resources, and increased cost of VM and software application licences. There are several aspects to virtual sprawl, including [30]:
Underutilised or unused VMs
Offline VMs
Orphan or unauthorised VMs
Out of Inventory VMs (Invisible Inventory)
Resource Sprawl (Over-Provisioning)
Excess Snapshots
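As an added example (not code from the paper or from any of its cited sources), the six sprawl categories above can be turned into a detection pass over a VM inventory, which is how an operations or security team would find sprawl rather than describe it. The inventory layout, the thresholds and the sample VMs are assumptions for illustration; a real run would fill the same fields from a hypervisor or CMDB export.

```python
"""Flag the six virtual-sprawl categories listed above in a VM inventory.

Added example, not code from the original paper. The inventory layout and
the thresholds are assumptions; a real run would fill the same fields from a
hypervisor or CMDB export instead of the constructed sample below.
"""
from dataclasses import dataclass
from typing import Dict, List

# Thresholds are assumptions for illustration; tune them to the estate.
IDLE_CPU_PCT = 5.0           # 30-day average CPU below this counts as idle
IDLE_MEM_PCT = 10.0          # 30-day average memory below this counts as idle
OVERPROVISION_FACTOR = 4.0   # allocation more than 4x the 30-day peak
MAX_SNAPSHOTS = 3            # more snapshots than this is excess
MAX_SNAPSHOT_AGE_DAYS = 30   # a snapshot older than this is excess


@dataclass
class VM:
    name: str
    power_state: str           # "on" or "off"
    owner: str                 # "" when nobody claims the VM
    approved: bool             # created through the establishment process?
    in_cmdb: bool              # recorded in the asset inventory?
    vcpus: int
    mem_gb: float
    avg_cpu_pct: float         # 30-day average utilisation of the allocation
    avg_mem_pct: float
    peak_cpu_pct: float        # 30-day peak utilisation of the allocation
    peak_mem_pct: float
    snapshot_count: int
    oldest_snapshot_days: int


def classify_sprawl(inventory: List[VM]) -> Dict[str, List[str]]:
    """Return, per sprawl category, the names of VMs that fall into it.

    A VM can appear in several categories; an orphan that is also idle is
    both an authorisation problem and a cost problem."""
    findings: Dict[str, List[str]] = {
        "underutilised_or_unused": [],
        "offline": [],
        "orphan_or_unauthorised": [],
        "out_of_inventory": [],
        "resource_sprawl": [],
        "excess_snapshots": [],
    }
    for vm in inventory:
        if vm.power_state == "off":
            findings["offline"].append(vm.name)
        elif vm.avg_cpu_pct < IDLE_CPU_PCT and vm.avg_mem_pct < IDLE_MEM_PCT:
            findings["underutilised_or_unused"].append(vm.name)
        if not vm.owner or not vm.approved:
            findings["orphan_or_unauthorised"].append(vm.name)
        if not vm.in_cmdb:
            findings["out_of_inventory"].append(vm.name)
        # Over-provisioning: the peak never came close to the allocation.
        # Peak is a percentage of the allocation, so 100 / peak is the
        # ratio of what was allocated to what was ever used.
        if vm.power_state == "on" and vm.peak_cpu_pct > 0 and vm.peak_mem_pct > 0:
            cpu_ratio = 100.0 / vm.peak_cpu_pct
            mem_ratio = 100.0 / vm.peak_mem_pct
            if cpu_ratio > OVERPROVISION_FACTOR and mem_ratio > OVERPROVISION_FACTOR:
                findings["resource_sprawl"].append(vm.name)
        if (vm.snapshot_count > MAX_SNAPSHOTS
                or vm.oldest_snapshot_days > MAX_SNAPSHOT_AGE_DAYS):
            findings["excess_snapshots"].append(vm.name)
    return findings


def flagged_vms(findings: Dict[str, List[str]]) -> List[str]:
    """Sorted, de-duplicated list of every VM that hit at least one category."""
    return sorted({name for names in findings.values() for name in names})


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    VM("web-01", "on", "ops", True, True, 4, 8, 45, 60, 90, 80, 1, 5),
    VM("test-old", "on", "", False, True, 2, 4, 1, 5, 8, 12, 0, 0),
    VM("db-archive", "off", "dba", True, True, 8, 32, 0, 0, 0, 0, 5, 200),
    VM("shadow-vm", "on", "dev", True, False, 2, 4, 30, 40, 60, 70, 0, 0),
    VM("batch-fat", "on", "finance", True, True, 16, 64, 12, 15, 20, 22, 2, 10),
]

if __name__ == "__main__":
    report = classify_sprawl(SAMPLE_INVENTORY)
    for category, names in report.items():
        print(f"{category:26s} {', '.join(names) or '-'}")
    print("flagged:", flagged_vms(report))
```

The one design point worth noting is that "underutilised" and "over-provisioned" are deliberately separate tests: the first looks at average use and catches machines nobody is really using, the second looks at peak use against allocation and catches machines that are busy but sized for a load that never arrives. Both waste host capacity and licences, but the remediation (decommission versus right-size) is different.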
A 2011 UK poll of 450 organisations, conducted by Vanson Bourne on behalf of the Cloud Industry Forum [31], indicated that flexibility was the principal driver for the adoption of cloud technologies, followed by cost savings. Key findings are illustrated in Figure 7 below.
29 Private Cloud: A Technical Perspective, Microsoft Corporation, 2012, http://technet.microsoft.com/en-us/cloud/hh147296.aspx
30 Virtual Sprawl Is Not the Real Problem, David M. Lynch, 09 February 2010, Virtualization Journal, http://virtualization.sys-con.com/node/1278730
31 Primary Drivers for Cloud Adoption in the UK, onestopclick researching hosting solutions, Cloud Industry Forum: Vanson Bourne research poll, July 19, 2011, http://hosting.onestopclick.com/topic/145/439/primary-drivers-for-cloud-adoption-in-the-uk.html
The poll also found that larger organisations were more likely to name cost savings than small organisations (22% and 10% respectively), and public sector organisations were more likely to name cost savings as a primary driver than those in the private sector (22% and 14% respectively). It is interesting to note that, in spite of economic drivers, Return on Investment (RoI) was reported by only three percent of respondents as a principal driver. It is also interesting to note that 73% of respondents indicated an expected increase in cloud adoption over the next twelve months, but the adoption was spread across a wide range of applications and functions. No respondents indicated a complete move to cloud in the foreseeable future. Table 1 below provides the detail of the areas in which cloud services are expected to increase.
Figure 7 - Cloud Industry Forum: Vanson Bourne research poll
A fundamental of cloud adoption is that not all legacy applications are suitable for, or should be moved to, a cloud environment. Many smaller applications will have been developed internally and assume direct access to resources. As such, these smaller applications are rarely suitable for use in a virtualised environment. Some specialist applications require software protection dongles to run, and the dongle software protection model is seldom compatible with a virtualised or cloud environment. Application compatibility has been raised in several discussions on cloud, illustrated by findings of the May 2012 survey [32] conducted by Freeform Dynamics, Figure 8 below.
Figure 8 - Application Compatibility.
32 Private Cloud in Context: What's it for and where does it fit?, Dale Vile, Freeform Dynamics Ltd, May 2012, http://www.freeformdynamics.com/fullarticle.asp?aid=1534
Figure 7 data (pie chart legend, in the order extracted): 52% Flexibility; 16% Cost Saving; 14% Low Cost of Adoption; 7% New Service Offering; 6% Skills Gap; 3% RoI; 2% Other.
These findings are also supported by a Microsoft Operators Channel analysis of cloud adoption by small and medium-sized businesses (SMBs) [33]. Published in 2012, this research report was based on survey data collected by Edge Strategies Inc. The survey questioned 3,000 SMBs employing between 2 and 250 employees across 13 countries worldwide (including Australia but not New Zealand). The Microsoft research identified the following key drivers:
Economic uncertainty;
Increasing costs of materials;
Customer demand;
Increasing costs of labour;
Cash flow shortage; and
Regulatory uncertainty.
There is some additional evidence that the initial focus on cost savings as a primary driver is being superseded by an acknowledgement that the strategic drivers are of greater importance in the longer term. A report from Accenture on cloud computing in Australia [34] commented that, alongside the promise of expanded capabilities and significant savings, the strategic potential is gaining ground. Examples provided include:
Converged information and communications technology (ICT) services in the communications industry.
A smart grid/automated meter infrastructure solution in the utilities industry.
Expanded multichannel retailing and key business operations, including online content, search, point of sale (POS) and data analytics, in the retail industry.
33 Drivers & Inhibitors to Cloud Adoption for Small and Midsize Businesses, Microsoft Operators Channels, Microsoft Corporation, 2012, http://www.microsoft.com/en-us/news/presskits/telecom/docs/SMBCloud.pdf
34 Cloud computing in Australia - An evolution, not a revolution, Accenture, 2012, http://www.accenture.com/au-en/Pages/insight-cloud-computing-australia.aspx?c=tek_nzcldpsgs&n=g_Cloud_Services_-_Adoption-_NZ/a_0_k/cloud_adoption&KW_ID=sqyKw33uH|pcrid|13149252396
Table 1 - Services moving to the Cloud
The Risks and Benefits of Cloud Computing
The drivers for cloud adoption often describe the benefits but pay little attention to risks and costs. As with all benefits, however, associated risks should be identified and assessed in order to avoid situations where the value of the benefits is outweighed by the cost of managing and mitigating risk and dealing with the consequences of any threat materialising. The adoption of cloud may not be the solution to all organisational requirements, and the degree of cloud adoption will also be influenced by the organisation's risk appetite [35].
A key factor in identifying benefits and risks is the service and deployment model adopted by organisations. Service and deployment models are continuing to evolve as service offerings are developed by vendors and knowledge of pragmatic, robust and secure solutions grows. Irrespective of the combination of service offerings and deployment models, organisations will make basic choices between out-sourced and in-sourced technologies and between buying and building services. This is illustrated in Figure 9 below [36]:
Figure 9 - Cloud Service Model Selection
35 Calculating Cloud RoI: From the Customer Perspective, ISACA, July 2012, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Calculating-Cloud-RoI-From-the-Customer-Perspective.aspx
36 Private Cloud: A Technical Perspective, Microsoft Corporation, 2012, http://technet.microsoft.com/en-us/cloud/hh147296.aspx
An additional factor in the choice of service model is the required degree of growth and scalability. Inevitably this will come at a cost. Many public clouds use metering of resources as the basis for charging. Conversely, a private cloud service model will provide greater scalability than a legacy environment without the public cloud metering charges [37]. The trade-off is that private clouds are, theoretically, limited in capacity compared with public clouds.
The Risks of Cloud Services
While cost savings have been the most visible and best promoted perceived benefit of cloud services, the risks of cloud have not been comprehensively identified and are less well understood. As with all technologies, informed risk decisions are fundamental to rational adoption and to safeguarding the interests of the organisation and its stakeholders. In 2010, the Cloud Security Alliance (CSA) published a summary of the top threats to cloud computing [38]. This summary listed mainly technical threats and vulnerabilities. A more detailed publication from CSA, Security Guidance for Critical Areas of Focus in Cloud Computing [39], deals with architectural, governance and operational risks and challenges. Taking these and other sources into account, the principal categories of risk of cloud services include:
Technology performance and maturity;
Organisational requirements;
Poor architectural design;
Cost models;
Multi-domain nature of cloud;
Governance and compliance;
Security;
Privacy;
Staff; and
Unwinding contracts & decommissioning.
The organisation's business model may encompass consideration of authentication, data security, privacy, availability, continuity, connection to internal systems and ownership issues. The Cloud Security Alliance has defined categories of security service, providing ten categories of security service in a cloud environment and identifying core functionalities, challenges (risks) and threats [40].
Ownership is an important consideration in a cloud or virtualised environment, covering aspects such as:
Data ownership at each stage of processing, storage and retrieval;
Data recovery, for example with changes in ownership of the service provider and more particularly if the service provider ceases trading;
Data remanence: there is no clear standard for recycling of memory/disk, and copies of data may remain in the cloud service provider's backups;
Jurisdiction governing the data at each stage of processing, storage and retrieval;
Ownership and licensing of the applications;
Responsibility for security services;
Responsibility for managing and reporting data breaches; and
Access to network data for management purposes.
37 The Benefits of Private Clouds, CDW VMware, http://resources.itworld.com/ccd/assets/26090/detail
38 Top Threats to Cloud Computing V1.0, Cloud Security Alliance, March 2010, https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
39 Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, 2011, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
40 SecaaS, Security as a Service, Defined Categories of Service 2011, Cloud Security Alliance, https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
Changed Business Model
Adoption of cloud technologies will fundamentally change organisational IT services, service delivery, customer service models and how organisations use IT. Organisations must change their business operating model, and organisational leadership must become conversant with cloud, its risks and how to manage those risks, if the benefits are to be realised. The complexity of a move to cloud must also be understood by business leaders, as this will have a significant effect on risk, cost and the business model itself. Given that a move to cloud is a game-changer in relation to the business operating model, this is a key strategic decision that business owners and senior executives must carefully consider.
The Benefits of Cloud Adoption
The potential advantages of, and risks related to, the adoption of cloud technologies are summarised in Table 2 below [41-48]. These can be categorised into five key areas:
1. Financial; 2. Operations; 3. Security; 4. Regulatory and Legal; and 5. Staff.
Associated with each group are a series of risks. It should be noted, however, that the cloud service model selected will have a significant influence on the risk profile, as some risks can be avoided by judicious selection of the cloud service model.
41 The Pros and Cons of Cloud, Gen-i, http://www.gen-i.co.nz/Solutions/Cloud/Pages/What-is-Cloud.aspx
42 Gartner Says Location Is Critical For the Sustainable Future of Outsourced Data Storage and Cloud Services, Gartner research, http://na2.www.gartner.com/it/page.jsp?id=1732714
43 Cloud computing in Australia - An evolution, not a revolution, Accenture, 2012, http://www.accenture.com/au-en/Pages/insight-cloud-computing-australia.aspx?c=tek_nzcldpsgs&n=g_Cloud_Services_-_Adoption-_NZ/a_0_k/cloud_adoption&KW_ID=sqyKw33uH|pcrid|13149252396
44 Addressing Data Security Challenges in the Cloud: The Need for Cloud Computing Security, A Trend Micro White Paper, July 2010, http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_addressing-security-challenges-in-the-cloud.pdf
45 IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, ISACA, 2011, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx
46 The RoI of Cloud Apps, Liz Herbert and Jon Erickson, Forrester Research, 23 June 2011, http://resources.idgenterprise.com/original/AST-0062511_The_RoI_Of_Cloud_Apps.pdf
47 An Essential Guide to Possibilities and Risks of Cloud Computing, Maria Spinola, June 2009, http://www.mariaspinola.com/whitepapers/An_Essential_Guide_to_Possibilities_and_Risks_of_Cloud_Computing-A_Pragmatic_Effective_and_Hype_Free_Approach_For_Strategic_Enterprise_Decision_Making.pdf
48 Calculating Cloud RoI: From the Customer Perspective, ISACA, July 2012, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Calculating-Cloud-RoI-From-the-Customer-Perspective.aspx
Quantifying and monetising risk is more challenging, particularly as there is likely to be little historical data, and any analogues are notoriously organisation-specific and therefore unreliable indicators when applied to other organisations or industry sectors.
Cost models and modelling should, therefore, be carefully examined to ensure they are rational, pragmatic, as complete as possible and will support executive decision making.
Cloud-specific cost benefits may include:
1. Cost reduction by reducing lost opportunities caused by delays in market responsiveness and lack of flexibility. Flexibility allows organisations to create new capabilities to take advantage of opportunities in a faster and more cost-effective manner.
2. Reducing Total Cost of Ownership (TCO) by commoditising IT requirements and reducing the levels of expertise necessary to manage and run IT systems within an organisation.
3. Cost savings through consolidation of infrastructure and reducing total support costs.
4. Cost savings from labour and application development, support and licensing costs.
5. Improved margin and cost control through more accurate right-sizing of IT resources.
6. Flexibility to enable rapid and dynamic provisioning and retirement as operational needs change.
7. Flexibility and dynamic provisioning can foster process improvement by allowing low-cost investment in new processes.
8. Reduction in capital investment.
While a great deal has been made of the cost savings of cloud, much will depend on the service model adopted. A 2011 benchmark study by the Aberdeen Group reported that private cloud delivers twelve percent combined annual cost savings over public cloud on a per-application basis [49]. There is great reliance on cost modelling as a basis for decision making, so it is vital that the cost analysis is as complete as possible, dealing with both cost savings (operational efficiency) and cost avoidance (better security, resilience and compliance).
49 Security and Cloud: Private, or Public?, Derek Brink, Aberdeen Group, September 2011,
http://www.aberdeen.com/aberdeen-library/6832/RA-private-public-cloud.aspx
Table 2 - Cloud Adoption Potential Benefits and Risks

Financial
  Advantages: Opex vs Capex; Lower total operating cost; Pay as you go; Reduced investment in data centre and/or technology assets.
  Risks: Bandwidth cost; Cost model and RoI; Incomplete financial and cost data.

Operations
  Advantages: Flexibility; Scalability; Agility; Technology performance and maturity; Self-provisioning capability; Efficiency through automation; Reducing waste/energy consumption; Improved availability; Reduction in manual processes.
  Risks: Limited scope for customisation; Bandwidth/capacity; Application performance/sprawl; Data fragmentation/replication; Poor technology performance and maturity; Organisational requirements; Rapid adoption; System resilience; DRP/BCP; Service sizing (operational density); Service orchestration; Incident response and forensics; Vendor lock-in; Interoperability/integration with legacy systems; Legacy application compatibility with cloud; Database load costs/data ingestion; Cloud integration testing; Insecure application programming interfaces (APIs).

Security
  Advantages: Consolidation; Comprehensive security architecture; Improved system monitoring; Endpoint security overhead reduced and consolidated in the cloud.
  Risks: Multi-tenancy/separation/isolation management; Co-mingling of data; Multi-domain nature of cloud; Data location/residency; Cloud provider security model; Data remanence (operational and backup); No physical control of data; Increased attack surface; Cloud service provider subcontractors; Security architecture; Access and authentication mechanisms; Communications security; Malicious insiders; Account/service/traffic hijack; Maintenance of confidentiality, integrity and availability.

Regulatory and legal
  Advantages: Environmentally friendly; Improved compliance.
  Risks: Data retention and control; Privacy and export legislation; Governance and compliance; Data ownership; Jurisdiction and sovereignty; Accountability; Auditability; Ability to respond to audit reports; Unwinding contracts & decommissioning.

Staff
  Advantages: Reduced helpdesk and technical support requirement.
  Risks: Reliance on external support; Loss of internal IT expertise that provided competitive differentiation; Staff education and buy-in.
Cost Models and Investment Analysis
In most investment and project initiation stages, stakeholders will want some form of utility analysis. This analysis can provide a number of benefits: building stakeholder support, identifying additional opportunities and prioritising initiatives [50]. The debate on the economics of a move to the cloud is intense and is invariably focused on cost saving, without recognising other important elements in the cost model, including the operational vs. capital expenditure discussion.
Traditionally an investment analysis has been monetised, although other measures, such as time saved, have been used in analyses. The basis of cost analysis is often a calculation of return on investment (RoI) using one of the commonly used methods outlined in Table 3 below [51-55].
50 Calculating RoI to Realize Project Value, Chris Schweighardt, March 27, 2010, Six Sigma, http://www.isixsigma.com/operations/finance/calculating-roi-realize-project-value
51 Performance-Based RoI, Karl M. Kapp and Nancy Vasta, Institute for Interactive Technologies, 2003, http://www.karlkapp.com/materials/roi_whitepaper.pdf
52 Computing The RoI for IT Projects and Other Investments, IT Economics Corporation, 2010, http://iteconcorp.com/RoICalc.html
53 Methods For Calculating RoI And Bottom-Line Impact, Paul Bernthal, DDI Center For Applied Behavioral Research, http://66.179.232.89/pdf/ddi_methodsforcalculatingroi_wp.pdf
54 Calculating Return-On Investment, Version 4.0, Kenneth H. Silber, 04/03/02, www.silberperformance.com
55 Calculating CMMI-Based RoI, Reitzig et al., Software Engineering Institute, Carnegie Mellon University, 2007, http://www.sei.cmu.edu/library/assets/reitzig_07.pdf
Table 3 - RoI Calculations

Net Benefit
  Demonstrates the benefit after considering the cost. Maintains the quantum of cost and benefit.
  Calculation: Benefit - Cost

Cost Benefit Ratio (CBR)
  Demonstrates the return for every dollar invested. The quantum of cost and benefit is hidden by the calculation.
  Calculation: Benefits / Costs

Payback/Break Even
  A measure of when expenditure and revenue equate.
  Calculation: The point at which benefits (revenue) equal cost/expenditure

RoI %
  Demonstrates the percentage of return for every dollar invested when considering cost. The quantum of cost and benefit is hidden by the calculation.
  Calculation: Net Benefits / Cost, as a percentage

Discounted RoI
  Similar to RoI % but also takes into account the time value of money using an agreed discount rate. The quantum of cost and benefit is hidden by the calculation.
  Calculation: Net Present Value (NPV) of Benefits / Total Present Value of Cost. Internal rate of return (IRR) or discounted cash flow (DCF) can also be used in place of NPV.
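The five calculations in Table 3, as an added example that is not code from the paper or its cited sources. Cash flows are lists indexed by period, with period 0 as the initial outlay; that layout, the discount rate and the sample figures ($100,000 outlay, $40,000 of benefit per year for four years) are assumptions. Discounted RoI is computed in net form, (PV of benefits - PV of costs) / PV of costs, so that it reads on the same scale as RoI %, and an IRR routine is included because Table 3 allows IRR in place of NPV.

```python
"""The RoI calculations of Table 3 as runnable functions.

Added example, not code from the original paper. Cash flows are lists
indexed by period (period 0 is the initial outlay, later entries are
years); that layout and the sample figures are assumptions.
"""
from typing import List, Optional


def net_benefit(benefits: List[float], costs: List[float]) -> float:
    """Net Benefit = Benefit - Cost, on undiscounted totals."""
    return sum(benefits) - sum(costs)


def cost_benefit_ratio(benefits: List[float], costs: List[float]) -> float:
    """CBR = Benefits / Costs: return per dollar invested (quantum hidden)."""
    return sum(benefits) / sum(costs)


def roi_pct(benefits: List[float], costs: List[float]) -> float:
    """RoI % = Net Benefits / Cost, as a percentage."""
    return 100.0 * net_benefit(benefits, costs) / sum(costs)


def payback_period(benefits: List[float], costs: List[float]) -> Optional[float]:
    """Period at which cumulative benefits first equal cumulative costs.

    Interpolates linearly inside the crossing period; None if the outlay
    is never recovered within the horizon given."""
    cumulative = 0.0
    for t, (b, c) in enumerate(zip(benefits, costs)):
        previous = cumulative
        net = b - c
        cumulative += net
        if cumulative >= 0:
            if t == 0 or net <= 0:
                return float(t)
            return (t - 1) + (-previous) / net
    return None


def present_value(flows: List[float], rate: float) -> float:
    """Discount each period's flow back to period 0 at the agreed rate."""
    return sum(f / (1.0 + rate) ** t for t, f in enumerate(flows))


def discounted_roi_pct(benefits: List[float], costs: List[float], rate: float) -> float:
    """Discounted RoI = (PV of benefits - PV of costs) / PV of costs, as a
    percentage. Table 3 words it as NPV of benefits over total present
    value of cost; the net form keeps it on the same scale as RoI %."""
    pv_benefits = present_value(benefits, rate)
    pv_costs = present_value(costs, rate)
    return 100.0 * (pv_benefits - pv_costs) / pv_costs


def irr(benefits: List[float], costs: List[float],
        low: float = -0.99, high: float = 10.0, steps: int = 200) -> float:
    """Internal rate of return by bisection: the discount rate at which the
    NPV of (benefits - costs) is zero. Table 3 notes IRR may replace NPV.
    Assumes a conventional flow (outlay first, inflows later) so that NPV
    falls monotonically as the rate rises."""
    net = [b - c for b, c in zip(benefits, costs)]
    for _ in range(steps):
        mid = (low + high) / 2.0
        if present_value(net, low) * present_value(net, mid) <= 0:
            high = mid
        else:
            low = mid
    return (low + high) / 2.0


# Constructed sample: $100,000 outlay, $40,000 of benefit in each of four years.
EXAMPLE_COSTS = [100_000.0, 0.0, 0.0, 0.0, 0.0]
EXAMPLE_BENEFITS = [0.0, 40_000.0, 40_000.0, 40_000.0, 40_000.0]
DISCOUNT_RATE = 0.10   # agreed discount rate, an assumption

if __name__ == "__main__":
    print("Net benefit      :", net_benefit(EXAMPLE_BENEFITS, EXAMPLE_COSTS))
    print("CBR              :", cost_benefit_ratio(EXAMPLE_BENEFITS, EXAMPLE_COSTS))
    print("Payback (years)  :", payback_period(EXAMPLE_BENEFITS, EXAMPLE_COSTS))
    print("RoI %            :", roi_pct(EXAMPLE_BENEFITS, EXAMPLE_COSTS))
    print("Discounted RoI % :", round(discounted_roi_pct(EXAMPLE_BENEFITS, EXAMPLE_COSTS, DISCOUNT_RATE), 2))
    print("IRR              :", round(irr(EXAMPLE_BENEFITS, EXAMPLE_COSTS), 4))
```

On the sample figures the undiscounted RoI is 60% but the discounted RoI at 10% is under 27%, which is the point Table 3 makes about the time value of money: a business case that only quotes the undiscounted number overstates a multi-year return.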
There are some generally accepted categories of cost which are included in RoI calculations. There are,
however, some additional categories, such as opportunity cost, which may also appear. The lack of
standardisation can create difficulties when comparing results with similar organisations or industry norms.
Generic categories of cost are outlined in Table 4 below:
Table 4 - Generic Cost Categories
Personnel: Staff, training, recruitment.
Equipment: Capital purchase and commissioning costs.
Operating: Overhead/operating costs, including outsourcing.
Transition: Any switch-over, parallel running and decommissioning costs.
Project Costs: Design, consultants and other one-time costs which would not otherwise be incurred.
Opportunity Costs: Any lost opportunities through commitment of funds, availability of staff etc.
Identifying and Assessing Benefits
Identifying and assessing benefits can be the most difficult and controversial part of an RoI calculation. RoI models are inherently deterministic, in that the underlying assumption is that all or most key values will be identified and measured. As benefits can be tangible (reduced cost of operating) and intangible (improved customer satisfaction), it should be remembered that benefit assessment is not precise. Often there is little quantitative data to support a benefits assessment and, in some cases, historical data and precedent may be of little value. There are also likely to be several subjective elements and estimates included in the overall assessment, which are difficult to monetise.
It is important to be pragmatic, as time and resources are invariably limited, as may be the available data. Rational assumptions are often part of such analyses, but it is important to validate these assumptions and ensure that they do not outweigh the available data.
Security RoI
The RoI of security is often difficult to determine: security is a cost of doing business, but security does not, in and of itself, generate revenue or returns. It can, however, deliver significant benefits in the form of cost savings from not having to deal with the consequences of security and privacy breaches, information and intellectual property loss (and so lost opportunities) and recovery.
Return on Security Investment
The concept of Return on Security Investment (RoSI) has been proposed as a variation of the RoI concept to more accurately deal with the benefits of security investment and the lack of direct revenue generation. RoSI is defined in terms of the value of the risk mitigation, less the cost of the security measure, therefore deriving and monetising the benefit. The investment in security is judged to be profitable if the value of the risk mitigation is greater than the expected cost [56].
RoSI = monetary risk mitigation - cost of security control
Alternatively, RoSI can be expressed using the following formula [57]:
RoSI = ((Risk Exposure x %Risk Mitigated) - Cost of Security) / Solution Cost
A simple example is illustrated below. Assuming:
Estimated cost of damage $25,000 per successful malware attack
4 malware attacks annually
Cost of security measure is $25,000
Effectiveness of security measure = 75% (3 out of 4 malware attacks)
Then the risk exposure is: 25,000 x 4 = 100,000. Applying the formula:
((100,000 x 75%) - 25,000) / 25,000 = 200%
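To make the two RoSI formulas above executable, here is an added example (not code from the paper or from its cited sources) that reproduces the worked case and adds two helpers a practitioner would want next to it: the break-even effectiveness a control must reach before it pays for itself, which is the useful number when the incident-rate estimate is the weakest input, and a combined-effectiveness estimate for layered controls. The layering helper assumes the controls fail independently, which is an assumption of this example and not a result from the paper.

```python
"""Return on Security Investment (RoSI) as runnable functions.

Added example, not code from the original paper. The worked case uses the
figures given in the text ($25,000 per successful malware attack, four
attacks a year, a $25,000 control that stops three of the four). The
layered-control helper assumes the controls fail independently, an
assumption the text itself warns rarely holds in practice.
"""
from typing import Dict, Sequence


def risk_exposure(cost_per_incident: float, incidents_per_year: float) -> float:
    """Annual risk exposure: expected loss per year with no control in place."""
    return cost_per_incident * incidents_per_year


def rosi_net(exposure: float, mitigated_fraction: float, control_cost: float) -> float:
    """RoSI = monetary risk mitigation - cost of security control."""
    return exposure * mitigated_fraction - control_cost


def rosi_pct(exposure: float, mitigated_fraction: float, control_cost: float) -> float:
    """RoSI % = ((Risk Exposure x %Risk Mitigated) - Solution Cost) / Solution Cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return 100.0 * (exposure * mitigated_fraction - control_cost) / control_cost


def break_even_effectiveness(exposure: float, control_cost: float) -> float:
    """Smallest mitigated fraction at which the control pays for itself (RoSI = 0)."""
    return control_cost / exposure


def combined_effectiveness(fractions: Sequence[float]) -> float:
    """Mitigation of several layered controls, 1 - prod(1 - e_i), assuming
    each control's failures are independent of the others (an assumption)."""
    remaining = 1.0
    for e in fractions:
        remaining *= 1.0 - e
    return 1.0 - remaining


def worked_example() -> Dict[str, float]:
    """The case from the text: exposure 100,000; 75% mitigated; $25,000 control."""
    exposure = risk_exposure(25_000.0, 4)
    return {
        "exposure": exposure,
        "rosi_net": rosi_net(exposure, 0.75, 25_000.0),
        "rosi_pct": rosi_pct(exposure, 0.75, 25_000.0),
        "break_even_effectiveness": break_even_effectiveness(exposure, 25_000.0),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:26s} {value:,.2f}")
    # Two controls at 75% and 50%, if independent, stop 87.5% between them.
    print("layered (0.75, 0.50):", combined_effectiveness([0.75, 0.50]))
```

The break-even figure for the worked case is 25%: the control only has to stop one attack in four to cover its own cost, so the decision is robust to a fairly large error in the estimated attack rate. That sensitivity question is usually more useful to a decision maker than the headline 200%.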
56 Methodologies For Evaluating Information Security Investments - What Basel II Can Change In The Financial Industry, Christian Locher, University of Regensburg, http://is2.lse.ac.uk/asp/aspecis/20050136.pdf
57 Return On Security Investment (ROSI): A Practical Quantitative Model, Wes Sonnenreich, SageSecure, LLC, http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf
While this approach has some limitations, in that security risks cannot be viewed in isolation, it does provide a more rational view of the benefit to an organisation compared with traditional RoI approaches. It must also be recognised that security elements are invariably interactive and no one element is completely effective in isolation; they all rely, to some degree, on the effectiveness of complementary security measures. In addition, security measures must be dynamic and able to respond to a changing technology and threat environment, or they risk becoming less effective over time. Security risk assessments are, therefore, invariably based on short timeframes. It is difficult to calculate all the costs related to the potential damage of an incident because of the complexity of the effects, which may include [58]:
The scope of the potential incident and which locations, business units and processes would be affected;
The cost of purchasing equipment, goods and materials that were damaged by the incident;
The staff cost of investigating and resolving the incident;
Any consequential legal and/or contractual penalties or consequences, e.g. a privacy breach; and
Lost revenues from existing and potential clients.
Of greater difficulty, however, is the ability to estimate the likelihood of such incidents because there is
rarely any useful historical data to support such estimates.
Researchers at MIT and Stanford have reported that returns on security investment are higher when security is incorporated early into design and development [59]. The implication is that early incorporation of security can significantly affect the RoSI calculation. For example, in systems development there is a:
21% return on security investment at the software design phase;
15% return at the implementation stage; and
12% return at the testing stage.
It is clear from these findings that early inclusion of security into overall design is beneficial.
These points have been emphasised in ISACA's G41 Return On Security Investment (ROSI), IT Audit and Assurance Guideline [60], in describing the requirements for a security metrics programme to support any investment modelling and decision making. In particular:
Metrics must yield quantifiable information such as percentages, averages and numbers;
Data supporting metrics must be readily available;
Only a repeatable process must be considered for measurement;
Metrics must be useful for tracking performance and directing resources; and
Metrics should not be expensive or laborious to gather.
58 Is it possible to calculate the Return on Security Investment (ROSI)?, Dejan Kosutic, 13 June 2011, http://blog.iso27001standard.com/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/
59 Calculating Return on Security Investment, Scott Berinato, 15 February 2002, CIO Magazine, http://www.cio.com/article/30856/Calculating_Return_on_Security_Investment_
60 G41 Return On Security Investment (ROSI), 05 February 2010, ISACA, http://www.isaca.org/Knowledge-Center/Standards/Documents/G41-ROSI-5Feb10.pdf
Security metrics may include several characteristics such as:
Implementation metrics - measure the implementation of the security policy;
Effectiveness/efficiency metrics - measure the results of security solutions; and
Impact metrics - measure the impact on the business due to security events.
The ISO/IEC 2700x suite of information technology standards is widely accepted and has been developed and refined over a number of years. In general terms the standards are risk-based and require a management system approach for information security61. This includes the determination and collection of security metrics, which supports benchmarking and benefit analysis, as well as providing a consolidated view of an organisation's information security. The difficulty of examining security measures in isolation remains, because of the complex interaction between such measures.
In spite of the difficulties, there are some clear advantages in using RoSI over RoI to support
investment decisions in that it is risk based; it recognises that security investments rarely generate
direct returns and it presents results in a manner that can be easily understood.
Security Costs
There are a number of aspects to security costs that should be recognised when compiling cost data for RoSI calculations, in addition to the cost of the security initiative itself. These can also be divided into direct and indirect costs, as illustrated in Figure 10 below62.
Figure 10 - Cost Dimensions
61 Information Technology Security Techniques, various standards in the ISO/IEC 2700x series, http://www.iso.org/iso/home/search.htm?qt=27001&published=on&active_tab=standards&sort_by=rel
62 A Closer Look at Information Security Costs, Matthias Brecht, University of Regensburg, Germany and Thomas Nowey, Krones AG, Neutraubling, Germany, http://weis2012.econinfosec.org/papers/Brecht_WEIS2012.pdf
There may also be consequential costs such as those:
Caused by information security incidents;
Of managing information security;
Related to information security measures; and
Of capital, induced by information security risks.
In order to provide a comprehensive view of the cost and benefit of the security initiative, it is
important that these several aspects of cost are recognised. In a risk-based analysis, such as RoSI, this
is a distinct advantage as the avoidance of significant consequential cost increases the benefit value.
Cloud RoI
Virtualisation is often a first step in a move to private cloud and requires careful planning. In common with many IT projects it has the potential to impact an entire organisation. The effect of poor planning and funding is described as virtualisation stall. What is often not factored into benefit calculations is that the ratio of virtualisation infrastructure cost to virtualisation software cost is a little over 10:1. In other words, for every dollar spent on software, another ten to twelve dollars is required for the necessary infrastructure63.
Cloud computing introduces some additional difficulties and nuances in the preparation of RoI analyses. It may identify cost reduction, productivity enhancement and revenue transformation benefits, although there may be a large intangible portion to these benefits. Intangibles are difficult to measure and typically manifest over time, rather than being immediately apparent and measurable64. Another aspect that is often ignored is the sunk cost of IT infrastructure, particularly where the expected economic life of the assets has several years to run.
Challenges in Cloud Computing Benefit Analysis
As well as challenges in identifying and quantifying cloud benefits, there are particular challenges in analysing the RoI of cloud investment. These can be summarised as:
1. The cost model is often incomplete, there is little supporting data, and there is often a narrow interpretation and poor understanding of the limitations of such cost analyses.
2. The cost of connectivity, particularly international traffic, can be difficult to determine without some experimentation.
3. Operational density can be a significant cost determinant.
4. Asset reduction and consolidation can be difficult to measure and may be time-bound.
5. Aligning costs and benefits.
6. Apparent one-time costs that can extend over the life of the initiative.
7. Some costs and benefits will relate to the larger organisation, rather than a specific project.
8. Double counting, for example productivity improvement and the reduction in sales order processing time.
9. Ensuring cloud security provides the requisite degree of assurance, confidentiality, availability and integrity in an organisation's IT systems and data.
63 How to Avoid the Perils of Virtualization and Cloud Stall, Thor Olavsrud, CIO.com, 10 April 2012, http://www.cio.com/article/703956/How_to_Avoid_the_Perils_of_Virtualization_and_Cloud_Stall
64 5 Ways To Compute Cloud Computing RoI, Cloud Tweaks, 08 August 2012, http://www.cloudtweaks.com/2012/08/5-ways-to-compute-cloud-computing-roi/
In addition to these challenges, five hidden costs have been identified by ISACA in their white paper Calculating Cloud RoI: From the Customer Perspective65. These are:
1. Cost of bringing services back in-house due to regulatory change (e.g., stricter data privacy laws).
2. Cost of implementing and operating countermeasures to mitigate risk.
3. Unexpected expenses involved in initial migration of systems.
4. Loss of internal IT knowledge providing competitive differentiation.
5. Lock-in with a specific cloud provider or proprietary service model, which may slow down future adoption of open standards-based services.
Where regulatory changes occur, an organisation may have to recover data from the cloud and process it in-house. The recovery will require validation of the data's accuracy; shredding or sanitising data stored in the cloud; configuring in-house systems to replace cloud services; payment of early termination penalties; and reallocating IT resources to support services and purchasing equipment to host services.
Migration costs are likely to apply in addition to software licensing and support, cloud provider, cloud system administration and data communication fees. These migration costs may include the costs of conversion or recoding application interfaces to work in a cloud environment, reformatting data or creating data conversion APIs, establishing a federated identity and access management schema, and developing organisational processes to manage the cloud and cloud service provider relationship66. Not all public cloud service providers formally offer data ingestion services, leaving the problem of moving large data sets to the customer67.
While RoI is an acknowledged means of benefit analysis, the complexity of cloud may require other
methods, such as total cost of ownership (TCO) in order to provide a basis of comparison. There is
also the need to include sufficient detail to facilitate decision making but overly complex calculations
may be an impediment, rather than an aid to decision making.
Given the difficulty of RoI calculation in a cloud environment, the alternative RoSI approach is considered to provide greater utility and pragmatism, and to support faster decision making.
Operational Density
All operations have peaks and troughs. Failure to anticipate these operational variances can lead to under- or over-provisioning68. Fundamental to understanding requirements is an analysis of the application and business requirements mapped against the hosting environment. This is illustrated in Figure 11 below69.
65 Calculating Cloud RoI: From the Customer Perspective, ISACA, July 2012, http://www.isaca.org/Knowledge-Center/Research/Documents/CalculatingCloudRoI-WP.pdf?id=444c2009-e0a8-455a-ae1c-4bbe0d098eb9
66 5 Hidden Costs Of Cloud Migration, Jack McCarthy, CRN, 06 August 2012, http://www.crn.com/slide-shows/cloud/240004991/5-hidden-costs-of-cloud-migration.htm?pgno=2
67 Cloud mega-uploads aren't easy, Simon Sharwood, APAC Editor, The Register, http://www.theregister.co.uk/2012/05/21/cloud_ingestion/
68 Part the Clouds: Learn the Basics, Dell, May 2011, http://resources.idgenterprise.com/original/AST-0062581_Cloud_Solutions_Mini_Whitepaper_Learn_the_Basics.pdf
69 Capacity Reservation System for Virtual & Cloud Environments, Andrew Hiller, CiRBA Inc., http://whitepaper.idgconnect.co.uk/cmsdata/whitepapers/3355861/CapacityReservationSystemforVirtualandCloudEnvironments_CiRBA2012_2.pdf
Figure 11 - Hosting Environment Analysis
Operational density can be described as the consolidation of operations for maximum efficiency, taking
into account pipeline management and operational supply and demand peaks and troughs. In other
words, workload density in virtual and cloud environments is a balance between too much and too little
infrastructure. This is illustrated in Figure 12 below:
Figure 12 - Workload Density
[Figure 12: Workload Density in Virtual and Cloud Environments. Horizontal axis: Density (Low to High). Vertical axis: Cost/Risk (Unit Cost, Risk; Low to High). Labelled regions: Batch & Development / Non-Critical Workloads; Critical Production Workloads.]
In this illustration the unit cost of operation is balanced against the criticality of the workloads and
allowable delays in processing. Where critical workloads are in production, a greater capacity
allowance and lower workload density is necessary to manage the risk of production delays. Non-
critical workloads can afford a higher level of processing delay and the workload density can,
therefore, be higher, thus lowering the operational unit cost.
Any decision on workload density is a decision on the level of risk an organisation is willing to take. In high-density systems, delays are unacceptable and costly. Security must, therefore, minimise any processing delay as well as prevent security incidents from becoming a source of delay.
Among the advantages of cloud computing are flexibility, pay-as-you-go and responsiveness to demand and peak loads. These cannot operate in isolation, however, as critical production workloads must be guaranteed the necessary resources. Inevitably this means some degree of capacity redundancy and associated costs. For resources that require high availability, pay-as-you-go may not be a cost-effective option, and enterprises can often leverage other service models (such as private or hybrid cloud) to reduce or contain costs70.
70 Looking Back at Joe Weinman's 10 Laws of Cloudonomics, Sourya, CloudTweaks, 16 March 2011, http://www.cloudtweaks.com/2011/03/looking-back-at-joe-weinman%E2%80%99s-10-laws-of-cloudonomics/
Governance and Compliance
Seeking business advantage, organisations are experimenting with cloud services. With the move from private to hybrid and public cloud offerings, complexity and vulnerabilities change and may increase71. There is a corresponding requirement that governance, management, risk, security, continuity and operational concerns are identified and addressed. Compliance is complex in a cloud environment, and costs can be significant as legislation and regulation are still developing, technology is rapidly evolving and processes to safely use cloud are still developing72. In addition, the issues of transparency, service levels and indemnification add to the complexity of cloud governance73. A move to the cloud, in itself, does not change fundamental information assurance requirements. As organisations explore and invest in cloud computing, control boundaries74 will change, which will, in turn, change the risk profile and introduce new risk factors requiring new strategies and processes to manage governance, risk and compliance75. The changed control boundaries are illustrated in Figure 13 below:
Figure 13 - Control Boundaries
71 Evolution to Cloud: Hybrid Cloud Drivers, Challenges and Benefits, Melinda Ballou, IDC Analyst Connection, April 2012, http://visit.collab.net/rs/collabnet/images/IDC_EvolutiontoCloud_analyst.pdf
72 Securing Cloud-Based Communications, Technology Blueprint, Quinton Jones, McAfee, 2011, http://resources.csoonline.com/ccd/assets/24450/detail?
73 Cloud governance is about more than security, Gordon Haff, CNET, 09 February 2011, http://news.cnet.com/8301-13556_3-20031137-61.html
74 K. Scott Morrison's Blog, Visualizing the Boundaries of Control in the Cloud, 01 December 2009, http://kscottmorrison.com/2009/12/
75 Information Governance Strategies in the Cloud, Susan Nunziata, CIO Insight, 22 November 2010, http://www.cioinsight.com/c/a/Latest-News/Information-Governance-Strategies-in-the-Cloud-303229/
The responsibility for governance and regulatory compliance remains with an organisation, and that responsibility cannot be contracted out to a cloud service provider. In particular, responsibility for security, privacy, access, key management, financial and related policies remains with an organisation. Cloud providers have responsibility for securing their data centres and the services that run within them, but ownership of data processed and stored in the cloud remains with the customer organisation76,77. Because the cloud is designed to be agile, dynamic and flexible by nature, traditional governance processes are less effective and have difficulty in displaying the same agility and dynamism. In these circumstances automated governance systems, based on robust rule sets and requiring little human intervention, are becoming a necessity78.
Gartner has predicted that by 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service79. While enterprises are evaluating the potential cloud benefits in terms of management simplicity, economies of scale and workforce optimisation, it is equally important that they carefully evaluate cloud services for their ability to resist security threats and attacks. Independent inspectors' certifications are predicted to become a viable alternative or complement to third-party testing. This means that instead of requesting that a third-party security vendor conduct testing on the enterprise's behalf, the enterprise will be satisfied by a cloud provider's certificate stating that a reputable third-party security vendor has already tested its applications.
Given the wide-reaching effects on an organisation, it is a fundamental part of good governance that due diligence is carried out on all aspects of engagement with a cloud service provider. To assist organisations in establishing a rational cloud governance structure and processes, a number of tools and codes of conduct are emerging. The alignment of aspects of cloud governance with recognised standards has also been explored in published research80. Some key guidance is briefly described below.
Cloud Industry Forum, Code of Practice for Cloud Service Providers
The Cloud Industry Forum81 is UK-based and was established in 2009 to provide transparency through certification to a Code of Practice for Cloud service provide