
    Cloud, Risk and Security

    Dr. Chris Roberts

    10-12 September 2012, Wellington, New Zealand

  • Cloud, Risk and Security Page 2 of 65

    Contents

    Introduction
    The Cloud Computing Market
        Evolution from virtualisation to cloud
        Adoption Patterns
    Technology performance and maturity
        Cloud as a technology
        Cloud Standards
    Key Drivers
    The Risks and Benefits of Cloud Computing
        The Risks of Cloud Services
        Changed Business Model
        The Benefits of Cloud Adoption
    Cost Models and Investment Analysis
        Identifying and Assessing Benefits
        Security RoI
        Return on Security Investment
        Security Costs
        Cloud RoI
        Challenges in Cloud Computing Benefit Analysis
        Operational Density
    Governance and Compliance
        Cloud Industry Forum, Code of Practice for Cloud Service Providers
        NZ Cloud Computing Code of Practice
        SAS70/SSAE-16/ISAE 3402 Standards
        The Cloud Security Alliance
        CloudAudit
        CSA Cloud Control Matrix
        Consensus Assessments Initiative Questionnaire
        The CloudTrust Protocol
        The CSA Security, Trust & Assurance Registry (STAR)
        FedRAMP
        Australian Government Better Practice Checklist
        DSD Cloud Computing Security Considerations
        NIST Guidelines on Security and Privacy in Public Cloud Computing
        NIST Cloud Computing Synopsis and Recommendations
    Security
        Location
        Jurisdiction and Sovereignty
        Service Level Agreements (SLAs)
        Virtualisation
        Authentication and Access
        Systems Management
        Incident Management
        Data Loss Prevention
        Cloud Specific Risks and Threats
        Multi-Tenancy
        Data Mobility and Control
        Data Remanence
        Data Privacy
        Encryption
        Staff
        Unwinding contracts & decommissioning
        Archiving
        Data destruction
        Conclusion
    Appendix A - A Brief History of Virtualisation and Cloud
        Virtualisation
        The Development of the Concept of Cloud
    Appendix B - Acronyms and Abbreviations
    Appendix C - Biography

    List of Tables

    Table 1 - Services moving to the Cloud
    Table 2 - Cloud Adoption Potential Benefits and Risks
    Table 3 - RoI Calculations
    Table 4 - Generic Cost Categories
    Table 5 - Cloud Computing Timeline

    List of Figures

    Figure 1 - Yankee Group 2011 Cloud Revenue Forecast
    Figure 2 - Virtualisation Challenges
    Figure 3 - IT Service Migration
    Figure 4 - The Five Types of Cloud Adopters
    Figure 5 - Cloud Computing Stack
    Figure 6 - The Extended Cloud Computing Stack
    Figure 7 - Cloud Industry Forum: Vanson Bourne research poll
    Figure 8 - Application Compatibility
    Figure 9 - Cloud Service Model Selection
    Figure 10 - Cost Dimensions
    Figure 11 - Hosting Environment Analysis
    Figure 12 - Workload Density
    Figure 13 - Control Boundaries
    Figure 14 - Service Level Expectations
    Figure 15 - Attacks on Virtualised Environments
    Figure 16 - OSX.Crisis Digital Certificate
    Figure 17 - OSX.Crisis Propagation
    Figure 18 - Encryption Continuum
    Figure 19 - Cloud Archive and Backup Options


    Introduction

    There is much concern and a great deal of caution in the use of cloud services and the hosting of critical data in the cloud. Gartner describes organisations using cloud services as early adopters and fast followers, the terminology indicating the immaturity of cloud services. Many early adopters are driven by the need for performance, scalability, resource sharing[1] and cost saving.

    It is not unusual for organisations to start with a small, private cloud, allowing technical and security architectures, management processes and security controls to be developed and tested. These organisations then use non-critical data, for example email services and other similar applications, in a hybrid private and public cloud environment[2].

    While there has been some discussion of the technical risks of cloud computing, less attention has been paid to the strategic, governance and management risks. The responsibility for cloud security remains with the customer even though services may have been contracted to the cloud service provider. Cloud service providers will invariably seek to limit liability and any compensation or penalties through carefully worded service contracts.

    Much has been made of the operational cost savings related to cloud, particularly the lower unit cost of public cloud. Less obvious are the several risks and the related cost of managing risk to an acceptable level. While valuable work in mapping the cloud risk landscape has been done by organisations such as the Cloud Security Alliance[3], NIST[4] and the UK's Cloud Industry Forum[5], the extent of the risk landscape continues to evolve and expand.

    The subject of security architecture and security controls, while explored in this paper, is not analysed or discussed in detail. This paper seeks to encapsulate aspects of cloud risk and related work in order to present a comprehensive view of the benefits, issues and risks in cloud computing.

    [1] Securing the Cloud, F5 White Paper, Peter Silva, http://www.f5.com/pdf/white-papers/securing-the-cloud-wp.pdf
    [2] Gartner: Don't Trust Cloud Provider to Protect Your Corporate Assets, Brandon Butler, CIO, http://www.cio.com/article/print/707053
    [3] Cloud Security Alliance, https://cloudsecurityalliance.org/
    [4] National Institute of Standards and Technology, NIST Cloud Computing Program, http://www.nist.gov/itl/cloud/index.cfm
    [5] Cloud Industry Forum, http://www.cloudindustryforum.org/


    The Cloud Computing Market

    Cloud computing is an emerging market, although the underlying technologies are well known and individually understood. It is the combination of these technologies that is new to the market. A brief history of virtualisation and cloud is provided in Appendix A.

    A 2011 forecast by the Yankee Group[6] provides a conservative view, excluding small businesses and sole proprietors from infrastructure as a service and platform as a service because their analysts believe the typical small business has little or no need for those services. An interesting aspect is the domination of Software as a Service (SaaS) over Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

    Figure 1 - Yankee Group 2011 Cloud Revenue Forecast

    More recently, the cloud computing market has been forecast to represent an estimated US$240 billion in revenue by 2016, up from an estimated US$77 billion in 2011[7]. In March 2011, IBM's CEO, speaking at IBM's annual investor meeting, stated that he expected the company to generate US$7 billion in cloud computing revenues by 2015 as well as capturing 25% of the cloud services market.

    There is a view that small and medium-sized businesses (SMBs) provide the greatest opportunity for public cloud offerings. McKinsey has predicted that the combined market for global cloud services will be between US$65 billion and US$85 billion by 2015, 60% of which will be SMBs[8].

    [6] Global Cloud Computing Revenue Forecast, Gary Kim, IP Carrier, http://ipcarrier.blogspot.co.nz/2011/01/global-cloud-computing-revenue-forecast.html#!/2011/01/global-cloud-computing-revenue-forecast.html
    [7] How Big Will Cloud Computing Revenues Be in 2016?, Gary Kim, December 19, 2011, http://www.tmcnet.com/topics/articles/246856-how-big-will-cloud-computing-revenues-be-2016.htm
    [8] Winning in the SMB Cloud: Charting a path to success, Diamadi et al, McKinsey & Company, July 2011, http://www.mckinsey.com/client_service/high_tech/latest_thinking/winning_in_the_smb_cloud


    The growth in cloud computing is also likely to bring significant change to the industry. Gartner sees low-cost cloud services disrupting traditional IT in the same way that low-cost air carriers, like Ryanair and Southwest, disrupted the major commercial airlines. It is likely, however, that a large portion of this anticipated revenue growth will be redirected and scavenged from other revenue streams. The structure of the cloud market is also predicted to shift radically, with Gartner forecasting that new, low-cost cloud services will cannibalise up to 15 per cent of the current top outsourcing players' revenue by 2015[9].

    There are a number of publicly available cloud service provider lists, including those from Microsoft[10], Cloud Computing Journal[11] and the top 100 from Talkin' Cloud[12]. Some overseas governments are also starting to provide lists of approved cloud service providers[13,14,15].

    Evolution from virtualisation to cloud

    A common perception is that cloud naturally follows virtualisation and that cloud will make things better, cheaper, faster! The perceived inevitability is common in business cases and vendor literature and is supported by the extolled benefits of agility, cost saving and efficiency. Unfortunately, while the benefits are described in great detail, the related costs and risks are not as well described or analysed. The complexity of cloud migration has also been described as being "airbrushed"[16] to minimise the risks and difficulties.

    It is important that early steps are taken to manage the transition to virtualisation and then to cloud, in order to avoid the creation of a substantially more complex, fragile and inflexible infrastructure. A common outcome is that organisations reach a point where their skills, tools and operational processes are overwhelmed by virtual machine sprawl, unpredictability and operational complexity. The key challenges to virtualisation are highlighted in a recent survey[17] and illustrated in Figure 2 below.

    Clearly the move from legacy systems through virtualisation and then to cloud must be carefully assessed, planned, understood and managed if the benefits of cloud computing are to be realised. A useful guide to important questions on cloud migration is provided in the document "27 Tips for Buying Cloud Services" by Christopher Wilson[18].

    [9] Gartner's 2012 predictions: growing cloud, bursting social bubble, Ann Bednarz, 5 December 2011, ITBusiness.ca, http://www.itbusiness.ca/it/client/en/home/news.asp?id=65208
    [10] Microsoft Hosting, Cloud Service Providers List, http://www.microsoft.com/hosting/en/us/catalogs/cloud-providers.aspx?page=1
    [11] Top Cloud Computing Enablers Gaining Mind Share in 3Q 2011, Ray Depena, 12 October 2011, http://cloudcomputing.sys-con.com/node/2003354
    [12] Top 100 Cloud Services Providers (CSPs) List And Research, Talkin' Cloud, http://www.talkincloud.com/tc100/
    [13] Hong Kong releases list of accredited government public cloud services providers, eGov Innovation Editors, 01 June 2012, http://www.enterpriseinnovation.net/content/hong-kong-releases-list-accredited-government-public-cloud-services-providers
    [14] CloudBook Government Clouds, http://www.cloudbook.net/directories/gov-clouds/government-cloud-computing.php
    [15] Government launches G-Cloud store with 257 cloud computing suppliers, Rosalie Marshall, V3.co.uk, 20 February 2012, http://www.v3.co.uk/v3-uk/news/2153551/government-launches-cloud-store-257-cloud-computing-suppliers
    [16] From virtualisation to private cloud, Andrew Buss, The Register, 24 July 2012, http://www.theregister.co.uk/2012/07/24/private_cloud_study
    [17] From virtualisation to private cloud - Small steps to big results, Andrew Buss, Freeform Dynamics Ltd, July 2012, http://whitepapers.theregister.co.uk/paper/download/delayed/2520/from-virtualisation-to-private-cloud.pdf
    [18] 27 Tips for Buying Cloud Services, Christopher Wilson, CloudProvider, April 2012, http://www.cloudproviderusa.com/wp-content/uploads/2012/04/27-Tips-for-buying-cloud-IaaS.pdf


    Figure 2 - Virtualisation Challenges

    A move to cloud is also expected to fundamentally change the way that IT is managed and run within an organisation. A recent report from Accenture identified five ways a move to cloud will change the way organisations run IT[19]:

    1. IT must evolve to secure its future in a cloud-enabled business;
    2. IT must shift its focus from building bespoke systems to selecting and managing pre-configured components;
    3. IT must become the data custodian for the entire business;
    4. IT must evolve into a role as a service director and integrator; and
    5. IT must adopt a new operating model for the cloud era.

    This evolution of services is depicted in Figure 3 below:

    [19] High Performance IT Insights: Five ways the cloud will change the way you run IT, Accenture, 2012, http://www.accenture.com/SiteCollectionDocuments/PDF/Accenture-Five-Ways-Cloud-Change-Way-You-Run-IT.pdf


    Figure 3 - IT Service Migration

    A key point is that use of cloud services is likely to create fundamental change in organisational structures, technology management and risk management, and will encompass the entire organisation from users to executives.

    Adoption Patterns

    With the growth in interest and adoption of cloud technologies, patterns of adoption are starting to emerge. A 2011 analysis by Bain & Company[20] identified five types of cloud adopters, illustrated in Figure 4 below:

    Figure 4 - The Five Types of Cloud Adopters

    [20] The five faces of the cloud, Michael Heric, Ron Kermisch and Stephen Bertrand, Bain & Company, 2011, http://www.bain.com/Images/BAIN_BRIEF_The_five_faces_of_the_cloud.pdf


    Bain holds the view that all types will fully adopt cloud technologies at some time, although the rate of adoption and service model will vary significantly. While Transformational organisations currently have the highest adoption rates, Heterogeneous organisations are expected to match that rate within three years. Safety-conscious organisations will adopt more slowly, but at twice the size. Price-conscious organisations are forecast to have adoption rates quadruple as prices fall, with a focus on cheaper public cloud offerings. Finally, Slow and Steady organisations will see meaningful adoption over the next three years.

    Technology performance and maturity

    Cloud as a technology

    Although Cloud is a relatively immature technology, there have been many predictions over the last few years on the fundamental shift in computing paradigms Cloud will bring. For example, a 2008 report from The Economist predicted that "Computing power will become more and more disembodied and will be consumed where and when it is needed"[21]. This report also predicted that "cloud computing is more than just another platform shift. It will undoubtedly transform the IT industry, but it will also profoundly change the way people work and companies operate."

    Early in 2010, Gartner predicted that by 2012, 20 percent of businesses would own no IT assets[22]. Gartner has reported that the cloud services market grew to US$68.3 billion in 2010, a 16.6 percent increase on 2009 revenues. Gartner also predicts that by 2014, cloud services revenue will grow to US$148.8 billion worldwide. While Gartner's 2012 prediction may now be seen as overstated, the growth in cloud services is apparent.

    Computerworld forecasts that IT organisations will find that achieving the full benefits of Cloud requires new architectures. They also predict that IT operations will be challenged with essential process re-engineering, managing the dynamic application topologies and managing the total number of applications an organisation wants to run[23].

    The commercialisation of cloud services can be traced to 1998 when CloudProvider offered an early form of Infrastructure as a Service (IaaS). Since then there has been steady growth in the number of service providers, albeit with most offering IaaS.

    Many of the larger technology organisations are now offering commercial cloud services, and IBM, Microsoft, Oracle and HP all offer cloud products and services. This is a strong indication that today cloud computing has become mainstream[24], although it can still be considered an emerging technology.

    [21] A survey of corporate IT - Let it rise, The Economist, 23 October 2008, http://www.economist.com/node/12411882
    [22] Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond, Gartner, 13 January 2010, http://www.gartner.com/it/page.jsp?id=1278413
    [23] Cloud Computing: 2011 predictions, Bernard Golden, 13 December 2010, http://www.computerworlduk.com/in-depth/cloud-computing/3253266/cloud-computing-2011-predictions/
    [24] A Brief History of Cloud Computing, Rick Blaisdell, CloudTweaks, http://www.cloudtweaks.com/2011/10/a-brief-history-of-cloud-computing/


    Cloud Standards

    Many technology and technology management standards exist and there is continuing work on the convergence and coherence of ISO, ITU and respective national standards. There is still complexity and some confusion, and with the many forecasts and prognostications on Cloud it became apparent that some standardisation, at least of the description and definition of Cloud, was essential.

    In January 2011, NIST defined cloud computing in terms of five essential characteristics, three service models and four deployment models[25]. The essential characteristics are:

    - On-demand self-service;
    - Broad network access;
    - Resource pooling;
    - Rapid elasticity; and
    - Measured service.

    The four deployment models are:

    - Private cloud;
    - Community cloud;
    - Public cloud; and
    - Hybrid cloud.

    The service models are often likened to a stack with three generally accepted components[26]. This is illustrated in Figure 5 below.

    Figure 5 - Cloud Computing Stack

    [25] The NIST Definition of Cloud Computing (Draft), Special Publication 800-145 (Draft), National Institute of Standards and Technology, http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
    [26] Understanding The Cloud Computing Stack: SaaS, PaaS, IaaS, Ben Kepes, Diversity Limited, http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Understanding-the-Cloud-Computing-Stack.pdf


    In general terms the cloud computing stack can be described as:

    - Software as a Service (SaaS): applications designed for end-users, often delivered using web technologies or over the Internet;
    - Platform as a Service (PaaS): tools and services designed for the quick and efficient coding and deployment of applications; and
    - Infrastructure as a Service (IaaS): the underlying hardware and software, such as servers, storage, networks and operating systems. Virtualisation exists at the IaaS layer.

    Buzzwords are widely used in IT and, in addition to the terms described in the published standards, vendors have created a further layer of terms to describe specific services, for example Identity as a Service (IDaaS), Security as a Service (SecaaS) and Business Process as a Service (BPaaS). Australia's Defence Signals Directorate (DSD) has noted that "A vendor adding the words cloud or as a Service to the names of their products and services does not automatically mean that the vendor is selling cloud computing as per the NIST definition"[27]. It is also important to note that the additional terms and acronyms are contextual and may have limited acceptance. This hierarchy is illustrated in Figure 6 below[28]:

    Figure 6 - The Extended Cloud Computing Stack

    27 Cloud Computing Security Considerations, Initial Guidance 6/2011, Cyber Security Operations Centre, Australian Government Department of Defence, 12 April 2011, http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
    28 Cloud computing in Australia - An evolution, not a revolution, Accenture, 2012, http://www.accenture.com/au-en/Pages/insight-cloud-computing-australia.aspx?c=tek_nzcldpsgs&n=g_Cloud_Services_-_Adoption-_NZ/a_0_k/cloud_adoption&KW_ID=sqyKw33uH|pcrid|13149252396



    Key Drivers

    In today's environment of financial constraint, partly triggered by an economic downturn, organisations are closely examining operational costs, system utilisation, efficiency and availability, and the means to grow and expand business. Changes in the economic and regulatory environment are also driving a need for improved security and greater data storage capacity.

    Almost all organisations have a high dependency on technology and information systems, and operational efficiency and availability are fundamental to the success of an organisation. They are seeking IT services and an architecture that are reliable, flexible, responsive and low-cost. As a business imperative, the apparent operational effectiveness of cloud computing is compelling.

    There have been several cyclical trends in seeking cost savings and improved performance, including centralisation of data operations and outsourcing. Outsourcing has often failed to deliver the promised cost savings, and service quality and operational responsiveness have also degraded. In seeking to manage outsourced services effectively, many organisations have employed IT Service Management and other best practices to reduce risk. Unfortunately, a consequence is often increased overhead and reduced flexibility and agility29.

    Organisations have also explored virtualisation, only to find increased complexity and the phenomenon of virtual sprawl. Virtual sprawl is a generic term used to describe the unplanned and uncontrolled proliferation of virtual machines in a virtualised environment. Some of these characteristics are a result of poor establishment processes and poor virtual machine (VM) management. This can result in unnecessary power consumption, misallocation of physical machine resources, and increased cost of VM and software application licences. There are several aspects to virtual sprawl, including30:

    Underutilised or unused VMs

    Offline VMs

    Orphan or unauthorised VMs

    Out of Inventory VMs (Invisible Inventory)

    Resource Sprawl (Over-Provisioning)

    Excess Snapshots
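The six sprawl categories listed above can be checked mechanically by reconciling what the hypervisor reports against the CMDB and the storage listing. The script below is an added example and is not from the report; the thresholds, field names and sample inventory are assumptions chosen for illustration.

```python
"""Reconcile a hypervisor's VM list against a CMDB and a datastore listing,
flagging the six virtual-sprawl categories named in the report.

All thresholds (CPU %, idle days, snapshot limits) are assumptions chosen for
illustration; the inventory below is constructed, not real."""
from dataclasses import dataclass, field

# Assumed policy thresholds; tune to the environment.
IDLE_CPU_PCT = 5.0          # 30-day average CPU below this => underutilised
OFFLINE_DAYS = 30           # powered off at least this long => offline sprawl
OVERPROVISION_RATIO = 0.25  # peak use under 25% of allocation => over-provisioned
MAX_SNAPSHOTS = 3           # more snapshots than this => excess
MAX_SNAPSHOT_AGE_DAYS = 14  # any snapshot older than this => excess


@dataclass
class VM:
    name: str
    powered_on: bool
    avg_cpu_pct: float          # 30-day average CPU utilisation
    days_since_power_off: int   # 0 when powered on
    vcpus: int                  # vCPUs allocated
    peak_vcpus_used: float      # peak vCPU demand observed
    snapshots: list = field(default_factory=list)  # snapshot ages in days


def classify_sprawl(hypervisor_vms, cmdb_names, datastore_folders):
    """Return {category: sorted list of VM or folder names}.

    hypervisor_vms:    VMs registered with the hypervisor
    cmdb_names:        VM names recorded (and therefore authorised) in the CMDB
    datastore_folders: VM folder names found on shared storage
    """
    registered = {vm.name for vm in hypervisor_vms}
    findings = {
        "underutilised_or_unused": [],
        "offline": [],
        "orphan_or_unauthorised": [],
        "out_of_inventory": [],
        "resource_sprawl": [],
        "excess_snapshots": [],
    }
    for vm in hypervisor_vms:
        if vm.powered_on and vm.avg_cpu_pct < IDLE_CPU_PCT:
            findings["underutilised_or_unused"].append(vm.name)
        if not vm.powered_on and vm.days_since_power_off >= OFFLINE_DAYS:
            findings["offline"].append(vm.name)
        if vm.name not in cmdb_names:
            findings["orphan_or_unauthorised"].append(vm.name)
        if vm.powered_on and vm.peak_vcpus_used < OVERPROVISION_RATIO * vm.vcpus:
            findings["resource_sprawl"].append(vm.name)
        if len(vm.snapshots) > MAX_SNAPSHOTS or any(
            age > MAX_SNAPSHOT_AGE_DAYS for age in vm.snapshots
        ):
            findings["excess_snapshots"].append(vm.name)
    # VM folders on storage with no registered VM: "invisible inventory" that
    # consumes space and possibly licences while appearing in no console.
    findings["out_of_inventory"] = list(set(datastore_folders) - registered)
    return {category: sorted(names) for category, names in findings.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_VMS = [
    VM("web-01", True, 42.0, 0, 4, 3.1, [2]),
    VM("db-01", True, 35.0, 0, 8, 1.0, []),              # 8 vCPU allocated, peak 1 used
    VM("test-old", False, 0.0, 95, 2, 0.0, [40, 120]),   # off for months, stale snapshots
    VM("jdoe-sandbox", True, 1.2, 0, 2, 0.1, []),        # idle, not in CMDB
    VM("build-02", True, 60.0, 0, 4, 3.8, [1, 3, 5, 9]),  # four snapshots
]
SAMPLE_CMDB = {"web-01", "db-01", "test-old", "build-02"}
SAMPLE_FOLDERS = {"web-01", "db-01", "test-old", "jdoe-sandbox",
                  "build-02", "legacy-fileserver"}

if __name__ == "__main__":
    for category, names in classify_sprawl(SAMPLE_VMS, SAMPLE_CMDB, SAMPLE_FOLDERS).items():
        print(f"{category:26s} {', '.join(names) or '-'}")
```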

    A 2011 UK poll of 450 organisations, conducted by Vanson Bourne on behalf of the Cloud Industry Forum31, indicated that flexibility was the principal driver for the adoption of cloud technologies, followed by cost savings. Key findings are illustrated in Figure 7 below.

    29 Private Cloud: A Technical Perspective, Microsoft Corporation, 2012, http://technet.microsoft.com/en-us/cloud/hh147296.aspx
    30 Virtual Sprawl Is Not the Real Problem, David M. Lynch, 09 February 2010, Virtualization Journal, http://virtualization.sys-con.com/node/1278730
    31 Primary Drivers for Cloud Adoption in the UK, onestopclick researching hosting solutions, Cloud Industry Forum: Vanson Bourne research poll, July 19, 2011, http://hosting.onestopclick.com/topic/145/439/primary-drivers-for-cloud-adoption-in-the-uk.html



    The poll also found that larger organisations were more likely to name cost savings than small organisations (22% and 10% respectively), and public sector organisations were more likely to name cost savings as a primary driver than those in the private sector (22% and 14% respectively). It is interesting to note that, in spite of economic drivers, Return on Investment (RoI) was reported by only three percent of respondents as a principal driver. It is also interesting to note that 73% of respondents indicated an expected increase in cloud adoption over the next twelve months, but the adoption was spread across a wide range of applications and functions. No respondents indicated a complete move to cloud in the foreseeable future. Table 1 below provides the detail of the areas in which cloud services are expected to increase.

    Figure 7 - Cloud Industry Forum: Vanson Bourne research poll

    A fundamental of cloud adoption is that not all legacy applications are suitable for, or should be moved to, a cloud environment. Many smaller applications will have been developed internally and assume direct access to resources. As such, these smaller applications are rarely suitable for use in a virtualised environment. Some specialist applications require software protection dongles to run. The dongle software protection model is seldom compatible with a virtualised or cloud environment. Application compatibility has been raised in several discussions on cloud, illustrated by the findings of the May 2012 survey32 conducted by Freeform Dynamics, Figure 8 below.

    Figure 8 - Application Compatibility.

    32 Private Cloud in Context: What's it for and where does it fit?, Dale Vile, Freeform Dynamics Ltd, May 2012, http://www.freeformdynamics.com/fullarticle.asp?aid=1534

    [Figure 7 chart data, in legend order: Flexibility 52%; Cost Saving 16%; Low Cost of Adoption 14%; New Service Offering 7%; Skills Gap 6%; RoI 3%; Other 2%]


    These findings are also supported by a Microsoft Operators Channel analysis of cloud adoption by small and medium-sized businesses (SMBs)33. Published in 2012, this research report was based on survey data collected by Edge Strategies Inc. The survey questioned 3,000 SMBs employing between 2 and 250 people across 13 countries worldwide (including Australia but not New Zealand). The Microsoft research identified the following key drivers:

    Economic uncertainty;
    Increasing costs of materials;
    Customer demand;
    Increasing costs of labour;
    Cash flow shortage; and
    Regulatory uncertainty.

    There is some additional evidence that the initial focus on cost savings as a primary driver is being superseded by an acknowledgement that the strategic drivers are of greater importance in the longer term. A report from Accenture on cloud computing in Australia34 commented that, while the promise of expanded capabilities and significant savings remains, the strategic potential is gaining ground. Examples provided include:

    Converged information and communications technology (ICT) services in the communications industry.
    A smart grid/automated meter infrastructure solution in the utilities industry.
    Expanded multichannel retailing and key business operations, including online content, search, point of sale (POS) and data analytics, in the retail industry.

    33 Drivers & Inhibitors to Cloud Adoption for Small and Midsize Businesses, Microsoft Operators Channels, Microsoft Corporation, 2012, http://www.microsoft.com/en-us/news/presskits/telecom/docs/SMBCloud.pdf
    34 Cloud computing in Australia - An evolution, not a revolution, Accenture, 2012, http://www.accenture.com/au-en/Pages/insight-cloud-computing-australia.aspx?c=tek_nzcldpsgs&n=g_Cloud_Services_-_Adoption-_NZ/a_0_k/cloud_adoption&KW_ID=sqyKw33uH|pcrid|13149252396



    Table 1 - Services moving to the Cloud


    The Risks and Benefits of Cloud Computing

    The drivers for cloud adoption often describe the benefits but pay little attention to risks and costs. As with all benefits, however, associated risks should be identified and assessed in order to avoid situations where the value of benefits is outweighed by the cost of managing and mitigating risk and dealing with the consequences of any threat materialising. The adoption of cloud may not be the solution to all organisational requirements, and the degree of cloud adoption will also be influenced by the organisation's risk appetite35.

    A key factor in identifying benefits and risks is the service and deployment model adopted by organisations. Service and deployment models are continuing to evolve as service offerings are developed by vendors and knowledge of pragmatic, robust and secure solutions grows. Irrespective of the combination of service offerings and deployment models, organisations will make basic choices between out-sourced and in-sourced technologies and between buying and building services. This is illustrated in Figure 9 below36:

    Figure 9 - Cloud Service Model Selection

    35 Calculating Cloud RoI: From the Customer Perspective, ISACA, July 2012, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Calculating-Cloud-RoI-From-the-Customer-Perspective.aspx
    36 Private Cloud: A Technical Perspective, Microsoft Corporation, 2012, http://technet.microsoft.com/en-us/cloud/hh147296.aspx



    An additional factor in the choice of service model is the required degree of growth and scalability. Inevitably this will come at a cost. Many public clouds use metering of resources as a basis for charging. Conversely, a private cloud service model will provide greater scalability than a legacy environment without the public cloud metering charges37. The trade-off is that private clouds are, theoretically, limited in capacity compared with public clouds.

    The Risks of Cloud Services

    While the cost savings have been the most visible and best promoted perceived benefit of cloud services, the risks of cloud have not been comprehensively identified and are less well understood. As with all technologies, informed risk decisions are fundamental to rational adoption and to safeguarding the interests of the organisation and its stakeholders. In 2010, the Cloud Security Alliance (CSA) published a summary of the top threats to cloud computing38. This summary listed mainly technical threats and vulnerabilities. A more detailed publication from CSA, Security Guidance for Critical Areas of Focus in Cloud Computing39, deals with architectural, governance and operational risks and challenges. Taking these and other sources into account, the principal categories of risks of cloud services include:

    Technology performance and maturity;

    Organisational requirements;

    Poor architectural design;

    Cost models;

    Multi-domain nature of cloud;

    Governance and compliance;

    Security;

    Privacy;

    Staff; and

    Unwinding contracts & decommissioning.

    The organisation's business model may encompass consideration of authentication, data security, privacy, availability, continuity, connection to internal systems and ownership issues. The Cloud Security Alliance has defined security categories of service, providing ten categories of security service in a cloud environment and identifying core functionalities, challenges (risks) and threats40.

    Ownership is an important consideration in a cloud or virtualised environment, covering aspects such as:

    Data ownership at each stage of processing, storage and retrieval;
    Data recovery, for example with changes in ownership of the service provider and more particularly if the service provider ceases trading;
    Data remanence: there is no clear standard for the recycling of memory/disk, and copies of data may remain in the cloud service provider's backups;

    37 The Benefits of Private Clouds, CDW / VMware, http://resources.itworld.com/ccd/assets/26090/detail
    38 Top Threats to Cloud Computing V1.0, Cloud Security Alliance, March 2010, https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
    39 Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, Cloud Security Alliance, 2011, https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
    40 SecaaS, Security as a Service, Defined Categories of Service 2011, Cloud Security Alliance, https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf



    Jurisdiction governing the data at each stage of processing, storage and retrieval;

    Ownership and licensing of the applications;

    Responsibility for security services;

    Responsibility for managing and reporting data breaches; and

    Access to network data for management purposes.

    Changed Business Model

    Adoption of cloud technologies will fundamentally change organisational IT services, service delivery, customer service models and how organisations use IT. Organisations must change their business operating model, and organisational leadership must become conversant with cloud, its risks and how to manage those risks, if the benefits are to be realised. The complexity of a move to cloud must also be understood by business leaders, as this will have a significant effect on risk, cost and the business model itself. Given that a move to cloud is a game-changer in relation to the business operating model, this is a key strategic decision that business owners and senior executives must carefully consider.

    The Benefits of Cloud Adoption

    The potential advantages of and risks related to the adoption of cloud technologies are summarised in Table 2 below41,42,43,44,45,46,47,48. These can be categorised into five key areas:

    1. Financial;
    2. Operations;
    3. Security;
    4. Regulatory and Legal; and
    5. Staff.

    Associated with each group are a series of risks. It should be noted, however, that the cloud service model selected will have a significant influence on the risk profile, where some risk can be avoided by judicious selection of the cloud service model.

    41 The Pro's and Con's of Cloud, Gen-i, http://www.gen-i.co.nz/Solutions/Cloud/Pages/What-is-Cloud.aspx
    42 Gartner Says Location Is Critical For the Sustainable Future of Outsourced Data Storage and Cloud Services, Gartner Research, http://na2.www.gartner.com/it/page.jsp?id=1732714
    43 Cloud computing in Australia - An evolution, not a revolution, Accenture, 2012, http://www.accenture.com/au-en/Pages/insight-cloud-computing-australia.aspx?c=tek_nzcldpsgs&n=g_Cloud_Services_-_Adoption-_NZ/a_0_k/cloud_adoption&KW_ID=sqyKw33uH|pcrid|13149252396
    44 Addressing Data Security Challenges in the Cloud: The Need for Cloud Computing Security, A Trend Micro White Paper, July 2010, http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_addressing-security-challenges-in-the-cloud.pdf
    45 IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, ISACA, 2011, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx
    46 The RoI of Cloud Apps, Liz Herbert and Jon Erickson, Forrester Research, 23 June 2011, http://resources.idgenterprise.com/original/AST-0062511_The_RoI_Of_Cloud_Apps.pdf
    47 An Essential Guide to Possibilities and Risks of Cloud Computing, Maria Spinola, June 2009, http://www.mariaspinola.com/whitepapers/An_Essential_Guide_to_Possibilities_and_Risks_of_Cloud_Computing-A_Pragmatic_Effective_and_Hype_Free_Approach_For_Strategic_Enterprise_Decision_Making.pdf
    48 Calculating Cloud RoI: From the Customer Perspective, ISACA, July 2012, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Calculating-Cloud-RoI-From-the-Customer-Perspective.aspx



    Quantifying and monetising risk is more challenging, particularly as there is likely to be little historical data, and any analogues are notoriously organisation specific and therefore unreliable indicators when applied to other organisations or industry sectors.

    Cost models and modelling should, therefore, be carefully examined to ensure they are rational, pragmatic, as complete as possible and will support executive decision making.

    Cloud specific cost benefits may include:

    1. Cost reduction by reducing lost opportunities caused by delays in market responsiveness and the lack of flexibility. Flexibility allows organisations to create new capabilities to take advantage of opportunities in a faster and more cost-effective manner.
    2. Reducing Total Cost of Ownership (TCO) by commoditising IT requirements and reducing the levels of expertise necessary to manage and run IT systems within an organisation.
    3. Cost savings through consolidation of infrastructure and reducing total support costs.
    4. Cost savings from labour and application development, support and licensing costs.
    5. Improved margin and cost control through more accurate right-sizing of IT resources.
    6. Flexibility to enable rapid and dynamic provisioning and retirement as operational needs change.
    7. Flexibility and dynamic provisioning can foster process improvement by allowing low-cost investment in new processes.
    8. Reduction in capital investment.

    While a great deal has been made of the cost savings of cloud, much will depend on the service model adopted. A 2011 benchmark study by the Aberdeen Group reported that private cloud delivers twelve percent combined annual cost savings over public cloud on a per-application basis49. There is great reliance on cost modelling as a basis for decision making, so it is vital that the cost analysis is as complete as possible, dealing with both cost savings (operational efficiency) and cost avoidance (better security, resilience and compliance).

    49 Security and Cloud: Private, or Public?, Derek Brink, Aberdeen Group, September 2011, http://www.aberdeen.com/aberdeen-library/6832/RA-private-public-cloud.aspx



    Table 2 - Cloud Adoption Potential Benefits and Risks

    Financial
    Advantages: Opex vs Capex; Lower total operating cost; Pay as you go; Reduced investment in data centre and/or technology assets.
    Risks: Bandwidth cost; Cost model and RoI; Incomplete financial and cost data.

    Operations
    Advantages: Flexibility; Scalability; Agility; Technology performance and maturity; Self-provisioning capability; Efficiency through automation; Reducing waste/energy consumption; Improved availability; Reduction in manual processes.
    Risks: Limited scope for customisation; Bandwidth/capacity; Application performance/sprawl; Data fragmentation/replication; Poor technology performance and maturity; Organisational requirements; Rapid adoption; System resilience; DRP/BCP; Service sizing (operational density); Service orchestration; Incident response and forensics; Vendor lock-in; Interoperability/integration with legacy systems; Legacy application compatibility with cloud; Database load costs/data ingestion; Cloud integration testing; Insecure application programming interfaces (APIs).

    Security
    Advantages: Consolidation; Comprehensive security architecture; Improved system monitoring; Endpoint security overhead reduced and consolidated in the cloud.
    Risks: Multi-tenancy/separation/isolation management; Co-mingling of data; Multi-domain nature of cloud; Data location/residency; Cloud provider security model; Data remanence (operational and backup); No physical control of data; Increased attack surface; Cloud service provider subcontractors; Security architecture; Access and authentication mechanisms; Communications security; Malicious insiders; Account/service/traffic hijack; Maintenance of confidentiality, integrity and availability.

    Regulatory and legal
    Advantages: Environmentally friendly; Improved compliance.
    Risks: Data retention and control; Privacy and export legislation; Governance and compliance; Data ownership; Jurisdiction and sovereignty; Accountability; Auditability; Ability to respond to audit reports; Unwinding contracts & decommissioning.

    Staff
    Advantages: Reduced helpdesk and technical support requirement.
    Risks: Reliance on external support; Loss of internal IT expertise that provided competitive differentiation; Staff education and buy-in.

    Cost Models and Investment Analysis

    In most investment and project initiation stages, stakeholders will want some form of utility analysis. This analysis can provide a number of benefits: building stakeholder support, identifying additional opportunities and helping to prioritise initiatives50. The debate on the economics of a move to the cloud is intense and invariably focused on cost saving, without recognising other important elements in the cost model, including the operational vs. capital expenditure discussion.

    Traditionally an investment analysis has been monetised, although other measures, such as time saved, have been used in analyses. The basis of cost analysis is often a calculation of return on investment (RoI) using one of the commonly used methods outlined in Table 3 below51,52,53,54,55.

    50 Calculating RoI to Realize Project Value, Chris Schweighardt, March 27, 2010, Six Sigma, http://www.isixsigma.com/operations/finance/calculating-roi-realize-project-value
    51 Performance-Based RoI, Karl M. Kapp and Nancy Vasta, Institute for Interactive Technologies, 2003, http://www.karlkapp.com/materials/roi_whitepaper.pdf
    52 Computing The RoI for IT Projects and Other Investments, IT Economics Corporation, 2010, http://iteconcorp.com/RoICalc.html
    53 Methods For Calculating RoI And Bottom-Line Impact, Paul Bernthal, DDI Center For Applied Behavioral Research, http://66.179.232.89/pdf/ddi_methodsforcalculatingroi_wp.pdf
    54 Calculating Return-On Investment, Version 4.0, Kenneth H. Silber, 04/03/02, www.silberperformance.com
    55 Calculating CMMI-Based RoI, Reitzig et al, Software Engineering Institute, Carnegie Mellon University, 2007, http://www.sei.cmu.edu/library/assets/reitzig_07.pdf



    Table 3 - RoI Calculations

    Net Benefit
    Formula: Demonstrates the benefit after considering the cost. Maintains the quantum of cost and benefit.
    Calculation: Benefit - Cost

    Cost Benefit Ratio (CBR)
    Formula: Demonstrates the return for every dollar invested. The quantum of cost and benefit is hidden by the calculation.
    Calculation: Benefits / Costs

    Payback/Break Even
    Formula: A measure of when expenditure and revenue equate.
    Calculation: The point at which benefits (revenue) equal cost/expenditure

    RoI %
    Formula: Demonstrates the percentage of return for every dollar invested when considering cost. The quantum of cost and benefit is hidden by the calculation.
    Calculation: Net Benefits / Cost, as a percentage

    Discounted RoI
    Formula: Similar to RoI% but also takes into account the time value of money using an agreed discount rate. The quantum of cost and benefit is hidden by the calculation.
    Calculation: Net Present Value (NPV) of Benefits / Total Present Value of Cost. Can also use internal rate of return (IRR) or discounted cash flow (DCF) in place of NPV.
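The five Table 3 measures applied to one multi-year stream of costs and benefits, so that the plain and discounted figures can be compared side by side. This is an added example, not from the report: the cash-flow figures, the 8% discount rate and the end-of-year discounting convention are assumptions, and Discounted RoI is read as (NPV of benefits - PV of costs) / PV of costs to match the RoI% row.

```python
"""Table 3 RoI measures over a year-by-year stream of benefits and costs.

The four-year migration figures below are constructed for illustration;
discounting assumes each year's amount falls at the end of that year."""


def net_benefit(benefits, costs):
    """Net Benefit = Benefit - Cost. Keeps the quantum visible."""
    return sum(benefits) - sum(costs)


def cost_benefit_ratio(benefits, costs):
    """CBR = Benefits / Costs: return per dollar invested, scale hidden."""
    return sum(benefits) / sum(costs)


def roi_pct(benefits, costs):
    """RoI% = Net Benefits / Cost, as a percentage."""
    return 100.0 * net_benefit(benefits, costs) / sum(costs)


def payback_year(benefits, costs):
    """Payback/Break Even: first year (1-based) in which cumulative benefits
    reach cumulative costs, or None if that never happens in the horizon."""
    cumulative = 0.0
    for year, (benefit, cost) in enumerate(zip(benefits, costs), start=1):
        cumulative += benefit - cost
        if cumulative >= 0:
            return year
    return None


def present_value(cash_flows, rate):
    """Present value of year-by-year amounts at the agreed discount rate;
    year 1 is discounted once, year 2 twice, and so on (an assumption)."""
    return sum(amount / (1.0 + rate) ** t for t, amount in enumerate(cash_flows, start=1))


def discounted_roi_pct(benefits, costs, rate):
    """Discounted RoI% = (PV of benefits - PV of costs) / PV of costs, as a
    percentage; the time-value adjustment that plain RoI% omits."""
    pv_benefits = present_value(benefits, rate)
    pv_costs = present_value(costs, rate)
    return 100.0 * (pv_benefits - pv_costs) / pv_costs


def roi_summary(benefits, costs, rate):
    """All five Table 3 measures for one investment case."""
    return {
        "net_benefit": net_benefit(benefits, costs),
        "cost_benefit_ratio": cost_benefit_ratio(benefits, costs),
        "payback_year": payback_year(benefits, costs),
        "roi_pct": roi_pct(benefits, costs),
        "discounted_roi_pct": discounted_roi_pct(benefits, costs, rate),
    }


# Constructed four-year case: heavy transition cost in year 1, benefits ramping up.
SAMPLE_COSTS = [60_000, 20_000, 20_000, 20_000]
SAMPLE_BENEFITS = [10_000, 50_000, 55_000, 60_000]
SAMPLE_RATE = 0.08  # assumed agreed discount rate

if __name__ == "__main__":
    for name, value in roi_summary(SAMPLE_BENEFITS, SAMPLE_COSTS, SAMPLE_RATE).items():
        print(f"{name:20s} {value}")
```

Running it shows the point the table makes about the quantum being hidden: RoI% and Discounted RoI% are percentages of the same project, but the discounted figure is noticeably lower because most of the benefit arrives late.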

    There are some generally accepted categories of cost which are included in RoI calculations. There are, however, some additional categories, such as opportunity cost, which may also appear. The lack of standardisation can create difficulties when comparing results with similar organisations or industry norms. Generic categories of cost are outlined in Table 4 below:

    Table 4 - Generic Cost Categories

    Category: Description
    Personnel: Staff, training, recruitment.
    Equipment: Capital purchase and commissioning costs.
    Operating: Overhead/operating costs including outsourcing.
    Transition: Any switch-over, parallel running and decommissioning costs.
    Project Costs: Design, consultants and other one-time costs which would not otherwise be incurred.
    Opportunity Costs: Any lost opportunities through commitment of funds, availability of staff etc.


    Identifying and Assessing Benefits

    Identifying and assessing benefits can be the most difficult and controversial part of an RoI calculation. RoI models are inherently deterministic, in that the underlying assumption is that all or most key values will be identified and measured. As benefits can be tangible (reduced cost of operating) and intangible (improved customer satisfaction), it should be remembered that benefit assessment is not precise. Often there is little quantitative data to support a benefits assessment and, in some cases, historical data and precedent may be of little value. There are also likely to be several subjective elements and estimates included in the overall assessment, which are difficult to monetise.

    It is important to be pragmatic as invariably time and resources are limited, as may be the available data. Rational assumptions are often part of such analyses, but it is important to validate these assumptions and ensure that they do not outweigh the available data.

    Security RoI

    The RoI of security is often difficult to determine as security is a cost of doing business, but security does not, in and of itself, generate revenue or returns. It can, however, deliver significant benefits in the form of cost savings from not having to deal with the consequences of security and privacy breaches, information and intellectual property loss (and so lost opportunities) and recovery.

    Return on Security Investment The concept of Return on Security Investment (RoSI) has been proposed as a variation of the RoI

    concept to more accurately deal with the benefits of security investment and the lack of direct revenue

    generation. RoSI is defined in terms of the value of the risk mitigation, less the cost of the security

    measure, therefore deriving and monetising the benefit. The investment in security is judged to be

    profitable, if the value of the risk mitigation is greater than the expected cost56

    .

    RoSI = monetary risk mitigation - cost of security control

    Alternatively RoSI can be expressed using the following formula57

    :

    ((Risk Exposure x %Risk Mitigated) Cost of Security) Solution Cost

A simple example is illustrated below. Assuming:

Estimated cost of damage $25,000 per successful malware attack
4 malware attacks annually
Cost of security measure is $25,000
Effectiveness of security measure = 75% (3 out of 4 malware attacks)

Then the risk exposure is: 25,000 x 4 = 100,000. Applying the formula:

((100,000 x 75%) - 25,000) / 25,000 = 200%
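The two RoSI forms quoted above, carried through in code. This is an added example and not part of the original paper; the class, method and field names are this example's own. It reproduces the paper's worked figures ($25,000 per attack, four attacks a year, a $25,000 control stopping three of four attacks) and goes one step further than the text by deriving the break-even effectiveness, the mitigation rate below which the control no longer pays for itself.

```python
"""Return on Security Investment (RoSI) calculator.

Added example, not code from the paper. Implements the net-benefit form
(risk mitigation value minus control cost) and the ratio form
((Risk Exposure x %Risk Mitigated) - Cost of Security) / Solution Cost,
and checks them against the paper's own worked numbers, which are used
here as constructed sample inputs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInvestment:
    cost_per_incident: float    # estimated damage of one successful incident ($)
    incidents_per_year: float   # expected annual frequency of the incident
    control_cost: float         # cost of the security measure over the same period ($)
    mitigation_rate: float      # fraction of incidents the measure prevents (0..1)

    def risk_exposure(self) -> float:
        """Expected annual loss before the control is applied (cost x frequency)."""
        return self.cost_per_incident * self.incidents_per_year

    def monetary_risk_mitigation(self) -> float:
        """Value of the loss the control is expected to avert."""
        return self.risk_exposure() * self.mitigation_rate

    def rosi_net(self) -> float:
        """RoSI = monetary risk mitigation - cost of security control, in dollars."""
        return self.monetary_risk_mitigation() - self.control_cost

    def rosi_ratio(self) -> float:
        """RoSI = ((Risk Exposure x %Risk Mitigated) - Cost of Security) / Solution Cost.

        Returned as a fraction of the solution cost; 2.0 corresponds to 200%.
        """
        if self.control_cost <= 0:
            raise ValueError("solution cost must be positive")
        return self.rosi_net() / self.control_cost

    def breakeven_mitigation_rate(self) -> float:
        """Mitigation rate at which RoSI is exactly zero.

        Below this effectiveness the control costs more than the loss it averts.
        """
        if self.risk_exposure() <= 0:
            raise ValueError("risk exposure must be positive")
        return self.control_cost / self.risk_exposure()


# Constructed sample input: the paper's worked malware example.
PAPER_EXAMPLE = SecurityInvestment(
    cost_per_incident=25_000,
    incidents_per_year=4,
    control_cost=25_000,
    mitigation_rate=0.75,
)

if __name__ == "__main__":
    inv = PAPER_EXAMPLE
    print(f"risk exposure:            ${inv.risk_exposure():,.0f}")
    print(f"risk mitigation value:    ${inv.monetary_risk_mitigation():,.0f}")
    print(f"RoSI (net):               ${inv.rosi_net():,.0f}")
    print(f"RoSI (ratio):             {inv.rosi_ratio():.0%}")
    print(f"break-even effectiveness: {inv.breakeven_mitigation_rate():.0%}")
```

For the paper's figures the ratio form returns 2.0 (200%) and the break-even effectiveness is 25%: a control that stopped only one attack in four would merely recover its own cost. Treating mitigation rate and incident frequency as inputs makes it straightforward to re-run the calculation when, as the following paragraphs note, those estimates rest on thin historical data.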

[56] Methodologies For Evaluating Information Security Investments - What Basel II Can Change In The Financial Industry, Christian Locher, University of Regensburg, http://is2.lse.ac.uk/asp/aspecis/20050136.pdf

[57] Return On Security Investment (ROSI): A Practical Quantitative Model, Wes Sonnenreich, SageSecure, LLC, http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf


While this approach has some limitations in that security risks cannot be viewed in isolation, it does provide a more rational view of the benefit to an organisation, compared with traditional RoI approaches. It must also be recognised that security elements are invariably interactive and no one element is completely effective in isolation. They all rely, to some degree, on the effectiveness of complementary security measures. In addition, security measures must be dynamic and able to respond to a changing technology and threat environment or risk becoming less effective over time. Security risk assessments are therefore invariably based on short timeframes. It is difficult to calculate all the costs related to the potential damage of an incident because of the complexity of effect, which may include [58]:

The scope of the potential incident and which locations, business units and processes would be affected;
The cost of purchasing equipment, goods and materials that were damaged by the incident;
The staff cost of investigating and resolving the incident;
Any consequential legal and/or contractual penalties or consequences, e.g. a privacy breach; and
Lost revenues, from your existing and potential clients.

Of greater difficulty, however, is the ability to estimate the likelihood of such incidents because there is rarely any useful historical data to support such estimates.

Researchers at MIT and Stanford have reported that returns on security investment are higher when incorporated early into design and development [59]. The implication is that early incorporation of security can significantly affect the RoSI calculation. For example, in systems development there is a:

21% return on your security investment at the software design phase;
15% return at the implementation stage; and
12% return at the testing stage.

It is clear from these findings that early inclusion of security into overall design is beneficial.

These points have been emphasised in ISACA's G41 Return On Security Investment (ROSI), IT Audit and Assurance Guideline [60] in describing the requirements for a security metrics programme to support any investment modelling and decision making. In particular:

Metrics must yield quantifiable information such as percentages, averages and numbers;
Data supporting metrics must be readily available;
Only a repeatable process must be considered for measurement;
Metrics must be useful for tracking performance and directing resources; and
Metrics should not be expensive or laborious to gather.

[58] Is it possible to calculate the Return on Security Investment (ROSI)?, Dejan Kosutic, 13 June 2011, http://blog.iso27001standard.com/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/

[59] Calculating Return on Security Investment, Scott Berinato, 15 February 2002, CIO Magazine, http://www.cio.com/article/30856/Calculating_Return_on_Security_Investment_

[60] G41 Return On Security Investment (ROSI), 05 February 2010, ISACA, http://www.isaca.org/Knowledge-Center/Standards/Documents/G41-ROSI-5Feb10.pdf


Security metrics may include several characteristics such as:

Implementation metrics: measure the implementation of the security policy;
Effectiveness/efficiency metrics: measure results of security solutions; and
Impact metrics: measure impact on business due to security events.
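One metric from each of the three categories above, computed from constructed sample records so that each is quantifiable and repeatable in the sense the ISACA guideline requires. This is an added illustration, not code or data from the paper or from ISACA; the record fields, the 30-day patch window and the reference date are assumptions made for the example.

```python
"""Security metric examples, one per ISACA G41 category.

Added illustration, not from the paper. Every metric is a pure function of
its input records, so re-running it on the next period's data gives a
comparable figure. All records below are constructed sample data; the
field names, policy window and reference date are assumptions.
"""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 30          # assumed policy: critical patches applied within 30 days
TODAY = date(2012, 9, 10)       # assumed reference date for the measurement

# Constructed asset inventory for the implementation metric.
ASSETS = [
    {"host": "web-01", "patch_released": date(2012, 7, 20), "patched_on": date(2012, 8, 1)},   # on time
    {"host": "web-02", "patch_released": date(2012, 7, 20), "patched_on": None},               # overdue
    {"host": "db-01",  "patch_released": date(2012, 8, 28), "patched_on": None},               # still within window
    {"host": "app-01", "patch_released": date(2012, 7, 20), "patched_on": date(2012, 9, 5)},   # late
]

# Constructed gateway events for the effectiveness metric.
MALWARE_EVENTS = [
    {"id": "EV-1", "blocked": True},
    {"id": "EV-2", "blocked": True},
    {"id": "EV-3", "blocked": False},
    {"id": "EV-4", "blocked": True},
]

# Constructed incident records for the impact metric.
INCIDENTS = [
    {"id": "INC-1", "downtime_hours": 2.5, "direct_cost": 12_000},
    {"id": "INC-2", "downtime_hours": 0.0, "direct_cost": 1_500},
]


def patch_compliance(assets, today=TODAY, window_days=PATCH_WINDOW_DAYS):
    """Implementation metric: share of assets meeting the patching policy.

    An asset complies if it was patched on or before its deadline, or if the
    deadline has not yet passed. Patched late or overdue is non-compliant.
    """
    if not assets:
        raise ValueError("no assets to measure")
    compliant = 0
    for asset in assets:
        deadline = asset["patch_released"] + timedelta(days=window_days)
        if asset["patched_on"] is not None:
            compliant += asset["patched_on"] <= deadline
        else:
            compliant += today <= deadline
    return compliant / len(assets)


def block_rate(events):
    """Effectiveness metric: fraction of malware events the control stopped."""
    if not events:
        raise ValueError("no events to measure")
    return sum(1 for e in events if e["blocked"]) / len(events)


def incident_impact(incidents):
    """Impact metric: (total downtime hours, total direct cost) of security events."""
    hours = sum(i["downtime_hours"] for i in incidents)
    cost = sum(i["direct_cost"] for i in incidents)
    return hours, cost


if __name__ == "__main__":
    print(f"patch compliance: {patch_compliance(ASSETS):.0%}")
    print(f"malware block rate: {block_rate(MALWARE_EVENTS):.0%}")
    hours, cost = incident_impact(INCIDENTS)
    print(f"incident impact: {hours} h downtime, ${cost:,}")
```

On the sample data patch compliance is 50% (two of four assets), the block rate is 75% and the two incidents sum to 2.5 hours of downtime and $13,500 of direct cost. The block rate is the same quantity the RoSI worked example calls effectiveness of the security measure, which is how a metrics programme feeds the investment model.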

The ISO/IEC 2700x suite of Information Technology standards is widely accepted and has been developed and refined over a number of years. In general terms the standards are risk-based and require a management system approach for information security [61]. This includes the determination and collection of security metrics, which is supportive of benchmarking and benefit analysis, as well as providing a consolidated view of an organisation's information security. The difficulty of examining security measures in isolation remains because of the complex interaction of such measures.

In spite of the difficulties, there are some clear advantages in using RoSI over RoI to support investment decisions in that it is risk based; it recognises that security investments rarely generate direct returns and it presents results in a manner that can be easily understood.

Security Costs

There are a number of aspects to security costs that should be recognised when compiling cost data for RoSI calculations in addition to the cost of the security initiative itself. These can also be divided into direct and indirect costs as illustrated in Figure 10 below [62].

    Figure 10 - Cost Dimensions

[61] Information Technology Security Techniques, various standards in the ISO/IEC 2700x series, http://www.iso.org/iso/home/search.htm?qt=27001&published=on&active_tab=standards&sort_by=rel

[62] A Closer Look at Information Security Costs, Matthias Brecht, University of Regensburg, Germany and Thomas Nowey, Krones AG, Neutraubling, Germany, http://weis2012.econinfosec.org/papers/Brecht_WEIS2012.pdf


    There may also be consequential costs such as those:

    Caused by information security incidents;

    Of managing information security;

    Related to information security measures; and

    Costs of capital that are induced by information security risks.

    In order to provide a comprehensive view of the cost and benefit of the security initiative, it is

    important that these several aspects of cost are recognised. In a risk-based analysis, such as RoSI, this

    is a distinct advantage as the avoidance of significant consequential cost increases the benefit value.

Cloud RoI

Virtualisation is often a first step in a move to private cloud and requires careful planning. In common with many IT projects it has the potential to impact an entire organisation. The effect of poor planning and funding is described as virtualisation stall. What is often not factored into benefit calculations is that the ratio of cost related to virtualisation software and virtualisation infrastructure is a little over 10:1. In other words, for every dollar spent on software, another ten to twelve dollars is required for the necessary infrastructure [63].

Cloud Computing introduces some additional difficulties and nuances in the preparation of RoI analyses. It may identify cost reduction, productivity enhancement and revenue transformation benefits, although there may be a large intangible portion to these benefits. Intangibles are difficult to measure and typically manifest over time, rather than being immediately apparent and measurable [64]. Another aspect that is often ignored is the sunk cost of IT infrastructure, particularly where the expected economic life of the assets has several years to run.

Challenges in Cloud Computing Benefit Analysis

As well as challenges in identifying and quantifying cloud benefits, there are particular challenges in analysing the RoI of cloud investment. These can be summarised as:

1. The cost model is often incomplete, there is little supporting data and there is often a narrow interpretation and poor understanding of the limitations of such cost analyses.
2. The cost of connectivity, particularly international traffic, can be difficult to determine without some experimentation.
3. Operational density can be a significant cost determinant.
4. Asset reduction and consolidation can be difficult to measure and may be time-bound.
5. Aligning costs and benefits.
6. Apparent one-time costs that can extend over the life of the initiative.
7. Some costs and benefits will relate to the larger organisation, rather than a specific project.
8. Double counting, for example productivity improvement and the reduction in sales order processing time.
9. Ensuring cloud security provides the requisite degree of assurance, confidentiality, availability and integrity in an organisation's IT systems and data.

[63] How to Avoid the Perils of Virtualization and Cloud Stall, Thor Olavsrud, CIO.com, 10 April 2012, http://www.cio.com/article/703956/How_to_Avoid_the_Perils_of_Virtualization_and_Cloud_Stall

[64] 5 Ways To Compute Cloud Computing RoI, Cloud Tweaks, 08 August 2012, http://www.cloudtweaks.com/2012/08/5-ways-to-compute-cloud-computing-roi/


In addition to these challenges, five hidden costs have been identified by ISACA in their white paper Calculating Cloud RoI: From the Customer Perspective [65]. These are:

1. Cost of bringing services back in-house due to regulatory change (e.g., stricter data privacy laws).
2. Cost of implementing and operating countermeasures to mitigate risk.
3. Unexpected expenses involved in initial migration of systems.
4. Loss of internal IT knowledge providing competitive differentiation.
5. Lock-in with specific cloud provider or proprietary service model, which may slow down future adoption of open standards-based services.

Where regulatory changes occur, an organisation may have to recover data from the cloud and process it in-house. The recovery will require validation of the data's accuracy; shredding or sanitising data stored in the cloud; configuring in-house systems to replace cloud services; payment of early termination penalties; and reallocating IT resources to support services and equipment purchase to host services.

Migration costs are likely to apply in addition to software licensing and support, cloud provider, cloud system administration and data communication fees. These migration costs may include the costs of conversion or recoding application interfaces to work in a cloud environment, reformatting data or creating data conversion APIs, establishing a federated identity and access management schema, and developing organisational processes to manage the cloud and cloud service provider relationship [66]. Not all public cloud service providers formally offer data ingestion services, leaving the problem of moving large data sets to the customer [67].

    While RoI is an acknowledged means of benefit analysis, the complexity of cloud may require other

    methods, such as total cost of ownership (TCO) in order to provide a basis of comparison. There is

    also the need to include sufficient detail to facilitate decision making but overly complex calculations

    may be an impediment, rather than an aid to decision making.

Given the difficulty of RoI calculation in a cloud environment, the alternative RoSI approach is considered to provide greater utility and pragmatism and to support faster decision making.

Operational Density

All operations have peaks and troughs. Failure to anticipate these operational variances can lead to under or over provisioning [68]. Fundamental to understanding requirements is an analysis of the application and business requirements mapped against the hosting environment. This is illustrated in Figure 11 below [69].

[65] Calculating Cloud RoI: From the Customer Perspective, ISACA, July 2012, http://www.isaca.org/Knowledge-Center/Research/Documents/CalculatingCloudRoI-WP.pdf?id=444c2009-e0a8-455a-ae1c-4bbe0d098eb9

[66] 5 Hidden Costs Of Cloud Migration, Jack McCarthy, CRN, 06 August 2012, http://www.crn.com/slide-shows/cloud/240004991/5-hidden-costs-of-cloud-migration.htm?pgno=2

[67] Cloud mega-uploads aren't easy, Simon Sharwood, APAC Editor, The Register, http://www.theregister.co.uk/2012/05/21/cloud_ingestion/

[68] Part the Clouds: Learn the Basics, Dell, May 2011, http://resources.idgenterprise.com/original/AST-0062581_Cloud_Solutions_Mini_Whitepaper_Learn_the_Basics.pdf

[69] Capacity Reservation System for Virtual & Cloud Environments, Andrew Hillier, CiRBA Inc., http://whitepaper.idgconnect.co.uk/cmsdata/whitepapers/3355861/CapacityReservationSystemforVirtualandCloudEnvironments_CiRBA2012_2.pdf


    Figure 11 - Hosting Environment Analysis

    Operational density can be described as the consolidation of operations for maximum efficiency, taking

    into account pipeline management and operational supply and demand peaks and troughs. In other

    words, workload density in virtual and cloud environments is a balance between too much and too little

    infrastructure. This is illustrated in Figure 12 below:


Figure 12 - Workload Density

[Chart: "Workload Density in Virtual and Cloud Environments". Horizontal axis: Density (Low to High); vertical axis: Unit Cost / Risk (Low to High). Labelled regions: "Critical Production Workloads" and "Batch & Development / Non-Critical Workloads".]

    In this illustration the unit cost of operation is balanced against the criticality of the workloads and

    allowable delays in processing. Where critical workloads are in production, a greater capacity

    allowance and lower workload density is necessary to manage the risk of production delays. Non-

    critical workloads can afford a higher level of processing delay and the workload density can,

    therefore, be higher, thus lowering the operational unit cost.

Any decision on workload density is a decision on the level of risk an organisation is willing to take. In high density systems delays are unacceptable and costly. Security must, therefore, minimise any processing delay as well as preventing security incidents from becoming a source of delay.

Among the advantages of cloud computing are flexibility, pay as you go and responsiveness to demand and peak loads. These cannot operate in isolation, however, as critical production workloads must be guaranteed the necessary resources. Inevitably this means some degree of capacity redundancy and associated costs. For resources that require high availability, pay as you go may not be a cost effective option and enterprises can often leverage other service models (such as private or hybrid cloud) to reduce or contain costs [70].

[70] Looking Back at Joe Weinman's 10 Laws of Cloudonomics, Sourya, CloudTweaks, 16 March 2011, http://www.cloudtweaks.com/2011/03/looking-back-at-joe-weinman%E2%80%99s-10-laws-of-cloudonomics/


    Governance and Compliance

Seeking business advantage, organisations are experimenting with cloud services. With the move from private to hybrid and public cloud offerings, complexity and vulnerabilities change and may increase [71]. There is a corresponding requirement that governance, management, risk, security, continuity and operational concerns are identified and addressed. Compliance is complex in a cloud environment and costs can be significant as legislation and regulation are still developing, technology is rapidly evolving and processes to safely use cloud are still developing [72]. In addition, the issues of transparency, service levels and indemnification add to the complexity of cloud governance [73]. A move to the cloud, in itself, does not change fundamental information assurance requirements. As organisations explore and invest in cloud computing, control boundaries [74] will change which will, in turn, change the risk profile and introduce new risk factors requiring new strategies and processes to manage governance, risk and compliance [75]. The changed control boundaries are illustrated in Figure 13 below:

    Figure 13 - Control Boundaries

[71] Evolution to Cloud: Hybrid Cloud Drivers, Challenges and Benefits, Melinda Ballou, IDC Analyst Connection, April 2012, http://visit.collab.net/rs/collabnet/images/IDC_EvolutiontoCloud_analyst.pdf

[72] Securing Cloud-Based Communications, Technology Blueprint, Quinton Jones, McAfee, 2011, http://resources.csoonline.com/ccd/assets/24450/detail

[73] Cloud governance is about more than security, Gordon Haff, CNET, 09 February 2011, http://news.cnet.com/8301-13556_3-20031137-61.html

[74] K. Scott Morrison's Blog, Visualizing the Boundaries of Control in the Cloud, 01 December 2009, http://kscottmorrison.com/2009/12/

[75] Information Governance Strategies in the Cloud, Susan Nunziata, CIO Insight, 22 November 2010, http://www.cioinsight.com/c/a/Latest-News/Information-Governance-Strategies-in-the-Cloud-303229/


The responsibility for governance and regulatory compliance remains with an organisation and the responsibility cannot be contracted out to a cloud service provider. In particular, responsibility for security, privacy, access, key management, financial and related policies remains with an organisation. Cloud providers have responsibility for securing their data centres and the services that run within them, but ownership of data processed and stored in the cloud remains with the customer organisation [76, 77]. Because the cloud is designed to be agile, dynamic and flexible by nature, traditional governance processes are less effective and have difficulty in displaying the same agility and dynamism. In these circumstances automated governance systems, based on robust rule sets and requiring little human intervention, are becoming a necessity [78].

Gartner has predicted that by 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service [79]. While enterprises are evaluating the potential cloud benefits in terms of management simplicity, economies of scale and workforce optimisation, it is equally important that they carefully evaluate cloud services for their ability to resist security threats and attacks. Independent inspectors' certifications are predicted to become a viable alternative or complement to third-party testing. This means that instead of requesting that a third-party security vendor conduct testing on the enterprise's behalf, the enterprise will be satisfied by a cloud provider's certificate stating that a reputable third-party security vendor has already tested its applications.

Given the wide-reaching effects on an organisation, it is a fundamental part of good governance that due diligence is carried out on all aspects of engagement with a cloud service provider. To assist organisations in establishing a rational cloud governance structure and processes, a number of tools and codes of conduct are emerging. The alignment of aspects of cloud governance with recognised standards was also explored in published research [80]. Some key guidance is briefly described below.

Cloud Industry Forum, Code of Practice for Cloud Service Providers

The Cloud Industry Forum [81] is UK-based and was established in 2009 to provide transparency through certification to a Code of Practice for Cloud service provide