Cloud Computing: Risk Assessment for the Cloud

Properly assessing your organizational risk tolerance is essential before adopting a cloud computing platform.

Vic Winkler

Adapted from “Securing the Cloud,” published by Syngress, an imprint of Elsevier (2011)

Is it safe to use a public cloud? That’s the prevailing question about cloud computing. The full answer, though, depends on a clear understanding of your organization’s level of risk acceptance. Understanding how much risk you can tolerate depends on assessing your security requirements and how you value your information assets like data, applications and processes.

Only when you fully understand these issues can you make an informed decision about which deployment models and service delivery models are appropriate for your needs and risk tolerance. Identifying your information assets is important before you adopt a public or hybrid model. Either choice will involve at least some degree of ceding control over how that information will be protected and where it might reside (location/jurisdiction). There’s increased organizational control for an internally hosted and internally operated private cloud versus other combinations.

And don’t forget the sum total of your information assets isn’t limited to information or data. Your applications and processes can easily be as sensitive or proprietary as your information. In many realms such as intelligence and finance, the algorithms or programs you use are often proprietary and highly secret to the organization. Their exposure can constitute a dramatic loss to the organization.

Assess Your Risk

Begin with a brief risk analysis. You should ask the following questions:

  • Threat Categorization: What can happen to your information assets?
  • Threat Impact: How severe could that be?
  • Threat Frequency: How often might that happen?
  • Uncertainty Factor: How certain are you in answering these three questions?

The central issue with risk is uncertainty expressed in terms of probability. What you really want to know is what to do about it (countermeasures or risk mitigation). Once you’ve analyzed and addressed risks, you can ask several further questions:

  • Mitigation: What can you do to reduce the risk?
  • Mitigation Cost: What does risk mitigation incur?
  • Mitigation Cost/Benefit: Is mitigation cost effective?

To be clear, these three questions are more rhetorical for a public cloud than for a private or hybrid cloud. In a public cloud, you get what you pay for. The cloud provider is the party responsible for answering those three questions. Similarly, these questions are also less relevant for Software as a Service (SaaS) than they are for Platform as a Service (PaaS), but more relevant yet for Infrastructure as a Service (IaaS).

Information Assets and Risk

The central issue with risk is uncertainty. Applying that factor to your question, you must examine your information assets in a bit more detail. Identifying information assets can be elusive, especially with the “create-once, copy-often” aspect of digital content.

The typical organization rarely has sufficient control over its information. This is often minimal assurance that there are no other copies of any given piece of data. From the standpoint of protecting digital data, that might be the worst aspect. Most organizations have many other problems managing their information assets, though.

When you’re considering moving your information assets to the cloud, you need to be satisfied with the process of categorizing classes of information versus specific bits of information. Unfortunately, here, too, there’s generally a problem. This might not be so bad if our computing systems enforced information labeling, but they usually don’t. Information labeling on most computer systems is based on real-world processes of individuals having a need to know and the appropriate clearance for information.

This is organizationally controlled along the lines of information classification and additional handling caveats (such as Project X Only). The appropriate controls are usually insufficient to prevent digital duplication and intended or unintended information hemorrhaging.

Remembering the triad of security factors (confidentiality, integrity and availability), you can ask a series of targeted questions around information assets along the lines of what would the consequence be if:

  • The information asset was exposed?
  • The information asset was modified by an external entity?
  • The information asset was manipulated?
  • The information asset became unavailable?

If these questions raise concerns about unacceptable risk, you might want to approach the overall problem by limiting risk-sensitive processing to a private cloud (avoiding the introduction of new risk). Use the public cloud for non-risk-sensitive data. Adopting a private cloud doesn’t obviate the need for appropriate controls.

With that in mind, you might want to consider the outcomes of:

  • By mixing outsourcing in a public cloud for non-sensitive data and reserving internal systems for sensitive data, you might gain some cost advantages without assuming new risk.
  • Where use of a private cloud would pose no new risks to your information assets, use of a hybrid or public cloud model might.
  • Switching from a traditional IT model for internal processing to a private cloud model might reduce risk.

These are reasonable statements that move toward aligning the importance of our information assets toward both deployment models and service models.

Privacy and Confidentiality Concerns

Beyond these risks to information assets, you might be processing, storing or transmitting data that’s subject to regulatory and compliance requirements. When data falls under regulatory or compliance restrictions, your choice of cloud deployment (whether private, public or hybrid) hinges on being convinced that the provider is fully compliant. Otherwise, you risk violating privacy, regulatory or other legal requirements.

This obligation for confirming secure data management usually falls on the tenant or user. The implications for maintaining information security are significant when it comes to privacy, business and national security.

Privacy violations occur frequently enough within cloud computing infrastructures for you to be concerned about any system—cloud-based or traditional. This is especially true when you’re storing, processing or transmitting particularly sensitive information such as financial or health-care data.

In 2010, there were several cloud privacy information exposures that occurred with a number of cloud-based services, including Facebook, Twitter Inc. and Google Inc. So, privacy concerns with the cloud model are not fundamentally new.

As a cloud tenant with legal privacy obligations, the manner in which you handle privacy information isn’t going to be different whether you use cloud or traditional storage. Just as you wouldn’t store such information on a server that lacked adequate controls, you wouldn’t select any cloud provider without verifying that they meet the same benchmarks for how they protect data at rest, in transmission or while it’s processed.

That’s not to say your policy might reasonably exclude any external provider managing such information for you, cloud included. And while there might be a perception that the computer on your desk is safer than one that’s in a public cloud, unless you’re taking unusual technical and procedural precautions with your desktop computer, it’s more apt to be the one with the weaker security.

Data Governance

You must recognize that the safety of confidential data and its governance are two separate issues. As part of due diligence, you’ll need to fully understand a provider’s privacy governance along with their security practices and guidelines.

Personal information is subject to privacy laws. Other classes of business information and anything related to national security is subject to much more stringent regulations and laws. National security information and processes benefit from a strong and developed corpus of law, regulation and guidance.

Although the cloud is a relatively new model, a studied examination of the available guidance should be ample to absolutely restrict any classified information from residing in a public cloud. The area of probable concern lies with other government functions that don’t process sensitive or classified data.

Suffice it to say, when you examine the opportunity for use of public clouds, there are many distinct and separate lines of business from national government down to local jurisdictions. Given the size of government and the number of levels and jurisdictions, it seems as though government itself could operate a series of community clouds for its exclusive use, thereby obtaining the benefits and avoiding the issues with cohabitation in a public cloud.

On the other hand, if government is to use a public cloud, then that service must fully meet the interests of the tenant and all applicable regulations and laws. It’s possible that a tenant can implement additional security controls that meet regulatory or legal requirements even when an underlying public IaaS or PaaS doesn’t fully meet those same requirements.

However, you have to understand that the range of additional controls that can be added by a tenant are limited and can’t overcome many gaps in some public cloud services. Keeping your eye on the ball when it comes to security is essential, whichever cloud model you choose or whichever suits your organizational needs.

Vic (J.R.) Winkler

Vic (J.R.) Winkler is a senior associate at Booz Allen Hamilton, providing technical consultation to primarily U.S. government clients. He’s a published information security and cyber security researcher, as well as an expert in intrusion/anomaly detection.

©2011 Elsevier Inc. All rights reserved. Printed with permission from Syngress, an imprint of Elsevier. Copyright 2011. “Securing the Cloudby Vic (J.R.) Winkler. For more information on this title and other similar books, please visit