Risks and Consequences Tutorial

6.2 Risk and Consequences

Hello and Welcome to Module No. 6 of Cloud computing course offered by Simplilearn. In the previous module we discussed about the successful adoption of cloud computing by an organization. This module discusses several risks and consequences that an organization faces after adopting cloud computing. Before we begin with this module, let’s look into the agenda for this module.

6.3 Agenda

In today’s module we will discuss various risk factors that are associated with cloud computing and the issues that arise from integrating cloud into an organization which already has a set of built-in compliance and regulations. We will also look into the cost factor associated with cloud computing and identify how senior management in every organization allocates cost. Lastly, we will look at the different strategic options available to an organization in a scenario in which a vendor fails. The next slide introduces us to the concept of risk management.

6.4 Risk Management

The Institute of Risk Management defines risk as, the proactive identification, analysis, and control of those risks that can threaten the assets or the earning capacity of an enterprise. In other words, it is identifying and mitigating the risks that can have an effect on the business value of an organization. Risks can be due to multiple reasons such as, not complying with regulations of an industry or a company; security breaches which eventually lead to data leakage; risks associated with vendor, licensing, etc. The factors that we take into consideration when we address the issue of risk are compliance, security, privacy, reputation, legal, and licensing. We will discuss the idea of compliance in the next slide.

6.5 Compliance

All organizations have to adhere to or comply with a set of regulations or legalities of their respective industry. This is very crucial for larger organizations, especially, the ones that are publicly listed. Inability to adhere to these laws might result in the infringement of law which can be detrimental to interest of the company. In order to mitigate risk due to non-compliance, organizations should follow stringent measures. Having direct control over the IT assets indicates that we can have access rights to several IT applications. Again, yearly audits reveal the identity management process and how access control is organized among the employees in the organization. Cloud, however, has the ability complicate this entire process. In cloud, there is very less visibility and when our applications are hosted on cloud, service providers can issue and manage or use identities and rights associated with these applications. In the next slide, we will discuss the relative advantages and disadvantages of in-house system management and cloud computing.

6.6 In house Systems Management versus Cloud Computing

Control over all the assets means there is visibility and the current state of the assets is available at any given time. This directly links to the change management process. Let us now look at the pros and cons of using cloud and when compared to in-house systems management. In cloud, using Infrastructure as a Service (IaaS) can be a beneficial option as we can have older versions running. This means change management process can be less complicated. Cloud vendors build features suitable to the client’s release schedule and this is extremely helpful for the end-user. For instance, a Platform as a Service (PaaS) provider can still keep an older version alive on request from the end-user. Therefore, the end-user is not forced to upgrade to a newer version. On other hand, using cloud also has some disadvantages. The end-user has very limited control over the way the system is managed. Besides, service providers have their own releases and schedules which might pose as a constraint for the end-users if they need an upgrade. Again, yearly audits are mandatory in any organizations. In a yearly audit, organizations take a back-up and make necessary recovery. Employing external service providers on a surface level seems a wise option. It allows us to avoid the risk of losing our data due to hardware failure. However, in service level agreements or SLA what the vendor can offer might not be adequate for an organization. In addition to this, there is a threat for the provider if he fails to deliver as per his SLA. We will discuss more on SLA in the subsequent slides. In the next slide, we will discuss the security aspect of cloud computing.

6.7 Security

Security risks are nothing but any sort of threat that an organization faces from an adversary. These risks can be mitigated by using a number of technical means such as firewalls, intrusion detection system, employee screening, etc. In cloud, the assumptions based on which the systems are built keep changing from time to time. One such assumption is insecure communication. In a typical architecture model, there is a separation between the company and the outside world, i.e., the Internet. However, in cloud everything operates through the same network. This allows some category of users the access to an organization’s data through public network. In such cases, having a very secure communication is highly critical. Another such assumption is multiple touch points. In cloud, we know that sharing of resources is a key attribute. As a result of having multiple providers and users connecting over a network, there are multiple points of communication between the organization and the Internet. In such situations, it is mandatory to establish multiple firewalls. In cloud, firewalls are offered by the service provider and users have minimal control over it. Yet another assumption is the attack approaches. Firewalls play an important role in protecting the assets but they might not be sufficient always. Other attack approaches exist and they keep growing as security measures increase. Few approaches to consider are social engineering, cross-site scripting, etc. They apply not only to cloud but also for in-house management systems. The next one is social engineering. There are a lot of crimes involving communication and we become aware of them from time to time. The best example for this security concern is ‘phishing.’ In this kind of crime, the e-mail messages contain wrong information and the recipients end up opening fraudulent websites. Finally, we have concern over less relevance to physical access security. In cloud, everything exists in the network and data is accessible with a simple login. Besides, physical location remains with the service provider and this aspect renders the concept of physical location irrelevant. In addition to all these, there are the residual risks. All cloud providers have extensive security policies in place. The best names in the industry have security policies and compliance rules surpassing best industry standards. In cloud, it is important that policies are changed according to the existing services and needs. When any kind of residual risks arises, it should be addressed by the customer. Here are a few possible risks that might arise. If the cloud provider goes out of business or service, offering can deteriorate in quality. In such instances, an exit strategy to move existing data, software, and assets is needed. Secondly, when service provider is outside, user’s jurisdiction might require disclosure of information or service can be denied. Lastly, network connectivity is at a risk when the connection is interrupted between provider and user. In our next slide, we will discuss the concept of privacy.

6.8 Privacy

Privacy can be defined as the right that individuals exercise in disclosing information selectively, about themselves, in order to prevent others from knowing them. Likewise, organizations also exercise privacy about their employees and customers. In cloud, privacy is a primary issue. Cloud computing involves multiple parties and stakeholders in any given situation. Stakeholders here involve both the organization and the government. Privacy regulations vary depending upon the jurisdictions and individuals. In this module, we will look at these regulations from European Union’s point of view since they are the most stringent in implementing them. These regulations apply outside Europe as well. One example of EU’s privacy policy is as follows. All of us are concerned about the sharing of our personal and confidential information without our knowledge. In EU, bodies are appointed depending upon the data they manage. For example, any person cannot change or manage information about individuals; a controller is in place which limits the processing of data by unauthorized party. Some confidentiality issues can arise due to data leakage. In cloud, there are no physical barriers to protect them and data is as good as our password. Access to information is possible. Similarly, social networking sites can be highly dangerous as the privacy features are not very well defined. Likewise, since the service provider is in a remote location, the user does not have physical access to that location. As a consequence, the user is left with no choice but to trust the provider. In the next slide, we will discuss reputation.

6.9 Reputation

Any data misuse can be detrimental to one’s reputation. In cloud, the major risk arises due to sharing of resources. Servers, data centers, and network links are all shared by the end-users. In these cloud facilities or cloud-like facilities, there are possibilities of misuse of data, either knowingly or unknowingly. The result of such misuse is, however, very serious. There are situations where spammers can contract virtual servers from an IaaS provider, and as a result other users sharing the same network will suffer. The network address gets blacklisted by means of law enforcement. Sometimes, computers of innocent people are seized since they are housed in the same facility where illegal activities take place. Let us now take a look at the legal aspect of cloud computing.

6.10 Legal

A gamut of legal issues arise surrounding contracts offered by cloud providers. Services are usually offered through an SLA or service level agreement. We have already touched upon this topic earlier in slide no. 6. . SLAs are typically offered by the service provider and, therefore, they protect their interests. SLAs usually consist of the components like type of functionality offered by the provider (e.g., e-mail service), percentage of guaranteed uptime (e.g., 99percent), response time of the service offered (e.g., web page loads in 2 seconds), and a financial paragraph that explains the cost structure surrounding the service. While working with large service providers there is little room for negotiation to happen. There is a huge difference between an SLA and business needs. Both of them have to be mapped so that they are understood clearly. In a typical SLA for cloud service, there is very little protection if the service suffers any downtime. The best compensation that the service providers offer is a discount in the subscription, for the downtime that is caused. There are several legal subtleties surrounding service offering. For example, a service provider can execute a number of processes on behalf of the customer, such as identity provisioning. In such situations, accountability of the provider alone is not sufficient to prevent any damage. In order to find a solution to such situations, a mixture of technical measures, appropriate auditing, and clear contractual agreements are mandatory. In the next slide, we will examine the concept of licensing with respect to cloud computing.

6.11 Licensing

Traditional licensing models do not apply to cloud service providers since the entire business model here is different. Most software applications used in various organizations had a typical license cost that recurred on a yearly basis which were tied to number of CPUs installed. This is obsolete with reference to cloud since servers in cloud are provisioned as and when needed. Also, users are charged mostly in pay-per use model. Nevertheless, service providers, in recent times, have come up with suitable licensing model which best suits cloud services. In the next slide, we will discuss financial management.

6.12 Financial Management

In every organization, IT departments operate on a yearly budget cycle. Budgets are directly associated with IT capacity of the organization which means business value. Chargeback also work in the same manner. But this model does not work for cloud services. Elasticity is an important attribute of cloud. A company can have provision for 100 servers through an IaaS provider or the number of users of a SaaS application can grow from a mere 10 to 1,000 overnight. Hence, in cloud we follow the pay-per use model. Traditional yearly budget cycles are not applicable here. There a multiple ways to manage the issue of unpredictable cost. We can set limits on the total cost incurred, which ensures that if there is any uncertainty, it can only occur downwards. Besides, any cost incurred has to be directly tied to the revenue generated. Again, there might be another capacity related issue. The success of an application might depend on the possibility of rapid scaling. However, the service provider might not offer the service of provisioning additional servers, accounts, etc. In such cases, the consumer can make a reservation for a minimum fee. Financial commitment from consumer ensures commitment from service provider as well. In the next slide, we will evaluate the implications of direct cost.

6.13 Implication of Direct Cost

From a financial perspective, the shift from internal IT to external cloud service provider directly reflects on balance sheet, i.e., there is a reduction in capital. This is an important advantage of cloud, which we have discussed in earlier modules. This reduction in cost might not reflect immediately as an advantage for an organization since assets depreciate over few years. However, there is an increased volatility in cost base. There is rapid change in cost: the cost could go up and come down at a rapid rate. This adds some additional pressure on the financial management capabilities. Most importantly, the cost allocation processes need a revamp to ensure that the end-user enjoys maximum benefit from cloud and financial risks are reduced. The next slide introduces us to strategic supplier management.

6.14 Strategic Supplier Management

There are multiple ways to handle the risks associated with the failure of a vendor. Let’s look at this from an end-user’s perspective. The first aspect that we need to take into consideration is an exit strategy. In cloud, there is a great risk of a service provider going out of business. This could be due to several reasons such as, bankruptcy or vendor’s decision to back out on the customer since he has served him long enough. The same might happen with outsourcing. However, the time it takes to impact end-user is much quicker with cloud because a cloud provider can deploy his resources rapidly to another client. On the other hand, in outsourcing, assets are dedicated to customers. Again, provider can have more clients and there is no need to place importance on a single client. When this happens, it is important to have a plan in advance. This is called exit strategy. This can be termed as business continuity because ensuring business continuity is essential to reduce risk. There are other options as well. While evaluating vendor dependencies, it is important to look into one’s business process, application, and infrastructure. On all these factors, one has to have a plan in advance and analyze the effort needed in switching to alternative arrangements. For example, if a server stops functioning, because the IaaS provider has gone out of business, we can alternatively re-host the application in-house or go to another service provider. If a SaaS provider stops delivering, we can have the options to migrate the application itself. On the other hand, the entire business process could be outsourced as well. Cloud computing, however, has the necessary capabilities to reduce risks at various levels. When system crashes data might be lost. But when it is stored in cloud, it can be accessed. Similarly, a virus attack on a home PC is very likely; whereas, cloud has sophisticated security measures and data remain secure in it. Finally, when different versions of a document are circulated, there are the chances of a mix-up. The solution to this problem lies in using a good intranet option. This brings us to the end of this module. In the following slide we will summarize all that we have learned so far.

6.15 Summary

Let us now recapitulate the key points that we discussed in the previous slides. We have identified and explained the issues associated with integrating cloud computing into an organization’s existing compliance risk and regulatory framework, we have also examined the implications of direct cost and the cost allocation to be made, and discussed how to maintain strategic flexibility. This brings us to the end of this module. The following slides have some quizzes which will help you evaluate your knowledge of the risks and consequences in cloud computing. And, with this we have come to the end of CompTIA Cloud Essential Course. Thank You and Happy Learning.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Name*
Email*
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Email*
Phone Number*
Company*
Job Title*