Cloud Governance Project

Cloud Governance – Issues drawn from Deloitte Risk Map

Governance, Risk Management and Compliance


Inadequate management oversight of cloud adoption

Failure to evaluate and monitor usage of cloud

Risk Management

Inadequate analysis of incremental risks introduced by cloud

Lack of independent assessment of cloud solution

Insufficient expertise in auditing cloud environment


Inability to demonstrate compliance with regulatory requirements

Limitations on ability to monitor compliance of cloud components

Changing compliance landscape due to evolving regulations and standards

# Noncompliance with multijurisdictional data privacy laws due to lack of visibility into data location

Delivery Strategy and Architecture


Lack of a coherent cloud strategy and roadmap

Cloud strategy not aligned with business needs or technology maturity


# Lack of proper isolation for sensitive data due to multitenancy in cloud

Lack of configurability and customization of cloud architecture

Inability to use best-of-breed technologies

Unacceptable performance degradation due to increased network or system latency

# Failure to engineer cloud applications to leverage scalability offered by the cloud

Infrastructure Security

Vulnerability Management

# Security vulnerabilities introduced by cloud co-tenants and ecosystem partners

Failure to protect against new vulnerabilities in virtualization technologies

Lack of timely security patches for proprietary cloud components

# Failure to patch vulnerabilities in virtual machine templates and offline virtual machines

# Inadequate vulnerability testing of services obtained from cloud ecosystem partners

Network Security

Compromise of cloud management interfaces due to targeted attacks

Failure to secure network traffic between distributed cloud components

Exposure to distributed-denial-of–service attacks against public-facing cloud interfaces

# Lack of defense against attacks originating from within the cloud environment

System Security

Compromise of cloud environment due to poor security practices by the customer

# Lack of adequate cloud service security due to conflicting customer priorities

Insecure end-user systems interacting with cloud-based applications

# Failure to secure intra-host communications among multiple virtual machines

Application Security

Inability to independently test application security

Circumvention of application access controls by cloud provider staff

Failure to secure interfaces between variety of cloud-based and traditional applications

Inadequate facilities to capture and store application logs


Lack of controls to prevent cloud provider from accessing encryption keys

Poorly implemented encryption and key management due to cloud service immaturity

Identity and Access Management

Identity Management

# Insecure integration of internal and cloud-based identity management components

# Inadequate due diligence prior to assignment of broad cloud management privileges

Access Management

Failure to implement proper access controls for cloud management interfaces

Inadequate logical access control options due to cloud service immaturity

Inability to restrict access or implement segregation of duties for cloud provider staff

Data Management

Data Acquisition

Housing inappropriately collected data

Data Storage

Unauthorized access to data storage through underlying cloud technology

# Inability to monitor data integrity inside cloud storage

# Failure to properly retain data due to complexity of multiple cloud data stores

Data Usage

# Lack of clear ownership of cloud-generated data

Unauthorized access or inappropriate use of sensitive data (e.g. personal data, intellectual property)

Underutilization of data use due to restrictions on access to data in cloud

Data Transfer

# Noncompliance with data privacy laws due to cross-jurisdictional data transfer

# Inability to integrate data loss prevention technology with cloud solution

Data Disposal

# Failure to remove data from multiple cloud data stores

# Insecure deletion of data from multiple-use hardware resources

Business Resiliency and Availability

Technology Resiliency

Cloud service failure due to oversubscription in peak usage periods

# Inability to verify cloud infrastructure resiliency

Single-points-of-failure due to addition of complex technology components

# Increased complexity of data replication or backup to other clouds or back in-house

Cloud Provider Continuity

# Inability to test cloud continuity and disaster recovery plans

# Lack of continuity plan for cloud provider failure, acquisition, or change in service strategy

Failure to establish source code escrow agreement for proprietary software

Supply Chain Continuity

# Interruption of cloud services due to critical subcontractor failure

IT Operation

Asset Management

# Failure to comply with software licenses due to ease of cloud resource provisioning

# Insufficient tracking of virtual assets

Project Management

Poorly defined roles and responsibilities of cloud participants

Unresponsiveness in cloud provider communications due to customer volume

Incident Management

# Delayed data breach notification due to complex identification of affected customers

# Ineffective incident investigation due to impermanence of virtual systems

# Failure to limit incident spill-over to other cloud tenants

# Inability to troubleshoot performance issues due to continuous environment changes

Change Management

# Inadequate cloud migration planning

# Inability to align business process changes with standardized cloud service options

# Lack of coordination of system maintenance resulting in conflicting changes and difficult troubleshooting


Inadequate monitoring of cloud resource utilization

IT operational processes not updated to reflect unique cloud computing risks

Lower availability of cloud service than prescribed by the SLA due to provider oversubscription

# Inability to provide adequate level of service globally

Physical and Environmental

# Inadequate physical and environmental safeguards for cloud locations

# Increased data loss for multiple customers from physical machine theft

Vendor Management

Vendor Selection

Inadequate due diligence of cloud security controls

Lack of sufficient number of viable cloud providers

Lack of performance track record due to cloud service immaturity


Lack of performance monitoring mechanisms beyond cloud provider reports

# Inability to use third parties to assess cloud provider performance

# Gap between provider’s nonperformance vs. business impact of service disruption

Vendor Lock-in

High cost of migrating cloud-resident technology due to proprietary architecture

# Complexity in architecting technical solutions that minimize vendor lock-in

# Failure to plan for cloud portability and interoperability

# Lack of agreed upon exit obligations for both provider and customer


# Inability to customize cloud contract and establish cloud provider liability

# Failure to update cloud contract over time to reflect operating changes

Resource Provisioning

# Failure to formally define maximum available cloud resources

Business Operations

Human Resources

Malicious insiders with administrative access to cloud components

Inadequate IT skills to manage cloud-based technologies

Failure to retain technical specialists upon cloud migration to oversee cloud operations


# Inadequate records management, preservation, retention, and disposal policies

# Unauthorized exposure of data at cloud locations with unpredictable legal environment

Failure to consider digital evidence and e-discovery issues in contracts


# Lack of internal controls for financial processes and transactions in the cloud

# Failure to control cloud expenses due to ease of proliferation of cloud usage

# Economic denial-of-service by exhausting metered cloud resources


# Failure to analyze and plan for tax considerations

Last modified at 5/23/2011 10:19 AM  by Ron Hale Ph.D. CISM