David Vohradsky, CGEIT, CRISC
In the period since the 2011 Oceania CACS Conference took place and my article “Cloud Risk—10 Principles and a Framework for Assessment” was presented, cloud computing has moved well into business as usual for most organisations. We are even hearing that the word “cloud” may disappear, as it will become just the way IT is done in the future. Or the past, if you think about the parallels with bygone mainframe IT bureaus. Cloud assurance has also progressed in terms of commercial offerings being provided by individuals and organisations based on their own intellectual property.
However, I do not believe we have made much progress on an industry consensus cloud risk assurance framework.
The work by ISO/IEC JTC 1/SC27 will remain security centric as part of the ISO IT Security Techniques products. The Cloud Security Alliance (CSA) has also developed literature, with the GRC stack offering a very complete bottom-up control assurance and certification approach that cross-references back to COBIT® 4.1, HIPAA, ISO 27002, NIST 800-53, FedRAMP, PCI DSS v2.0 and others. However, it remains a control assurance rather than a risk assurance tool.
HP Labs has done some work to expand on what it calls intelligent accountability—moving towards a governance focus rather than a “box checking” control focus. This implies more of the activities that could be categorised as governance and risk management, conducted by CGEIT® and CRISC® certified professionals, and less of the activities that could be categorised as security and audit, conducted by CISM® and CISA® certified professionals. For the lower-level assurance, it suggests a movement to scientific and mathematical assessments, as well as a focus on key preventative, detective and corrective controls.
ISACA has presented a number of high-level analyses on cloud risk in its Calculating Cloud ROI: From the Customer Perspective, as has Marsh in its Cloud Computing Framework. Neither of these moves us further towards a comprehensive consensus assurance framework, but they do add items that do not seem to fit into the existing approach—namely strategic contractual risk, supplier failure, pay-as-you-go overruns and general business risk from IT consumerisation.