Risk Landscape of Cloud Computing 

Over time, as computing ease and functionality have grown, the IT industry has experienced from its users an ever-expanding desire for more information. With the web presence today, one can hardly imagine a day going by without accessing the web many times. Data are generated by the minute and are growing in variety and size; there appears to be no limit to where this appetite for more will finally face a “No, you cannot have it.”

To serve this appetite, costs should decrease and/or value of information should increase. For example, early installations of client-server configurations resulted in poor server utilization (because a server was dedicated to processing a limited number of applications). The costs of servers grew as the server farms grew. To ease the pains of underutilization, virtualization1 emerged, which made it possible for servers to attend to more than one application. Capacity utilization thus improved and cost of services came under some degree of control.

Even as the idea of virtualization as applied to desktops and servers matured, the passion for virtualization lingered. If storage can be virtualized, why not applications, services, platforms and infrastructures? So the concept of sharing or abstracting through virtualization beyond just servers grew and produced a bigger picture, known as cloud computing. Conceptually, cloud computing is a network of information systems resources (hardware, software, knowledge, etc.) that provides web-centric online services. Broadly, it is a “generic infrastructural fabric”2 leveraged on the web for providing all kinds of services in a flexible manner. In the past, power infrastructures and highway transportation infrastructures, for example, have changed society and the economy. For power, people do not need to have their own generators; they can use any amount they want at any time and for any purpose. The highway networks provide a means to go from anywhere to anywhere, using any kind of vehicle, and for any purpose. For sharing power, first a power grid was needed, and the highway network was designed by connecting various road networks so they could be shared for travel. For cloud computing, computational grids will need to be used to support huge data centers.

Although a lot needs to be accomplished before advanced use of cloud computing will occur, the wheels are in motion for a tectonic shift in the world of information systems. Call it a “disruptive technology”3 or “the next black swan,”4 cloud computing is here to change the entire spectrum of the information systems domain. The cloud infrastructure, much like other infrastructures, will bring a sea change in business and life. According to The Economist, the rise of cloud computing is “more than just another platform shift. It will undoubtedly transform the IT industry, but it will also profoundly change the way people work and companies operate.”5

Gartner predicts that the market for cloud products and services will vault from US $46.4 billion in 2008 to US $150.1 billion in 2013.6 In light of constant pressures to reduce IT budgets, this is a welcome relief, though some of this growth may be funded by cutting existing IT outlays in other areas of information systems. Overall, it appears that a dynamic reallocation of information-systems-related outlays will occur due to potential advances in cloud computing.

Growth In Demand For Software Services

While virtualization physically supported the notion of sharing and optimizing resource utilization, the logical driver of cloud computing has been software services. In recent years, Software as a Service (SaaS) has grown exponentially, thanks to the notion of sharing a centrally available computing resource. The simplest examples of SaaS include the offering of a wireless telecom company, U.S. Cellular, to store, maintain and back up contacts (for upload in the event one loses his/her device), and Amazon’s Kindle services, where the company keeps track of the entire library of every Kindle buyer. The customer does not need to own, maintain or operate the software, and yet, the benefits of the software accrue to the customer. The combined effect of virtualization and SaaS can be seen in cloud computing.

Among the early cases of cloud computing are Amazon’s Elastic Compute Cloud (Amazon EC2) (an infrastructure), Google’s App Engine (a platform), and Microsoft’s Live Mesh (an infrastructure).

Cloud Example One—Amazon’s EC2

This article will focus on Amazon EC2 as one example of cloud computing.7 Amazon EC2 allows people to set up and configure their own virtual machine on Amazon’s cloud. This means everything about their instances, from their operating system to their applications. Central to this infrastructure is what is called an Amazon Machine Image (AMI), which is a packaged environment that includes all the necessary logic to set up and boot one’s own virtual machine. A unit of deployment can be used to create several building-block AMIs for one’s unique needs (e.g., an application server, database, a web server). Once a custom AMI is created, it needs to be uploaded to Amazon S3 (Simple Storage Service).8 Amazon EC2 uses Amazon S3 to provide reliable, scalable storage of AMIs, so that Amazon can boot them when asked to do so. The size and complexity of a customer’s virtual existence depends on the customer. Most everything is scalable, and users pay for what they use, and no more. Over time, as a user’s needs increase, the user may buy more services, including storage or processing, and will be charged based on use at that time.

Cloud Example Two—Evernote

Evernote’s main function is to allow users to take notes in any form, for example, by snapping pictures, recording audio, capturing web pages or typing words. They cannot lose or misplace these notes because they reside in a cloud. Every file sent to Evernote is uploaded to a server farm somewhere. From there, files are accessible via just about anything connected to the web—the user’s home and office computers, laptop, and cell. Say the user is browsing for recipes and finds a good one. He/she can clip it into Evernote and view it on his/her phone while shopping for ingredients. Back at home, he/she can pull it up on his/her laptop and start making the new recipe. Aside from place and media independence, what really distinguishes Evernote is its uncanny ability to “read” text contained in images, which allows the user to, say, take a shot of a business card and send it to Evernote, which will index the information and render it searchable.9

Logical Characteristics Of Clouds

Although clouds vary in their functionalities and complexity, some commonalities among them can be traced. Technically, these are centralized data center(s) with all information resources available for users to meet their own information requirements. The example of Amazon illustrates the elastic nature of such data centers, where a vast array of different user needs can be met in a flexible manner. The following four logical characteristics are evident in cloud computing:

  • Sharing—A predominant feature of cloud computing is that it is a high-performance machine built to address user needs at the lowest common denominator, thus allowing users to share the provider’s resources. For example, for developing one’s own programming applications, a multitude of subroutines is provided; the user then embeds into his/her own logic those subroutines that are needed, and thus creates a customized piece of logic without having to write monolithic code. The reusable components will be numerous and at the most basic level possible in order for users to pick and embed in their own constructs. In 2003, SAP introduced service-oriented architecture (SOA) into its software. It replaced its monolithic enterprise resource management (ERM) with a collection of reusable components that could be integrated into a whole according to the customer’s need.10
  • Communication bandwidth—Historically, the sharing of software systems by credit unions, for example, has been done through dial-up systems. In this case, each credit union relies on a monolithic software solution and dedicated data storage at the provider’s location to conduct its operations, make queries, update data and generate reports. This hub-and-spoke approach to sharing now belongs mostly to history.11 The new way of sharing is through the Internet in the web environment. Consequently, communication bandwidth should be adequate and reliable. Very little will exist at the customer’s end, for most everything will be in the cloud and not much will be able to be done without the pipeline.
  • Flexibility—Historically, “sharing” implies use of resources in a relatively confined manner. For example, a customer’s applications could be run by an external entity on a shared computer operated by the entity’s staff. Now, sharing takes a deep dive into granularity. New ways of sharing mean anything can be ordered in any amount and to the minutest requirements. It is like going into a restaurant and choosing one’s own bread, condiments, whether to toast the sandwich or not—all these decisions rest with the customer. Choice will be predominant and visible, and the results will not be like a precooked meal.12 For example, SAP has now granularized its ERM logic components to a degree where customers can determine what to use and even, within selected components, how to modify them to fit their own needs. Ingredients are made available to users for their own recipe.
  • Scalability—Scalability here means that users will not have to worry about getting a second server or another storage device in case their needs grow. It is all provided in a seamless manner by the cloud, regardless of whether the customer’s needs increase or decrease. The elapsed time between the customer’s need and supply of resources to meet the need will be insignificant. Equally important, the customer will not have to worry about selecting specifications, acquiring and installing resources, testing them for reliability, etc. It is all in one place without the customer having to worry about time lags, functionality and interoperability.

Risk Landscape

The characteristics of cloud computing lead to enormous opportunities as well as risks. Some of the risks already exist, but will be elevated, and others are new. Taking stock of these risks is as important as knowing how to leverage this development for one’s company.

Because it is too early to know the exact configuration of a cloud, it is difficult to predict precisely what risks would be present at the forefront of this development. Depending on whether the cloud provides SaaS, Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), the risk scenario could be different for each case. Also, a great deal depends on whether the cloud services are provided by an internal cloud (having a cloud environment within the organization) or an external cloud (outsourcing to a vendor’s cloud environment), with the latter likely posing greater risks. However, it is not too early for IT auditors to begin to monitor cloud developments to grasp in a timely manner the changing risks. The discussion of broad areas of risks in cloud computing is divided into six categories:

  • Authentication—The single most critical concern in the use of web-based services is the authentication of users. While technology for authentication has improved over time, there still are grave concerns about untrusted parties posing as authentic users and, if successful, causing data compromises. If most everything in terms of information resources resides in the cloud, this will be a significant risk to be addressed. Presumably, internal clouds may face lower risks of authentication than external clouds simply because of the differences in the customer universe.
  • Data security and privacy—Control over data on the web-managed vendors has been a matter of concern over the years. Even though the outsourcing option has gained popularity, customer organizations not only watch over the data protection standards their vendors use, but also mandate certain requirements of their own, and even perform their own audit. Despite this, the residual risks of losing data on the web remain high, and the customer organization could run into a crisis unless an in-depth security strategy is implemented for the cloud environment.
  • Interfacing with internal systems—Most firms may not be able to outsource everything to an external cloud (e.g., systems that address strategic initiatives, have intellectual property that comprises the core of their competitive strength or are so diverse that there are no viable options in the external cloud). If these residual systems and applications are diverse in nature, it will be a significant challenge to build interfaces for them. And even when such interfaces are in place, risks of data consistency and interoperability are likely to remain. Moreover, anything in-house, if connected to an external cloud, is subject to additional exposures from outside.
  • System availability—Businesses have moved from simple data crunching to integrated systems that are productive, seamless and strategic. Because they are lifelines for businesses, availability of such systems needs to be almost guaranteed. This means additional processes, data backups and redundancy; controls testing for availability requirements; and recovery strategies in the event of data loss. Not only will all this cost more, but it has to be reliable. Perhaps cloud vendors will be at an advantage in building a shared utility that provides for data availability for customers. Nevertheless, users’ concern for loss of control will continue to surface as more is handed over to the clouds.
  • Business continuity—Business continuity in the cloud environment depends on the cloud vendor. Consequently, if using an external cloud, one must be prepared to ask the question: “What if the vendor does not exist tomorrow?” Thus, the financial and operational viability of the vendor is at the center of the risk landscape. Add to this the facts that cybercrime is on the rise and there is a possibility that the clouds being used are somewhere around the globe in a risky region. Such risks are heightened because when most of the user’s resources reside in the cloud, he/she is almost totally dependent on the cloud.
  • Ownership of content and other legal requirements—When all systems’ resources, including data and related applications, are outsourced into a cloud, serious questions emerge. For example, who owns these data? Can one get these data back if the vendor ceases to exist? What will be the legal jurisdiction in the event of disputes and disagreements? Whose property will the applications be if the applications are made through a unique assembly of granular subroutines of a software vendor? Who is responsible for data breaches? Legal complications could become a serious drag on a business and could potentially result in disruption in business continuity.

Control Environment

There is little, if any, likelihood that physical and virtual worlds will exactly coincide. Not all locations of an organization are necessarily included in the virtual entity, but the virtual organization may extend beyond its physical perimeters into business partners, customers, service providers and the like.13 Thus, the articulation of a control environment must include significant and careful consideration of the virtual worlds—in this case, the clouds.

Because clouds are “shared” by many customers using the electronic highway, it is crucial that IT auditors and control experts pay attention to not just protection and security within the perimeter, but also on the highway. It is important to have seat belts, rearview mirrors and air bags in a car, but it is critical to also have highway controls, such as stop signs, traffic lights, guard rails and traffic cops.14 Similarly, air traffic control systems and safety requirements protect travelers from mid-air collision and other disasters. The cloud computing environment should include a careful and thorough consideration of controls over communication with the outside world.

Whereas outsourcing has until now been a matter of choice, the presence of clouds will elevate outsourcing to a matter of need. Therefore, the articulation of the cloud control environment must include all pertinent sources of risks of outsourcing of IT services. This focus on outsourcing may be limited in the case of internal clouds; however, the scenario is similar in that an internal cloud is also an outsourcing service for internal customers. Consequently, concerns about using internal cloud services are likely to be similar to, if not heightened to the same level as, those in using external clouds.


It is too early to say what specific risks will emerge with the implementation of cloud computing. However, it certainly is time to begin mapping such risks, to learn about them and to plan to mitigate them proactively.

Strategic, tactical and operational aspects of sourcing decisions should be carefully and comprehensively identified and addressed. Potential risks with outsourcing information systems lie in the facts that the customer is dependent on the third-party outsourcing firm and there are likely to be significant exit barriers.15 Project planning and management risks, contracting and negotiation risks, transition and start-up risks, and provider performance risks must be addressed.16 Finally, the process of gaining assurance of services and related controls should be documented and appropriate aspects of it should be included in the outsourcing contract.

Requisite variety in the service level agreement (SLA) is the key to managing risks of external clouds. In other words, for every foreseeable out-of-control situation, an appropriate control response should be identified. Every aspect of risk must be considered, and its possible effect should be determined. Risk scenarios should be built and discussed with the prospective vendors to learn how well the information resources are secured. A similar exercise for an internal cloud can be used to develop an internal SLA for cloud services to gain assurance of risk mitigation.


1 Virtualization is an approach to separating (abstracting) systems’ resources in terms of physical and logical dimensions. Thus, the same physical resource could serve more than one logical need. Such a separation could occur at any level, e.g., desktop, network, application, platform, infrastructure.
2 Delic, K.A.; “Emergence of Academic Computing Clouds,” ACM Ubiquity, vol. 9 (31), 2008
3 Christensen, C. M.; The Innovator’s Dilemma, Harper Collins, USA, 2003. He distinguished between established technologies that allow an entity to grow in a linear mode (sustaining technologies) from those that start out as simple, cheap and even inferior, but grow over time into innovative and new uses that generate exceptional economic value.
4 Taleb, N.N.; The Black Swan: The Impact of the Highly Improbable, Random House, USA, 2007. Taleb describes events—the black swans—that defy historical pattern and are unpredictable in timing and impact.
5 “Let It Rise,” The Economist, vol. 389 (8603), Special Section, 25 October 2008, p. 3-4
6 Hamm, S.; “Cloud Computing’s Big Bang for Business,” BusinessWeek, 15 June 2009, p. 42-44
7 Amazon Web Services, Amazon Elastic Compute Cloud (Amazon EC2), www.amazon.com/ec2
8 Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any developer access to the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of web sites.
9 Samiljan, Tom; “You Must Remember This,” Hemisphere Magazine, August 2009
10 “Creating the Cumulus,” The Economist, vol. 389 (8603), Special Section, 25 October 2008, p. 8-10
11 Hayes, B.; “Cloud Computing,” Communications of the ACM, vol. 51 (7), July 2008, p. 9-11
12 Op cit., “Creating the Cumulus,” The Economist
13 Axelrod, C. Warren; “Cyber Security and the Critical Infrastructure,” Information Systems Control Journal, vol. 3, 2006, p. 24-28
14 Ibid.
15 Wright, Catherine; “Top Three Potential Risks With Outsourcing Information Systems,” Information Systems Control Journal, vol. 5, 2004, p. 41
16 Benvenuto, N.A.; David Brand; “Outsourcing—A Risk Management Perspective,” Information Systems Control Journal, vol. 5, 2005, p. 35-40

Editor’s Note

ISACA recently released a white paper, “Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives.” The complimentary white paper is available for download at www.isaca.org/cloud.

Vasant Raval, CISA, DBA
is professor of accountancy at Creighton University, Omaha, Nebraska, USA. A coauthor of two books on information systems and security, his areas of teaching and research interests include information security and corporate governance.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

© 2010 ISACA. All rights reserved.