Sailesh Gadia, CISA, ACA, CPA, CIPP
Cloud computing has come a long way from being a mere buzzword to a meaningful tool with a lot of potential for consumers of technology products and services. The adoption of cloud computing has accelerated in the last few years, and it continues to undergo phenomenal growth.1
Just as in the early days of the Internet, there are many unknown variables in cloud computing. Due to its nebulous nature, it is important to understand the risks associated with utilizing cloud computing. It is not just a new technology; it is a different way of doing business.
Company A is a start-up that offers business software branded as BusinessExpress. Company A offers BusinessExpress as a Software as a Service (SaaS) solution. The demand for SaaS solutions is expected to grow rapidly. With SaaS, customers enjoy all the benefits of cloud solutions such as not having to host their software in-house2 (figure 1).
Company A’s core competency is performing software development, not providing hosting solutions. Infrastructure as a Service (IaaS) cloud service providers (CSPs) specialize in providing hosting solutions. Leveraging an IaaS CSP for hosting has allowed Company A to remain focused on its core competency. There are several other benefits of utilizing an IaaS CSP, such as:3
Due to the numerous benefits of IaaS, Company A leapt into a cloud computing arrangement. The cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view.4 The chief information officer (CIO) of the company engaged an information systems (IS) auditor to conduct a review and assess the risks of offering a SaaS solution and adopting IaaS cloud computing for this arrangement. The following paragraphs describe the steps followed by the IS auditor to conduct the exercise. This exercise will help the CIO in determining what Company A needs to protect, prioritizing the risks and determining a response.
To conduct a risk-based assessment of the cloud computing environment, there are generic risk frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management—Integrated Framework. There are also IT domain-specific risk frameworks, practices and process models such as ISO 27001 and IT Infrastructure Library (ITIL). Bottom-up guidance specific to cloud computing also exists from various bodies such as the Cloud Security Alliance (CSA), European Network and Information Security Agency (ENISA), and the US National Institute of Standards and Technology (NIST). The Cloud Controls Matrix released by CSA is designed to provide security principles to guide cloud vendors and assist prospective cloud clients in assessing overall security risks of a CSP. The NIST guidelines on security and privacy in public cloud computing (NIST Special Publication [SP] 800-144), which are currently in draft form, contain the guidelines required to address public cloud security and privacy. The Risk IT: Based on COBIT® framework from ISACA fills the gap between generic risk management frameworks and domain-specific frameworks based on the premise that IT risk is not purely a technical issue.
The IS auditor of Company A chose the Risk IT framework, supplemented with an understanding of the Cloud Controls Matrix, ENISA’s cloud computing risk assessment and the NIST guidelines.
Risk IT provides a list of 36 generic high-level risk scenarios, which can be adapted for each organization. Starting with the set of generic risk scenarios helps ensure that the IS auditor does not overlook risks and attains a more comprehensive view of IT risk. Further, Risk IT offers an extensive mapping between the generic risk scenarios and the COBIT control objectives that are customizable for each situation. Figure 2 illustrates the mapping between the high-level risk scenarios and the corresponding COBIT control objectives created by the IS auditor for the cloud computing arrangement.
Leveraging Risk IT in conjunction with a widely accepted IT governance and controls framework such as COBIT makes the risk identification robust and the risk assessment process effective and efficient. This leads to a model that is extensible and reusable and that can scale up to IT risks affecting the entire company.
Once the risks and COBIT control objectives were defined, they were used by the IS auditor to develop a risk-based audit program. Figures 3–105 represent a selection of the audit program for the higher-risk areas in figure 2. Figure 11 represents a summary of the specific risks and gaps after conducting the audit.
The auditor created a heat map of risks (figure 12) that shows the impact/magnitude and likelihood/frequency of key risks relevant to Company A. The combination of higher (negative) impact/magnitude and higher likelihood/frequency of the incident leads to a higher level of business risk. The darker shade indicates unacceptable risk. This level of risk is far beyond Company A’s normal risk appetite. (There may be other risks unique to the ultimate end users/customers of Company A, but that is out of scope for this case study.)
Due to competing resources, the prioritization of risks related to cloud computing needs to occur, and appropriate action should be taken based on the risk appetite of the company. Appropriate action includes a combination of the following:
The audit highlighted that Company A needs to mitigate several risks. However, implementing too many controls may not be the best risk-mitigation approach because the benefit from implementing controls should outweigh the cost. Other risk-mitigation measures such as transferring, avoiding or accepting the risk are worth considering as well.
Once the company aligns IT risk with the organization’s overall business risk and remediates unacceptable security controls, the company is better prepared to harness the power of cloud computing.
Businesses are realizing the power of cloud computing, and its use is increasing. This case study represents a one-time attempt at risk assessment of the cloud computing arrangement. The risk assessment helped uncover some of the key risks, prioritize those risks and formulate a plan of action. Given the evolving nature of risks in cloud computing, no longer can one-time risk assessments suffice. As newer risks emerge, risk assessments need to evolve and the mitigation approach needs to innovate. A risk assessment needs to occur before an enterprise enters into a cloud computing arrangement—to help avoid surprises and minimize the costs of implementing and maintaining controls.
1 Gartner Inc., “Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in 2010,” press release, 22 June 2010, www.gartner.com/it/page.jsp?id=13893132 Gadia, Sailesh; “Cloud Computing: An Auditor’s Perspective,” ISACA Journal, vol. 6, 2009, www.isaca.org/Journal/Past-Issues/2009/Volume-6/Pages/Cloud-Computing-An-Auditor-s-Perspective1.aspx3 Pepitone, Julianne; “Why Attackers Can’t Take Down Amazon.com,” CNNMoney.com, 9 December 2010, http://money.cnn.com/2010/12/09/technology/amazon_wikileaks_attack/index.htm4 European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks and Recommendations for Information Security, Greece, 2009, www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessment5 IT Governance Institute (ITGI), COBIT® 4.1, USA, 2007
Sailesh Gadia, CISA, ACA, CPA, CIPPis a director/senior manager at KPMG’s advisory practice in Minneapolis, Minnesota, USA. He has an extensive background in designing, implementing and assessing IT controls in various industries and third-party service organizations. Gadia is also an editorial advisor for the monthly Journal of Accountancy from the American Institute of Certified Public Accountants (AICPA). His previous ISACA Journal article on cloud computing was published in vol. 6, 2009. Gadia can be reached at firstname.lastname@example.org.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.