Recently I engaged in a conversation with other top-level IT executives about the nature of cloud computing and some of the challenges and opportunities they’re facing regarding risk management. Some in the group felt it wasn’t appropriate for their environment, while others embraced SaaS (Software as a Service) as an opportunity. No matter where on that spectrum you land, you find that cloud computing carries a risk management component that each enterprise must address.
What is cloud computing, in a nutshell? It is simply a dynamic environment where scalable and virtualized resources are provided as a service over the Internet (SaaS, for instance). It sounds simple – create an application, build a virtual architecture to support it, and offer it as a service over the Internet. The reality is far from simple and can be one of the most challenging service delivery mechanisms in information technology. But the topic here isn’t focused on security per se, nor on ROI concerns or even operational prerogatives. Instead, I want to limit the topic strictly to risk management as it relates to the cloud.
What is Risk Management?
In practice few organisations have formal risk management processes, or at least they have an overly optimistic view of what their risk assessment process is. If this is true, and it most likely is for many organisations (speaking with risk management experts, the consensus is that it is true), how do you break down the components of risk management, and what role do they play in the decision-making process?
Let us first address what risk management truly means. Simply put, it is understanding the various factors (law, regulation, business) that contribute to risk and formulating strategies to mitigate that risk. Essentially there is Legal Risk (the risk of losing a lawsuit or of being sued); Regulatory Risk (the risks involved with regulatory compliance and mandates); and Business Risk (risks associated with business continuity – i.e. the going-concern question).
Legal and Regulatory Risk
The first set of these risks is the Legal and Regulatory climate that many companies must contend with. All companies operate within risk constraints that shape their business model. Publicly traded companies worldwide must contend with the various legally binding regulatory disclosures that come with trading in the market. Additionally, each industry has specific laws and regulations that burden it not only with reporting requirements but also with operational requirements. The pharmaceuticals industry, for instance, faces a number of regulations that place demands on it and dictate the operations and design of its business model – in the US there is FDA, CPSC, OSHA, and even EPA oversight; in the EU you have REACH; and there are many more across the globe.
How does regulation, or the law, impact cloud computing? Some countries, especially EU member nations, require that client data meet very strict privacy requirements. Some national mandates require that information about their citizens be kept within their geographical borders (i.e. it’s illegal to store such data in another country). Such laws stem from the days when paper was the primary medium, but draconian as they are, they persist and apply to the digital realm. Another aspect of regulation is change management as it relates to data – i.e. audit trails. Who changed what, when, and how is often a requirement of regulation, and such audit trails also serve a rapidly evolving area of law called electronic discovery (e-Discovery).
So, you might ask, what does all this mean in the realm of the cloud? On its face, managing such risks seems ominous or difficult. However, in practice the impact is negligible when you consider a couple of factors. First, most providers are well aware of the regulatory and legal climate in which their clients exist. Second, a SaaS provider could make a significant error on a regulatory issue, but the probability is no greater than if your enterprise were to handle compliance on its own.
As for legal risk, here’s where we find shades of gray. Primarily: “who is ultimately responsible for securing data that meets the very broad and loosely interpreted requirements of e-Discovery?” Courts in the US have been reluctant to forgive companies for the misdeeds of solution providers, and courts in Europe aren’t much different. In essence, the company is required to guarantee that it can provide all the documentation needed, regardless of whether the application is hosted in house or by a SaaS provider.
Business Risk
Business risk, as discussed earlier, reflects the extent to which a given issue causes a loss of value to an enterprise (up to and including terminating the business). Without getting into a discussion of best practices regarding risk management, it is easy to say, based on experience, that most companies do not have formal processes that score risk when making decisions at every level. When it comes to SaaS solutions, business risks tend to appear in three major forms – operational risk; policy / administrative risk; and provider risk.
Let’s address the first – operational risk. In basic terms this risk is about control. Who controls the data, access, and security? The more important the application is to the organization, the greater these concerns are.
Secondly, there is policy or administrative risk – does the application support administration of, and adherence to, overall enterprise policies? Risk here is that enterprise policies will need to be drastically altered or that compliance with such policies cannot be met.
Finally, there is provider risk. By this I mean concerns regarding the provider itself, primarily the soundness of their enterprise and their ability to deliver services to an acceptable level or meet their SLAs.
Addressing Risk Management
At this point the question arises: “What can be done to address risk management as it relates to cloud computing?” First, gain an understanding of what risks are facing you (compliance, legal, and business). It isn’t sufficient to make a decision based strictly on ROI or TCO.
Next, develop a risk management methodology that lets you assign risk in such a way that you can score, or weight, it. Finally, make certain that your service provider has risk management strategies, and have them explain what those strategies are – in detail.
One final point is that these three items should be repeated frequently. In other words, they aren’t once-and-done tasks and should be re-assessed periodically as part of your overall enterprise risk management program.
Also published on THE CTO FORUM