One of the major disadvantages of private clouds is that they require a huge investment in terms of hardware, software and the costs of implementation and maintenance. Therefore, they tend to be set up and used only by larger organizations. An organization must also ensure that there is adequate provision for power, cooling and general maintenance to reduce the risks of data loss and service disruption owing to physical damage to the units, should any kind of disaster occur. It must also ensure that security is maintained at the highest possible level, and must take steps itself to ensure, for example, that system configurations remain in their ideal state, as misconfigurations are a major cause of security vulnerabilities and downtime. Another burden that could prove to be a risk if not handled adequately is that new operational procedures may be required for dealing with private cloud environments that rely heavily on virtualized infrastructures. Processes need to be developed that deal with new ways of working, and staff must be adequately trained to contain those risks.
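The paragraph above makes keeping system configurations in their approved "ideal state" a private-cloud operator's own responsibility. The following is an added example (not code from the article or any product it mentions) of the simplest form that check takes: a baseline of approved settings compared against what each host actually reports. The setting names, host names and values are constructed for illustration; in practice the observed mapping would be gathered from sysctl output, an SSH daemon config dump or the cloud-management API.

```python
"""Configuration-baseline drift check (added example, not from the source article).

Assumes each host's effective settings can be gathered into a flat key/value
mapping. All hosts, keys and values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: the "ideal state" the organization has approved.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "kernel.randomize_va_space": "2",
    "hypervisor.nested_virt": "off",
    "mgmt.api_tls_min_version": "1.2",
}

# Settings where any deviation is treated as an exposure; the rest are warnings.
CRITICAL = {"sshd.PermitRootLogin", "sshd.PasswordAuthentication", "mgmt.api_tls_min_version"}


@dataclass(frozen=True)
class Drift:
    host: str
    key: str
    expected: Optional[str]  # None: setting is not part of the baseline
    actual: Optional[str]    # None: setting is missing on the host
    severity: str


def check_host(host: str, observed: Dict[str, str],
               baseline=BASELINE, critical=CRITICAL) -> List[Drift]:
    """Return every deviation between a host's observed settings and the baseline."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual != expected:  # covers both a wrong value and a missing setting
            sev = "critical" if key in critical else "warning"
            findings.append(Drift(host, key, expected, actual, sev))
    # Settings present on the host but absent from the baseline are unreviewed changes.
    for key in sorted(set(observed) - set(baseline)):
        findings.append(Drift(host, key, None, observed[key], "warning"))
    return findings


def check_fleet(fleet: Dict[str, Dict[str, str]],
                baseline=BASELINE, critical=CRITICAL) -> Dict[str, List[Drift]]:
    """Check every host; returns {host: [Drift, ...]} for hosts that drifted."""
    report = {}
    for host, observed in fleet.items():
        drift = check_host(host, observed, baseline, critical)
        if drift:
            report[host] = drift
    return report


def has_critical(report: Dict[str, List[Drift]]) -> bool:
    """True if any host in the report carries a critical deviation."""
    return any(f.severity == "critical" for fs in report.values() for f in fs)


# Constructed sample fleet: one compliant host, one with a critical change,
# one with a missing setting plus an unreviewed extra setting.
SAMPLE_FLEET = {
    "hv-01": dict(BASELINE),
    "hv-02": {**BASELINE, "sshd.PermitRootLogin": "yes"},
    "hv-03": {**{k: v for k, v in BASELINE.items() if k != "kernel.randomize_va_space"},
              "debug.shell": "enabled"},
}

if __name__ == "__main__":
    for host, findings in check_fleet(SAMPLE_FLEET).items():
        for f in findings:
            print(f"{f.severity.upper():8} {host} {f.key}: "
                  f"expected={f.expected!r} actual={f.actual!r}")
```

Running the module prints one line per deviation; a scheduler would run `check_fleet` against freshly gathered settings and page on `has_critical`, while warnings feed the change-control review the article goes on to recommend.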
Hybrid cloud deployments are considered to be a fairly new development. Because they involve the use of both public and private cloud models, they can carry the risks that each model brings. However, they can also bring some new risks and challenges. While it is easier to migrate data from a private cloud to a public one, concerns can arise over data privacy and integrity, as controls may vary significantly from one environment to the other. It can also be problematic to ensure that security policies are consistent across both environments, such as how encryption keys are handled, and achieving that consistency may be even harder if the private and public cloud environments are offered by different service providers, especially for hosted private clouds.
Recommendations for Reducing Cloud Risks
Whatever cloud computing model an organization decides to deploy, it is essential that it performs its own due diligence and risk assessments prior to launching any such services. According to TechTarget, the following ten categories should be part of any cloud computing risk assessment, which can be used either to compare the offerings of different cloud services providers, or to help in the choice between public cloud and internal private cloud:
- Effectiveness of controls—do current controls provide adequate protection for the data or service your organization is considering hosting in the cloud? Items to consider include adequate provision for separation of duties among the provider’s personnel to limit the number who can access sensitive data.
- Auditing and oversight—evaluate how auditing and administrative changes are performed. Changes can be evaluated by requesting and evaluating change-control logs to ensure that they were tested by appropriate personnel.
- Technical security architecture—items to evaluate include firewalls, VPNs, patching, intrusion prevention, network segregation, programming languages and web application frameworks in order to ensure that the environment matches your organization's business requirements.
- Data integrity—how is each customer’s data segregated in a multi-tenant environment involving shared hardware, and does this match your organization's security and compliance requirements?
- Data encryption—how is encryption implemented for both data in transit and data at rest, and is this sufficient for your organization's security and compliance requirements?
- Operations security—evaluate the provider’s disaster recovery and business continuity plans to ensure they provide adequate protection. How often are plans tested, and does the data centre have enough redundancy for business needs?
- Standardized procedures—evaluate standardized procedures such as offsite tape backup procedures or background pre-employment screening. How are the interests of customers represented during a legal investigation or subpoena request?
- Business stability—what is the current financial condition and history of the cloud computing provider? Service providers that are private companies will require more investigative effort than those that are public.
- Intellectual property—evaluate potential issues regarding the hosting of business data with a service provider, including factors such as ownership, return and deletion of data after the contract expires.
- Contractual language—have legal resources review the contract to ensure that the contractual language is meaningful for all categories above. Ensure that the contract specifies how security protections will be communicated to the organization, and what the penalties are for non-compliance.