Cloud Risk Checks

Private cloud computing is perceived by a lot of companies as an optimal way to realise most of the benefits that are promised by cloud computing while at the same time assuming a more manageable risk profile. In this article, we list some of the more important risks that are inherent in private cloud computing and that need to be managed by the consumers of the private cloud.

Private Clouds

Private clouds are operated ‘solely for an organisation’, excluding other organisations, implying the fullest control. The two primary reasons for deploying private cloud are:

  1. Guarantee of capacity. A private cloud can be guaranteed to be available to its consumers, in a way that a public cloud cannot be; and
  2. Security. The data in, and communications with, a private cloud can be subject to more controls than would be possible in a public cloud.

These reasons lead to different requirements and potentially different private cloud set-ups and control sets. Two example private cloud scenarios on opposite sides of the spectrum are:

  1. IaaS (Infrastructure as a Service) workloads on hardware managed by, owned at, and located at the cloud consumer. This has the fullest control, but without the benefit, of reduced capital expenditure; and
  2. IaaS workloads on hardware managed by, owned at, located at a private cloud provider. The provider guarantees hardware and network isolation for a particular consumer. There is less control here, but potentially more flexibility.

For a private cloud deployment to succeed and be beneficial to the organisation’s goal, a number of critical risks need to be addressed. In the remainder of this paper, we focus on the risks that are associated with private cloud deployment. Some of these also apply to other cloud deployment models.

With off-premise cloud deployments, network issues become more important.


To realise the benefits of private cloud (agility, flexibility, better utilisation), the following risks need careful consideration.

1.Virtualisation management plane

Server virtualisation introduces a management plane that controls the hypervisor and networking. The access keys to the management plane are the ‘keys to the kingdom’. A single administrator might now control the company’s entire server farm, where this was not necessarily possible before.

2. Consolidation

The management plane risk, is in fact, an example of a range of consolidation risks: risks that arise out of consolidating resources to a single entity.

  • A single failure can now impact a much bigger part of the infrastructure;
  • Multi-tenancy implies that one tenant might impact another tenant;
  • and Consolidation leads to more automation, which implies that the effect of a human error can be much larger.

3. Off premise network risks

With off-premise cloud deployments, network issues become more important.

  • Bandwidth is the amount of data that can be transmitted in a given time. Bandwidth on wide area networks is typically much lower and more expensive than on local area networks potentially leading to application performance problems;
  • Delay is the amount of time it takes for data to be transmitted. Delay in audio is audible as echo. Similarly, some applications are very sensitive to delays, and the further away they are placed geographically, the less usable they will become;
  • Redundancy of network connections has to be engineered and checked. There are too many cases where an unknown single point of failure still exists;
  • Security. Network connections can potentially be tapped and listened in to. In reality, this is not very easy to do, but the risk may need attention anyway.

4. Licensing

A packaged software application often has a licensing scheme that is tied to the physical hardware that it runs on. Virtualising these servers may be technically infeasible, or lead to extreme licensing cost.

5. Technology

Private cloud technology is fairly complex. Virtualisation alone brings a lot more ‘moving parts’ to the table. Choosing the wrong virtualisation technology can hinder scalability and result in vendor lock-in. But virtualisation alone is not enough: management tools are not optional but required.

6. Deployment process

One of the desired business benefits of private cloud can be quicker deployment of servers, application clusters, and similar infrastructure. It typically requires drastic reengineering of service management processes to realise the benefits.

7. Provider risk

A fully owned and operated private cloud is just one of the options. Practically, it makes sense to outsource a lot of the assets and work. Outsourcing introduces third party risks, and these will have to be managed. Can the provider enable the customer’s cloud strategy, so they can can reap the benefits (i.e. scalability, flexibility, opex/capex, financial commitments, control over technology selected)?

Can the provider enable the consumer’s security strategy, so they can be safe and compliant? Tools for that include contracts, right to audit, SLA and governance controls (such as CSA Cloud Control Matrix, ISO 20000 service management, ISO 27000 IT security Management System). Can the incident response processes be suitably integrated? Who is responsible for patching operating system images?

How much are the customers locked in to the vendor? Is there a suitable exit strategy? How does the business continue if the provider suddenly stops, or refuses to serve the consumer any longer?

8.Capacity management

Cloud Computing brings new challenges in capacity management. The business case for private cloud often depends on reducing capacity and increasing the amount of sharing. This takes more management.

  • Virtualisation is harder to manage technically: more moving parts, more automation, less visibility, less overcapacity. There are more KPIs to watch;
  • Organisational. The most important issue is when sharing crosses organisational boundaries. This brings resource conflicts to new levels of management. Instead of fighting over who gets a new server next year, the issue is who gets the CPU and memory in the next hour. In addition, fair cross charging for resources is likely to become more important as well as more complicated.

9. Compliance risk

In a regulated industry such as healthcare or finance, there are likely to be fairly strict rules on the way IT infrastructure is organised. This may be a compliance risk. The regulator may require each function to be on a separate machine. Could that be a virtual machine?

10. People skills

In summing up, we see that private cloud deployment requires more technology and more processes. In turn, this implies more skills and competences to possess, and new roles to be filled. Without proper attention to these, a private cloud deployment runs the risk of not fulfilling its strategic business goals, and might even expose the organisation to new risks.

Cloud Resources

Cloud computing is a new and developing field. Who can be your guide?

One of the desired business benefits of private cloud can be quicker deployment of servers, application clusters, and similar infrastructure. It typically requires drastic reengineering of service management processes to realise the benefits.

Vendors publish lots of white papers. Some of these are very interesting and educational. However, there is a lot of cloud washing going on, and the vendors’prime interest is selling something to you.

Training courses and seminars. There is some training available in the market, both vendor-neutral and vendor specific. Increasingly, this training leads to industry recognized certifications. Two examples are the Cloud Credential Council and the Cloud Security Alliance.

The Cloud Credential Council is focused on developing certification specifications, and does not itself develop training material. The most relevant certifications right now are CompTIA Cloud Essentials and Virtualization Essentials.

CSA is a vendor-neutral, industry backed, international group. In the area of cloud governance and risk management it is probably the most advanced and practical. The CSA guidance document, and the Cloud Control Matrix are actively developed and used in the cloud community. CSA has also developed the Certificate of Cloud Security Knowledge (CCSK).

There are no comments

Add yours

This site uses Akismet to reduce spam. Learn how your comment data is processed.

freshmail.com powered your email marketing