adam's notes

Cloud Computing Risks by Deployment Model

Private Cloud Risks

  • private cloud can be implemented by an organization running its own data center or hosted by a cloud provider
  • hardware in a cloud provider data center can be owned by:
    • the cloud provider
      • granted exclusive access to customer
    • the cloud customer
      • known as a colocation (co-lo) center
  • better option for customers in highly regulated industries or that process a significant amount of sensitive information

Risks

  • Personnel threats
    • includes both inadvertent and malicious threats
    • if a managed provider/data center is used, provider’s administrators are outside customer’s control
  • Natural Disasters
    • can destroy entire data center
  • External Attacks
    • unauthorized access
    • eavesdropping
    • DDoS
    • etc.
  • Regulatory Noncompliance
    • customer has more control over controls
    • but regulations still apply and carry risk
  • Malware
    • can be external or internal threat
      • depends on source of infection
  • none of these risks are unique to private cloud, though
    • but customer has greater control over mitigations

Community Cloud

  • resources are shared and dispersed among an affinity group
  • Benefits come with risks:
    • Resiliency through Shared Ownership
      • [p] environment is more resilient
        • due to operations shared among members
        • environment can survive loss of many nodes
      • [c] risk is that each node is a point of entry
      • [c] unity of configuration management and baselines is difficult
      • [c] distributed owners = distributed decision-making in policy and administration
    • Shared costs
      • [p] overhead and cost of infra is shared by members
      • [c] access and control are shared too
    • No Need for Centralized Administration for Performance and Monitoring
      • [p] Removes burdens of centralized management
      • [c] but also removes the reliability and homogenized standards for performance and security monitoring

Public Cloud

  • [c] has same risks as private cloud:
    • insider threats
    • external threats
    • natural disasters
    • etc.
  • [c] lack of control, oversight, audit, enforcement capabilities
  • Public cloud specific risks:
    • [c] Vendor lock-in
      • dependence on the cloud provider
      • can be costly to move away
      • contract obligations
      • use of proprietary data formats that aren’t support by other providers
      • regulatory constraints
      • portability describes the general level of ease or difficulty in transferring data out of a cloud provider’s datacenter
        • Increase portability of data:
          • Ensure favorable contract terms for portability
            • consider an exit strategy
              • reduced rate trial period
              • what is penalty for early termination
              • difficulty in data transfer at end of contract?
          • Avoid proprietary formats
            • ensure raw data is available
              • may involved using a conversion process before moving data out
          • Ensure no physical or technical limits
            • sufficient bandwidth
            • ensure new provider can handle size of import
          • Check for Regulatory Constraints
            • ensure there are more than 1 CSPs that can handle your compliance requirements
    • Vendor lock-out
      • caused when a provider goes out of business, is acquired, or otherwise ceases operations
      • concern is whether customer can readily access and recover their data
      • consider these factors:
        • Provider longevity
          • how long has provider been in business
          • what is its market viability
        • Core competency
          • can provider offer what you need
          • does it meet all service requirements
          • is cloud service central offering or additional function
        • Jurisdictional Suitability
          • what country is provider in
            • where is it chartered
            • where does it operate
          • where is long-term storage and backup capability
          • does data cross borders
          • can you use provider and remain compliant
        • Supply chain dependencies
          • does provider rely on other entities for critical functions
        • Legislative environment
          • are there statutes that may limit ability to use a cloud provider

Multitenant Environments

  • Specific risks to multitenant/public cloud:
    • Conflict of interests
      • provider personnel who administer your data should not be involved with competitors
    • Escalation of privilege
      • authorized users may try to acquire unauthorized privileges
    • Information bleed
      • possibility that information from one customer will be read or received by another
    • Legal activity
      • data and devices may be subpoenaed to seized as evidence or part of discovery
      • a particular device may contain data belonging to other customers

Hybrid Cloud

  • includes all the risks of the models it combines

Graph View

Backlinks