The Cloud provides a way of obtaining IT services that offers many benefits including increased flexibility as well as reduced cost. One of the primary benefits of the cloud is that it enables companies of all sizes to focus on the differentiating factors of their business as opposed to managing the IT infrastructure required to run it.
There are several types of cloud service and ways in which these services are delivered. The types of services range from IaaS (Infrastructure as a Service) which provides the basic computing infrastructure, through PaaS (Platform as a Service) which provides the tools upon which to build cloud applications to SaaS (Software as a Service) which provides an application. The delivery models range from Private cloud where the infrastructure used to deliver the service is dedicated to one customer through to Public cloud where the infrastructure is shared by all the customers. Many Cloud Service Providers (CSPs) now provide services that span the range of service types and delivery models.
When a customer uses a cloud service they give control of the management of that service to the CSP. The customer therefore needs assurance that the service they receive corresponds with that which they agreed to and are paying for. This is especially true for areas like security which are not immediately transparent. There is therefore an element of risk and choosing a cloud service involves assessing and managing this risk. In this report we have considered the five critical risks that a cloud customer faces, which are:
- Loss of compliance – many organizations depend upon their IT systems being in compliance with laws and regulations. Using a cloud service could put this at risk.
- Cyber Risks – there are a large variety of ways in which there could be unauthorized access to a customer’s data held in the service.
- Legal risks – the use of a cloud service may raise legal problems for the customer. One area of particular concern is around compliance with privacy laws; this involves contractual issues as well as an understanding of the legal requirements in different jurisdictions.
- Availability of service and data – the customer is dependent upon the availability of the cloud service and the data. Loss of access to the service or data can occur for a variety of reasons, some of which are technical and some due to other causes such as takeover or financial failure of the CSP.
- Lock in – there is a risk of the customer becoming locked into a particular CSP for contractual or technical reasons which make it difficult or expensive to migrate to another provider’s service.
Not all of these risks are under the direct control of the CSP; for example, it is up to the customer to identify the regulatory compliance needs for their data and to assure that these are met.
It is important that customers understand their business needs for a cloud service, the division of responsibility for security between themselves and the service provider and the scope of independent certifications to ensure that these cover their actual needs.