samedi 4 janvier 2014

Potential Risks and Issues of Cloud Computing

What caracterizes the Australia cloud computing strategy when I was studying it; is the risk-based approche followed by the government to define the cloud strategic direction paper.

Many governments are interested to know the potential risks and issues of cloud computing.

Government agencies were designed to operate in a secure environment,so they need to fully understand the risks associated with cloud computing both from end-user and agency prespective.

Cloud computing is a new ICT sourcing and delivery model not a new technology, many of the risks and issues associated with cloud are also not new.

Depending upon the cloud model adopted, bellow some issue that shoud be understand and mitigate:

Application design
·         There may be less opportunity for customization of applications and services. This may increase complexity when integrating cloud services with existing legacy environments;
·         Applications (could be either SaaS or Line of Business applications, etc) will need to be treated at arms length from the infrastructure layer (IaaS);
·         Applications will need to be designed to accommodate latency; and
·         Existing software licensing models may not facilitate a cloud deployment.

·         Moving to a cloud environment will require more emphasis on business design where cloud services will interface/impact business systems;
·         Prior to making a decision to move to a cloud computing environment, agencies must address the impact on business processes and eliminate any technical barriers; and
·     Finance recommends agencies use an architectural framework to assist in identifying potential opportunities to deliver common and shared cloud services across agencies.
Business continuity
·         Because the cloud is dependent on internet technologies, any internet service loss may interrupt cloud services;
·         Due to the dynamic nature of the cloud, information may not be immediately located in the event of a disaster; and
·         Business continuity and disaster recovery plans must be well documented and tested.

Data location and retrieval
·         The dynamic nature of the cloud may result in confusion as to where information actually resides (or is transitioning through) at a given point in time;
·         When information retrieval is required, there may be delays impacting agencies that frequently submit to audits and inspections; and
·         Due to the high availability nature of the cloud, there is potential for co-location of information assets with other cloud customers.
Funding model
·         Due to the cloud’s pay-per-use model, some part of ICT capital budgeting will need to be translated into operating expenses (OPEX), as opposed to capital expenditure (CAPEX), which may have different levels of authorizations to commit expenses and procure services.
Legal & regulatory
·         Need to have the ability to discover information under common law;
·         Need to be aware of Australian legislative and regulatory requirements including Archives Act, FOI Act and Privacy Act;
·         Need to be aware of data sovereignty requirements;
·         Need to be aware of legislative and regulatory requirements in other geographic regions, as compliance may be a challenge for agencies;. and
·         Little legal precedent exists regarding liability in the cloud and because of this, service agreements need to specify those areas the cloud provider is responsible for.
Performance and conformance
·         Need to ensure that guaranteed service levels are achieved. This includes environments where multiple service providers are employed (e.g. combined agency and cloud environments). Examples include:
o     Instances of slower performance when delivered via internet technologies;
o    Applications may require modification;
o    Monitoring and reporting are adequately delivered for the period between service introduction and exit; and
o     Failure of service provider to perform to agreed-upon service levels.
·         Risk of compromise to confidential information through third party access to sensitive information. This can pose a significant threat to ensuring the protection of intellectual property (IP), and personal information.
·         Damage to an agency’s reputation resulting from a privacy or security breach, or a failure to deliver an essential service because risk was inadequately addressed must be considered for cloud computing applications.

Skills requirements
·         A direct result of transitioning to a cloud environment means:
o    Less demand for hardware and system management software product-specific skills; and
o    More demand for business analysts, architects, portfolio and program and change managers, and vendor/contract managers.

·         Must ensure cloud service providers and their service offerings meet the requirements of the Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM) and the Privacy Act 1988; and
·         With cloud computing, an agency may have limited ability to prescribe the protective security of the cloud environment. Yet agencies will remain ultimately responsible for the information that is stored and/or processed in the cloud. Management must maintain assurance that the security of the cloud service provider is in accordance with the PSPF.
Service provision
·         Reputation, history and sustainability should all be factors to consider when choosing a service provider;
·         Agencies should take into consideration the volatility of the growing cloud computing market; and
·         Agencies should ensure they address portability of data in the case of service provider failure.
Strategies for open standards, interoperability, data portability, and use of commercial off the shelf (COTS) products are required for reducing the risk of vendor lock-in and inadequate data portability. Examples include:
·         A cloud provider decides to no longer stay in business, an agency’s data/application/processes must be able to be moved to another provider; and
·         Certification of projects by vendors for prescribed platforms and versions.

Aucun commentaire:

Enregistrer un commentaire