Cloud computing is easily the highest-rated topic in current technology design, implementation, and control. No successful enterprise will avoid the use of virtualization.
In fact, it is unlikely that any business today can accurately claim to be virtualization free, which makes understanding the risk model all the more critical.
The benefits of cloud computing are directly tied to the type of cloud service or virtual service in use, and each type creates both opportunities and risk.
(Definitions and concepts are graphical representations and summaries of content now offered through CompTIA Cloud Essentials, CobiT 5 from ISACA, Virtualization Essentials from ITpreneurs and Cloud Security Alliance materials as produced by their respective committees. EnterpriseGRC Solutions is here to train and to facilitate your implementation of these core concepts.)
Cloud computing, on its own, is a benign concept, identified as having these five attributes:
- priced according to recurring subscriptions or usage-based charges, rather than having an up-front cost.
- delivers IT capabilities that scale with demand, rather than being defined by a fixed set of assets.
- is delivered as a well-defined service, instead of as a product that needs system administrators and maintenance.
- is typically based on the open Internet technology, which increases its interoperability.
- enables resources to serve multiple needs for multiple consumers, rather than dedicating resources for individual infrastructure, software, or platforms.

- Virtualization: Abstracts compute services away from their physical hardware and allows them to be treated as data. (The technology)
- Cloud: Builds on this abstraction by allowing services to be flexible, sourced from a number of providers and delivered over a number of channels. (The business)
- Asset Efficiency: The savings that result from buying, housing, and supporting fewer devices (a.k.a. the benefit of virtualization).
As identified by ISACA (Information Systems Audit and Control Association), the following attributes of cloud computing should be categorized under Business Impact and Risk:
- Applications processed in the cloud have similar implications for the business as traditional outsourcing. These include:
  - Loss of business focus
  - Solution failing to meet business and/or user requirements; not performing as expected; or not integrating with strategic IT plan, information architecture, and technology direction
  - Incorrect solution selected or significant missing requirements
  - Contractual discrepancies and gaps between business expectations and service provider capabilities
  - Control gaps between processes performed by the service provider and the organization
  - Compromised system security and confidentiality
  - Invalid transactions or transactions processed incorrectly
  - Costly compensating controls
  - Reduced system availability and questionable integrity of information
  - Poor software quality, inadequate testing and high number of failures
  - Failure to respond to relationship issues with optimal and approved decisions
  - Insufficient allocation of resources
  - Unclear responsibilities and accountabilities
  - Inaccurate billings
  - Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
  - Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
Common infrastructure benefits focus on availability, efficiency, and recovery. Still, with benefits and opportunities come technology, compliance, licensing and security risks.
- The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:
  - Servers and workstations are no longer tied to a particular, known location.
  - Releasing software patches is different in a virtual environment.
  - Backup and restore run from a central location, as opposed to executing on the machine.
  - Monitoring tools that are used to correlate hardware and software events may no longer understand where dependencies lie.
- In addition, each virtual platform has its own management tools, which need to be integrated into operations.
The following "Flash Cards" show some of the areas of learning you and your teams could achieve by participating in CompTIA Virtualization and Cloud Essentials certification.
EnterpriseGRC Solutions is ready to step you through your own Cloud and Virtualization training and even implementation program.
Please join EnterpriseGRC Solutions in being among California's Certified Cloud and Virtualization Leaders.
- Cloud Essentials Course™
- CompTIA Cloud Essentials™ Exam
- Virtualization Essentials Course™
- Virtualization Essentials Exam™
- Virtualization and Cloud Computing Awareness Course™
For additional study and background regarding the impact cloud has had on GRC, we strongly urge all of our readers to JOIN CSA and participate in your local chapters. Here's a taste of what running with local geniuses can bring: RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
Additional Critical Resources and Reading from NIST