Technology assessment and risk assessment for cloud computing / Jamieson T. Lim

Year : 2012

Number of Pages : 77 leaves

Adviser : Prof. Renato T. Goco and Prof. Glen A. Imbang 

Executive Summary

It is the humble recommendation of this special project that potential cloud customers need to be aware and be informed that there are several risks involved in going to cloud computing (just like any other new technology that comes with risks and other unknown factors). But these risks can be avoided by conducting risk assessment & employing the necessary risk management - which would identify the possible vulnerabilities (e.g. Data Loss/Leakage) of the system and perform a planned mitigation (e.g. Encryption of Data) and remediation of the identified potential security threat (risks). Cloud computing is an emerging technology which could replace traditional IT systems. It is currently being used by a lot of people without even knowing that they do. Let us think of social networking - Facebook, being the largest and most widely used social media platform, is also using cloud computing. In this caste it is Software as a service (SaaS) platform. All users of Facebook can use the "Facebook application" for their personal data, but in essence they are not able to change anything to this "application". The "application" is in complete control of the service provider, in this case Facebook. Cloud computing makes it possible for an organizations' (just like Facebook) IT to be more flexible, save costs and process information and data faster than with traditional IT as this will be further discussed and elaborated in the "Enablers of Cloud Computing and Business model for Cloud Computing". It is important to know that value can be added for (growing or upcoming) organizations through using cloud computing. Previous studies have already established the value of going to cloud computing, for example in India - the Bangalore eye hospital experiments with e-healthcare software, which uses a Software as a service (SaaS) application with a pay-as-you-go model via the "cloud" can help in sending real-time images instantly from anywhere using handheld devices (like iPhone) without having to host the software in the hospital. An even better example of this is in Singapore, their government adopts e-Services for its citizens. Popular eServices being hosted in "cloud" are their submission of online application forms for real-estate and apartment purchase, searching for information on schools, employment opportunities, career development, and voter registrations. The existing approach on going to cloud computing is mainly focused on one side of cloud computing-that is only identifying the benefits while giving a very little importance on the potential risks involve. Also, often this approach is focused on the cloud service vendors (providers) and not into a larger and diversified market of users (like Government / Industry / Academe). Cloud computing is a game changing phase of Information Technology (IT) that is not only influencing the way traditional computing services are and will be delivered but also the way in which users will use IT. The Cloud promises several benefits in commercial and technical terms as elaborated in our Technology Assessment but the challenges should also need to be considered as this will be discussed and elaborated in our Risk Assessment, while it's also important to do a careful planning for the Cloud technology adoption. Businesses will also need to redefine their business models to better reflect changing trends in the use of IT (i.e. Cloud services). As such, the roles of the leadership will also change to better reflect the realities of the Cloud computing Technology. Cloud computing promises good benefits including cost savings, improved business outcomes and improved business continuity for enterprises and government institutions. However, there is also a diversity of information security risks that need to be carefully considered. Risks that will vary depending on the perceived value of the data to be stored or processed and how the chosen cloud provider (also referred to as a cloud service vendor) has implemented their specific cloud services. Knowing the risks involved in this emerging discipline will be the first step towards a more reliable system. Adapting to cloud computing technology will be a complex decision involving many factors. Like, understanding the significance, consequence and importance of what they are moving into the cloud, their risk tolerance, which combination of cloud computing deployment models and service are acceptable. Potential customers should also need to have an idea of possible exposure points for their sensitive information (data) and sharing how their business operations to their cloud service providers. It is my hope that sharing information contained in this special project will help and guide government, organizations and academe to a better understanding on what questions to ask (see annex #A1) on the current recommended practices, and potential pitfalls to avoid in going to Cloud computing (see annex A # 2-5). Though assessment and risk assessment (security focused), we have attempted to bring greater clarity to an otherwise complicated landscape, which is often filled with incomplete and oversimplified information. For those intending or already considering adopting cloud computing technology, they would want to know the certainties of how this technology works, that it will really deliver all the benefits and profits being claimed by proponents, that it will save them money, time and effort. But like any good thing, there are things that the adopter must look out for- there are also disadvantages (one of which is exposure to possible loss of data) and becoming fully aware of these is important. The key motive for this paper is to give a glimpse of understanding on cloud computing as a new technology for this era. Its potential is considered so vast that it is surely going to give up a new dimension for the generation to come. By this it mean that the business model of an organization today will be change by how cloud computing will affect the value chain of their organization. So, in the long run, because every company (large, mid size or small) do not want to have the overhead cost associated with running a large IT department that is solely involved in sustaining existing enterprise application. The ability to outsource 'commoditized' IT infrastructure and contextual IT applications (like payroll, HR etc.) will enable the companies to focus on their core competency. More importantly, the IT department within the organization will be able to focus on aligning IT to the business needs. IT can focus on building applications that will create/sustain companies the core competency.