How Risk Management has become a critical element of Cloud Computing Security

The purpose of this article is to define cloud computing, including some of the current security issues within its structure.  Additionally, the article synthesizes recent literature about some of the most effective risk management practices within the cloud.

For the purpose of this article, the term “cloud” refers to a concept in technology and not to the weather, unless the context shows otherwise.  Cloud computing is a relatively new concept that IT professionals have interpreted in different ways.  The cloud enables the convergence of multiple software applications and other networking tools in a virtual environment that any authorized user can access from anywhere, as long as Internet connectivity exists.  This innovative technology has evolved from an idea into a reality in just a few years.  Just like any other information system tool or application, security and assurance are very important to the risk professionals who manage cloud environments.

The article will first define the cloud, including its background, characteristics, models, benefits, and challenges.  The article will then discuss some of the security issues that affect the cloud.  The article concludes by discussing which risk management practices are being considered and used to protect the cloud.

Cloud Computing

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources…that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell & Grance, 2011, p. 2).  Cloud computing provides applications as services over the Internet, along with the hardware and systems software that normally reside in local data centers.  Because of this shared virtual environment, which the IT world refers to as the “cloud,” neither the software nor the hardware that houses it needs to be part of the user’s local operating environment.  Some of the most common services in the cloud are e-mail, office software, and enterprise resource planning; they draw on an ever-present pool of shared technology resources that serves as many users as required.  The result is that users on the Internet communicate with many servers at the same time, while these servers automatically collaborate among themselves (Hayes, 2008).



The original idea of cloud computing dates back to the 1950s, when large computer mainframes, accessible via thin clients or emulation terminals, became available to universities and corporations.  This approach was costly and inefficient because of differences in usage demands.  Those who owned these computerized “beasts” began looking for ways to get the best return on their investment.  Rather than letting individual groups operate at a small scale while others waited in line, more users shared access to the computer from various locations and shared CPU time, a practice that helped eliminate inefficiencies.  As computers became more widespread, researchers and engineers looked for ways to make the capacity of larger computing systems available to more users through time-sharing (Corbató, Daggett, & Daley, 1960).  Other scholars have shown that cloud computing’s roots go all the way back to the 1950s, when scientists like Herb Grosch, author of Grosch’s law, postulated that the entire world would operate on dumb terminals powered by about 15 large data centers (Ryan, Merchant, & Falvey, 2011).  Another scholar, McCarthy, suggested in the 1960s that “computation may someday be organized as a public utility” (2011).


The literature also shows that the origin of the term cloud computing is still unclear, but it seems to derive from the practice of drawing sketches or diagrams in which clouds represented computing networks and other types of technology.  In 1997, cloud computing was recognized as a “new computing paradigm where the boundaries of computing will be determined by economic rationale rather than technical limits alone” (Chellappa & Gupta, 2002, p. 118).  One company that has pioneered the use of cloud computing as part of its business is Amazon, which has played an important part in the development of cloud computing by revolutionizing the way its data centers operate, maximizing utilization with similar or less capacity than before adopting this approach.  In 2006, Amazon began developing a new line that provides cloud computing services to external customers and named it Amazon Web Services (AWS) (, 2012).

Cloud Computing Characteristics

NIST identifies five characteristics that separate cloud services from conventional computing approaches (Caytiles & Lee, 2012).  The first of these characteristics is called on-demand self-service.  Customers can individually establish required computing capabilities, such as server time and network storage, without the need to contact a service provider (Badger, Grance, Patt-Corner, & Jeffery, 2012).  On-demand self-service is a vital piece of the total cloud computing environment; nevertheless, it is equally important that businesses have reliable metrics that give decision makers the information they need to determine whether the utilization of on-demand services is balanced.  On a public cloud, anyone with a credit card can procure the services as needed.  On a private cloud, users can access services with proper authentication.  Additionally, correct user validation can establish what level of service the user is authorized to access.  Common risks associated with the use of on-demand self-service in the private cloud are authentication, authorization, and role assignment, both for those who require access to the services and for those who manage the access (Badger, Grance, Patt-Corner, & Jeffery, 2012).  For example, users that request resources from the private cloud may be part of the IT department itself, acting on behalf of a client from a business unit in need of services from the cloud.  If some services are not available at the time, the IT unit can make new infrastructure resources available much faster than in a more traditional architecture.  The IT unit can establish additional virtual servers and storage services in a short time rather than the days or even weeks it can take to order and implement a physical server and storage, enabling the IT department to deliver a much better service to business units within the organization.  It is critical for the CIO and risk management subject matter experts, such as chief risk officers, not to sacrifice the security of the network for capacity and efficiency.  Risk management and IT assurance must remain high priorities for the organization’s decision makers.  This and other security topics will be discussed later in the article.  More capabilities can result in additional challenges to risk managers, addressed in the second characteristic of cloud services, broad network access.

With broad network access, resources become available to users throughout the network and are accessed through ordinary devices, which stimulates their use from a mix of thin and thick client platforms such as mobile phones, laptops, and PDAs (2012).  As demand for cloud access from mobile devices such as smartphones and tablets increases, so do the security risks that service providers must face.  Mobile devices are a conduit for threats across a much broader surface, not only from outside the organization but also from within.  Although the private cloud has more security controls in place than the public cloud when granting access to its environment, the need for security still exists because of other vulnerabilities introduced when the private cloud reaches out to the external world.  Users can only do so much with the limited resources found inside the private cloud.  It is still necessary for users to be able to access some public resources in order to perform activities that the private cloud alone may not support.  Threats found through broad network access may require additional authentication based on the location of the user or client, and control of application data such as personally identifiable information, company confidential information, and publicly available information.

The third cloud characteristic identified by NIST is resource pooling.  This process automatically assigns and reassigns resources according to consumer demand, pooling them from different areas and distributing them to serve multiple consumers in a multi-tenant model with different physical and virtual resources.  There is a sense of transparency in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction.  Examples of these resources include storage, processing, memory, network bandwidth, and virtual machines.  Attackers can try to exploit a security weakness in a low business impact service that runs on the same physical layer as a higher impact service.  Even risks with a low business impact must therefore be addressed with the same importance as those with a higher business impact.  An attack may involve trying to gain access to the high business impact service’s data, or simply making the high value service unavailable by overloading the low value service.  Management needs to address this by dividing the infrastructure into pools so that hosted applications can be segregated, for example by running high business impact applications and services in their own pool.  That pool may have more stringent security controls applied at the infrastructure layer, or might only run applications and services with integrated security controls.  This arrangement might affect service billing, with high security pools demanding premium billing.  Note, however, that the resource pool approach may limit the efficiency of resource allocation in the private cloud and adds to the overall complexity of the solution.  Limits should also be specified on the type of application allowed to run in the private cloud; for example, no services classified as high business impact may run on the private cloud infrastructure.
The infrastructure layer typically includes network traffic monitoring in network devices such as switches.  This type of monitoring can identify unusual traffic that may indicate that an attack on the infrastructure is in progress or that some element in the cloud has been compromised.
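The two controls described above, role-based authorization of self-service requests and placement of workloads only into pools segregated by business impact, can be combined into a single admission check. The following is an added example written for this article, not code from the original or from NIST; the pool names, role assignments, control names, impact classes and sample requests are all constructed for the illustration.

```python
"""Admission control for a private-cloud self-service request.

Added example, not code from the article. It applies the two checks the text
calls for: the requester's role must be authorized for the workload's
business-impact class, and the workload may only land in a pool dedicated to
that class that carries the controls the class requires. Pool names, roles,
control names and the sample requests are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Tuple

# Business-impact classes in ascending order of sensitivity.
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}

# Infrastructure-layer controls each class must have (constructed names).
REQUIRED_CONTROLS = {
    "low": {"host-firewall"},
    "moderate": {"host-firewall", "flow-monitoring"},
    "high": {"host-firewall", "flow-monitoring", "encrypted-storage"},
}

# Constructed pools. Each pool hosts exactly one impact class, so a weak
# low-impact service never shares a physical layer with a high-impact one.
POOLS = {
    "shared-general": {"impact": "low", "controls": {"host-firewall"}},
    "moderate-segregated": {"impact": "moderate",
                            "controls": {"host-firewall", "flow-monitoring"}},
    "legacy-pool": {"impact": "moderate", "controls": {"host-firewall"}},
}

# Highest impact class each role may provision (constructed role assignments).
ROLE_MAX_IMPACT = {
    "business-unit-requester": "low",
    "it-operator": "moderate",
    "security-approved-operator": "high",
}

# Platform-wide limit of the kind the text suggests: no high-impact services
# on the private cloud at all.
PRIVATE_CLOUD_MAX_IMPACT = "moderate"


@dataclass(frozen=True)
class Request:
    requester: str
    role: str
    workload: str
    impact: str  # business-impact classification of the workload
    pool: str    # pool the requester asked for


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason names the first check that failed."""
    if req.impact not in IMPACT_RANK:
        return False, f"unknown impact class {req.impact!r}"
    role_limit = ROLE_MAX_IMPACT.get(req.role)
    if role_limit is None:
        return False, f"role {req.role!r} is not assigned to any impact class"
    # 1. Authorization: the role must be allowed to provision this class.
    if IMPACT_RANK[req.impact] > IMPACT_RANK[role_limit]:
        return False, (f"role {req.role!r} may provision up to {role_limit!r} "
                       f"workloads, not {req.impact!r}")
    # 2. Platform limit: some classes are kept off the private cloud entirely.
    if IMPACT_RANK[req.impact] > IMPACT_RANK[PRIVATE_CLOUD_MAX_IMPACT]:
        return False, f"{req.impact!r} workloads are not permitted on the private cloud"
    pool = POOLS.get(req.pool)
    if pool is None:
        return False, f"unknown pool {req.pool!r}"
    # 3. Segregation: the pool must be dedicated to exactly this class.
    if pool["impact"] != req.impact:
        return False, f"pool {req.pool!r} is dedicated to {pool['impact']!r} workloads"
    # 4. Controls: the pool must carry every control the class requires.
    missing = REQUIRED_CONTROLS[req.impact] - pool["controls"]
    if missing:
        return False, f"pool {req.pool!r} lacks required controls: {sorted(missing)}"
    return True, f"{req.workload} placed in {req.pool} for {req.requester}"


if __name__ == "__main__":
    sample = [
        Request("bob", "business-unit-requester", "team-wiki", "low", "shared-general"),
        Request("bob", "business-unit-requester", "payroll", "moderate", "moderate-segregated"),
        Request("ops", "security-approved-operator", "ledger", "high", "moderate-segregated"),
        Request("ops", "it-operator", "crm", "moderate", "shared-general"),
        Request("ops", "it-operator", "crm", "moderate", "legacy-pool"),
        Request("ops", "it-operator", "crm", "moderate", "moderate-segregated"),
    ]
    for r in sample:
        print(decide(r))
```

The order of the checks matters: authorization is decided before any placement detail is examined, so a requester who is not entitled to a class learns nothing about which pools exist or what controls they carry. The `legacy-pool` entry shows the case the text warns about, a pool nominally assigned to a class but missing the monitoring that class requires, and the check refuses it rather than silently weakening the segregation.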

The next characteristic described by NIST is rapid elasticity.  In the cloud environment, the term elasticity refers to the scalability of the network.  In traditional IT environments, scalability means upgrading existing conditions by purchasing newer hardware, but actual scaling up or down is not done very often.  Factors such as budget and time need consideration when planning these types of changes to the network.  In a traditional network environment, changes like these form part of a long-term investment.  Elasticity does the same for a cloud enterprise, but with sufficient flexibility to adapt to changes easily.  In a cloud environment, it is important to anticipate the demand for capabilities, in some cases automatically, so that these can be increased, or quickly scaled down if required.  Organizations need to keep track of reliable metrics that measure changes in demand for services from the organization itself as well as from customers.  The next characteristic discussed in the article allows organizations running a cloud computing business, or those running on the cloud, to know exactly the utilization rate at which the cloud environment is running.

The fifth and last NIST cloud characteristic is measured service.  Cloud systems engineers plan and design these networks to automatically control and optimize resource use by leveraging a metering capability that measures the need for more capacity for elements such as storage, processing, bandwidth, and active user accounts (Badger, Grance, Patt-Corner, & Jeffery, 2012).  The process is transparent to both users and the service provider.

Cloud Computing Models

Cloud computing has been broken down into service models.  The first model, Software as a Service (SaaS), as the name suggests, simply denotes applications provided to the consumer that run on a cloud infrastructure.  Applications such as word processors, email, databases, and others are accessible from different client devices through either a web browser or a program interface.  In this model, users have no management control over the networks, servers, operating systems, or application capabilities, with the possible exception of limited user-specific application configuration settings.

The second model, Platform as a Service (PaaS), fits better in organizations that require some control over individual applications or tools such as programming languages, libraries, services, and other tools supported by the service provider.  The organization does not manage or control the underlying cloud infrastructure of network, servers, operating systems, or storage, but has control over the deployed applications, as well as configuration settings for the application-hosting environment.

The third and last model is Infrastructure as a Service (IaaS).  IaaS encompasses capabilities such as storage, networks, and other essential computing resources on which users can deploy and run any software, including operating systems and applications.  Although users do not manage or control the underlying cloud infrastructure, they have control over operating systems, storage, and deployed applications, and even some limited control of select networking components such as host firewalls.

All the aforementioned characteristics and models give a better understanding of what cloud computing is made of and how it is supposed to work.  So far, in comparison with traditional network infrastructures, the cloud offers more flexibility as well as potential benefits.  The next section will expand on those benefits as well as some of the challenges faced by organizations operating, or considering operating, under the cloud concept.

Benefits and Challenges of Cloud Computing

Benefits of Cloud Computing

Organizations and enterprises constantly make technology innovation one of their highest priorities.  Before another company can come up with the next better idea, companies face the challenge of beating their competition before the competition beats them.  Driven by the pressure to cut costs and grow simultaneously, they realize that it is not possible to succeed simply by doing the same things better.  They know they have to do new things that produce better results.  Cloud computing infrastructures can allow enterprises to achieve efficiency with their IT hardware and software investments.  Cloud computing is an example of an ultimately virtualized system, and a natural evolution for data centers that employ automated systems management, workload balancing, and virtualization technologies (Xinlei & Yubo, 2010).  A cloud infrastructure can be a cost-efficient model for delivering information services, reducing IT management complexity, promoting innovation, and increasing responsiveness through real-time workload balancing.  Interest in cloud infrastructures continues to grow, and they continue to serve as platforms for innovation, especially in large businesses and particularly in countries that want to foster the development of a highly skilled, high-tech workforce (Sharma, Amit, Bhatt, & Amu, 2010).

Cost benefits seem to attract more IT clients to the use of cloud computing.  Cloud computing is a pay-as-you-go approach to IT, in which a low initial investment is required to get going.  Companies incur additional investments as system usage increases, and costs can decrease when usage decreases.  In this way, cash flows better match the total system cost (Armbrust et al., 2010).  The arrival of cloud services is essentially shifting the economics of IT.  Cloud computing mixes the best economic qualities of mainframe and client/server computing.  A significant economic benefit of the cloud is its capacity to handle the flexibility in resource exploitation generated by these elements (Fox, Gribble, Chawathe, Brewer, & Gauthier, 1997).  Many of these characteristics rely on the flexibility of the environment in which they operate.

Cloud flexibility allows IT groups to predict variations in the use of services early, so they do not have to rush to acquire additional hardware and software.  Cloud computing offers the flexibility to turn additional resources on or off when necessary, and to pay just for what is used.  Just as flexibility is so important and such a great benefit to those using cloud computing, how quickly these changes take place is also important, and is another benefit found in the cloud.

Cloud computing offers the flexibility to adapt quickly to changes and to implement those changes rapidly.  Requirements such as procurement and certification processes will become outdated.  The cloud environment offers a myriad selection of services, tools, and features, helping organizations get off the ground in a very short time.  In addition to the swiftness that cloud computing can provide to businesses, there are other benefits such as reliability, increased effectiveness, and energy efficiency.

Challenges of Cloud Computing

As the article has described so far, the potential benefits of cloud computing are remarkable.  While CIOs and IT executives are optimistic about these benefits, they remain cautious about a complete implementation because of some challenges that still exist.  Even though businesses are moving toward the values and benefits derived from cloud-based software and services, such movement is slow.  According to a survey conducted in June 2012 by Dimensional Research, of almost 350 CIOs and IT executives who participated, only 31 percent said their systems formed part of a cloud-based environment at the time of the survey (Hostanalytics, 2012).  The survey also revealed great optimism and high expectations among CIOs and IT executives for cloud acceptance, but it showed some difficulties, including the anticipation that IT could end up operating cloud applications acquired by other business areas without input from IT.  Purchasing of such applications by business areas of the organization should be restricted or limited.  To overcome these and other hurdles to adoption, good communication is crucial, and it must start at the top of the organization.

The federal government promotes cloud computing in many ways (Kundra, 2011).  While progress seems evident, there are still some challenges that will slow down any new progress.  One of these challenges is cloud security requirements.  Cloud retailers may not recognize what security specifications may be required for a particular client, such as a federal government agency that must continuously monitor and maintain an inventory of IT systems.  It would be difficult to keep track of this type of inventory in an environment like the cloud, where services or tools can be turned on or off in a matter of minutes or seconds.  Overlooking the strategy and provisioning for cloud governance and standards can result in costly modifications to existing infrastructure.  For example, new tools or services will not work with older legacy tools if a newer standard does not account for those legacy tools.  It is important that organizations like the National Institute of Standards and Technology (NIST), the European Telecommunications Standards Institute (ETSI), the Open Grid Forum (OGD), and similar forums continue the work toward a unified standardization of cloud computing.  While these and other groups continue to work on the establishment of a uniform and controlled cloud environment, security challenges continue to emerge and add to the already existing complexity of this extraordinary but challenging technology revolution.

Risk Management in the Cloud

Effective risk management practices are crucial for operating and maintaining a secure cloud computing solution (Jansen & Grance, 2011).  Security and privacy processes require that risk managers oversee the organization’s information system networks and evaluate the policies, standards, procedures, and guidelines used to establish and preserve the confidentiality, integrity, and availability of information system resources (2011).  From a risk manager’s point of view, evaluating and administering risk in a cloud computing environment can be very challenging (2011).  As mentioned before, the cloud computing setting can be complicated in terms of security management.  Managers measure and analyze risk by making both qualitative and quantitative factors part of the process (2011).  This provides a complete interpretation of the results obtained and gives managers better confidence about the security of the network.  Before accepting any risk, managers cautiously take into consideration any existing defensive mechanisms and implement the processes needed to reduce risk to an adequate level.  After accepting some level of risk, managers must ensure that the necessary security and privacy controls are in effect, that they operate as intended, and that they meet their requirements.  Following this course helps establish a level of confidence in the cloud service environment and in the security controls applied to defend the organization’s data and applications, and, more importantly, gives an indication of the effectiveness of those controls (NIST, 2010).  On occasion, verifying an acceptable operational condition of the network or a portion of it, and the success rate of implemented security controls, may not be achievable; nevertheless, other factors such as external inspections may be used to create such confidence.  If the level of trust in the service falls below expectations and the organization is unable to employ compensating controls, it must either reject the service or accept a greater degree of risk (Jansen & Grance, 2011).  Cloud computing relies on unique security controls for every component of the cloud environment, especially those for self-service, partitions, storage tracking, and many other applications and tools.  Several interfaces and service removals contradict the intrinsic difficulty that influences security.
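The decision rule described above, in which existing defensive mechanisms are credited first, compensating controls are tried next, and the organization otherwise rejects the service or formally accepts a greater degree of risk, can be carried through on a small risk register. The following is an added example for this article, not code from the original or from the NIST guidance it cites; the risks, the control effectiveness figures, the qualitative ratings and the risk appetite are constructed values, and the annualized loss expectancy arithmetic is the standard SLE × ARO form rather than anything the article specifies.

```python
"""Risk register evaluation for a cloud service decision.

Added example, not code from the article. It carries out the process the
text describes: rate each risk qualitatively (likelihood x impact on a 1-5
scale) and quantitatively (annualized loss expectancy), credit the defensive
mechanisms already in place, and then decide whether to accept the risk,
accept it only with compensating controls, or escalate the choice between
rejecting the service and formally accepting a greater degree of risk. The
risks, control effectiveness figures and risk appetite are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    reduction: float  # fraction of the event rate the control removes (0..1)


@dataclass
class Risk:
    name: str
    likelihood: int  # qualitative rating 1..5
    impact: int      # qualitative rating 1..5
    sle: float       # single loss expectancy, in currency units
    aro: float       # annualized rate of occurrence, events per year
    existing: List[Control] = field(default_factory=list)      # already in place
    compensating: List[Control] = field(default_factory=list)  # could be added


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact, used to rank risks for management attention."""
    return risk.likelihood * risk.impact


def residual_aro(aro: float, controls: List[Control]) -> float:
    """Event rate left after each control removes its share (controls assumed independent)."""
    rate = aro
    for control in controls:
        rate *= 1.0 - control.reduction
    return rate


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy, rounded to cents."""
    return round(sle * aro, 2)


def decide(risk: Risk, appetite: float) -> Dict[str, object]:
    """Apply the accept / compensate / escalate rule against the risk appetite."""
    inherent = ale(risk.sle, risk.aro)
    with_existing = ale(risk.sle, residual_aro(risk.aro, risk.existing))
    with_all = ale(risk.sle, residual_aro(risk.aro, risk.existing + risk.compensating))
    if with_existing <= appetite:
        decision = "accept"
    elif with_all <= appetite:
        decision = "accept with compensating controls"
    else:
        decision = "escalate: reject service or accept greater risk"
    return {
        "risk": risk.name,
        "score": qualitative_score(risk),
        "inherent_ale": inherent,
        "residual_ale": with_existing,
        "residual_ale_with_compensating": with_all,
        "decision": decision,
    }


def evaluate_register(risks: List[Risk], appetite: float) -> List[Dict[str, object]]:
    """Evaluate every risk and order the results by qualitative score, highest first."""
    return sorted((decide(r, appetite) for r in risks),
                  key=lambda d: d["score"], reverse=True)


# Constructed register for a proposed private-cloud service.
REGISTER = [
    Risk("tenant data exposure through shared storage", 3, 5, 200_000.0, 0.5,
         existing=[Control("encryption at rest", 0.4)],
         compensating=[Control("customer-managed keys", 0.6)]),
    Risk("availability loss from a noisy low-impact neighbor", 4, 2, 30_000.0, 2.0,
         compensating=[Control("per-tenant rate limiting", 0.5)]),
    Risk("data location cannot be verified", 2, 5, 500_000.0, 0.2,
         compensating=[Control("contractual audit rights", 0.3)]),
    Risk("credential misuse through the self-service portal", 3, 3, 20_000.0, 1.0,
         existing=[Control("multi-factor authentication", 0.7)]),
]
APPETITE = 50_000.0  # constructed: maximum ALE per risk the organization will carry


if __name__ == "__main__":
    for row in evaluate_register(REGISTER, APPETITE):
        print(row)
```

The qualitative score only orders the register; the quantitative residual decides. Keeping the two separate matches the text's point that both factors belong in the process: a risk with a modest loss expectancy can still sit at the top of management's list because its impact rating is high, while the accept/compensate/escalate outcome follows from the numbers. The "escalate" result is deliberately not a decision the code makes on its own, since the text reserves that choice for the organization.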


In addition to maximizing effectiveness and minimizing costs through the implementation of good security measures, privacy must also be considered from the initial planning stage at the start of the systems development life cycle.  Attempting to address privacy after implementation and deployment is not only more difficult and expensive, but also more risky.  Although cloud computing can result in reliable storage of considerable amounts of data and savings in database management expenses, sharing that data with a third-party retailer and allowing it to obtain personal records raises doubts about privacy protection (Hayes, 2008).  Risk managers must be aware that the data privacy complications in cloud computing are the same ones long experienced in the field of data publishing.  An example of this type of attack is a record linkage attack: even when specific descriptors such as names and Social Security Numbers have been removed from the released data, the protection of personal privacy can still be defeated, because information such as zip code, gender, and date of birth can still identify individuals from the combination of these non-identifying attributes (Wang, 2010).
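The linkage risk described above can be measured before data is handed to a third party. The following is an added example for this article, not code from the original or from the cited work: it takes a released table from which names and Social Security Numbers have already been stripped, counts how many records share each combination of zip code, gender and date of birth (the k of k-anonymity), shows that a public list carrying names links back to the sensitive column when that count is one, and then generalizes the quasi-identifiers until no combination is unique. Both tables, the column names and the generalization rule are constructed for the illustration.

```python
"""Measuring re-identification risk in a 'de-identified' data set.

Added example, not code from the article. The released table has had names
and Social Security Numbers removed, as the text describes, but still
carries zip code, gender and date of birth. The functions count how many
records share each combination of those quasi-identifiers, show how a
public list with names links back to the sensitive column, and generalize
the quasi-identifiers until every combination is shared by at least two
records. Both tables are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

QUASI_IDENTIFIERS = ("zip", "gender", "dob")

# Constructed released table: direct identifiers already stripped.
RELEASED = [
    {"zip": "02139", "gender": "F", "dob": "1985-03-12", "diagnosis": "flu"},
    {"zip": "02139", "gender": "F", "dob": "1985-07-30", "diagnosis": "diabetes"},
    {"zip": "02139", "gender": "M", "dob": "1985-11-02", "diagnosis": "asthma"},
    {"zip": "02139", "gender": "M", "dob": "1985-02-01", "diagnosis": "flu"},
    {"zip": "02142", "gender": "F", "dob": "1990-01-15", "diagnosis": "flu"},
    {"zip": "02142", "gender": "F", "dob": "1990-05-20", "diagnosis": "hypertension"},
    {"zip": "02142", "gender": "M", "dob": "1990-09-09", "diagnosis": "asthma"},
    {"zip": "02142", "gender": "M", "dob": "1990-12-25", "diagnosis": "diabetes"},
]

# Constructed public list (the kind of roll that legitimately carries names).
PUBLIC = [
    {"name": "A. Example", "zip": "02139", "gender": "F", "dob": "1985-03-12"},
    {"name": "B. Example", "zip": "02142", "gender": "M", "dob": "1990-12-25"},
]


def equivalence_classes(records: Sequence[dict],
                        qi: Sequence[str] = QUASI_IDENTIFIERS) -> Dict[Tuple, List[dict]]:
    """Group records by their quasi-identifier values."""
    classes: Dict[Tuple, List[dict]] = defaultdict(list)
    for rec in records:
        classes[tuple(rec[c] for c in qi)].append(rec)
    return classes


def min_k(records: Sequence[dict], qi: Sequence[str] = QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class; the table is k-anonymous for this k."""
    return min(len(group) for group in equivalence_classes(records, qi).values())


def unique_fraction(records: Sequence[dict], qi: Sequence[str] = QUASI_IDENTIFIERS) -> float:
    """Share of records that are alone in their class, i.e. directly re-identifiable."""
    classes = equivalence_classes(records, qi)
    singletons = sum(1 for group in classes.values() if len(group) == 1)
    return singletons / len(records)


def link(public: Sequence[dict], released: Sequence[dict],
         qi: Sequence[str] = QUASI_IDENTIFIERS, sensitive: str = "diagnosis") -> Dict[str, str]:
    """Name -> sensitive value for each public record matching exactly one released record."""
    classes = equivalence_classes(released, qi)
    found: Dict[str, str] = {}
    for person in public:
        matches = classes.get(tuple(person[c] for c in qi), [])
        if len(matches) == 1:
            found[person["name"]] = matches[0][sensitive]
    return found


def generalize(record: dict) -> dict:
    """Coarsen zip to its first three digits and dob to its year (constructed rule)."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def generalized(records: Sequence[dict]) -> List[dict]:
    return [generalize(r) for r in records]


if __name__ == "__main__":
    print("released k =", min_k(RELEASED), "unique =", unique_fraction(RELEASED))
    print("linked:", link(PUBLIC, RELEASED))
    coarse = generalized(RELEASED)
    print("generalized k =", min_k(coarse), "unique =", unique_fraction(coarse))
    print("linked after generalization:", link(generalized(PUBLIC), coarse))
```

Running the block shows every record of the released table alone in its class (k = 1), so both public names resolve to a diagnosis; after generalization every class holds two records and no unique match remains. In practice the risk manager would run `min_k` and `unique_fraction` over the real quasi-identifiers before the data leaves the organization, and treat a k of 1 as a privacy control failure regardless of how many direct identifiers were removed.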

One of the processes risk managers use to protect the cloud network from attackers is compliance.  Organizations using the cloud need to comply with legal requirements, security standards, and regulations.  Compliance includes meeting the requirements of a recognized certification, standard, regulation, or law (Jansen & Grance, 2011).  Different forms of security and privacy laws and regulations exist in other countries, making compliance a more complicated issue for cloud computing (2011).

Another factor that needs consideration for cloud environment protection is data location.  Data location is one of the most common compliance issues facing an organization (Kandukuri, Paturi, & Rakshit, 2009).  The use of a traditional data center permits the organization to arrange its computing network and to identify with precision where data is stored and what defenses are in place to protect it.  By contrast, a usual characteristic of cloud computing services is that specific information about the location of the user’s data is unavailable or intentionally hidden by the provider (2011).  This condition raises questions about whether appropriate precautions are in place and whether the organization is in compliance with legal and other governing rules.  Once again, external inspections and security certifications can help with this issue, but cannot be the only solution (Jansen & Grance, 2011).  If any form of data traverses network boundaries, the governing statutes can be ambiguous and raise a series of questions about the security integrity of the network.  Therefore, restrictions on sensitive data crossing boundaries, as well as requirements on the protection afforded the data, have become the subject of national and regional privacy and security laws and regulations (2011).  Some of the concerns that remain to be addressed are whether regulations in the territory where the data was collected authorize such data to be transferred, especially if the laws no longer apply to the data after it crosses the boundary, and whether the laws at the destination present additional risks or benefits (2011).  For instance, some European information security laws may impose added requirements on the management of data transported to the United States (2011).
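The data-location concerns above can be turned into a check that runs over whatever inventory the provider or the organization's configuration records expose. The following is an added example for this article, not code from the original or from any provider: a residency policy states, per data classification, the jurisdictions in which the data may be stored and which cross-border transfers are allowed only with a documented safeguard, and the check reports every resource that breaks the policy, including resources whose location the provider does not disclose at all. The region codes, classifications, policy entries and inventory are constructed.

```python
"""Data-location compliance check over a cloud resource inventory.

Added example, not code from the article. A residency policy says where each
data classification may be stored and which transfers out of the origin
jurisdiction need an approved safeguard. The check walks a constructed
inventory and reports every resource the policy does not allow, treating an
undisclosed location as a finding in its own right, as the text suggests.
Region codes, classifications and the inventory are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed mapping from provider region codes to legal jurisdictions.
REGION_JURISDICTION = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "us-east-1": "US",
    "ap-south-1": "IN",
}

# Constructed policy: where each classification may live, and which
# destinations are permitted only when a transfer safeguard is documented.
POLICY = {
    "eu-personal": {"allowed": {"EU"}, "transfer_with_safeguard": {"US"}},
    "company-confidential": {"allowed": {"EU", "US"}, "transfer_with_safeguard": set()},
    "public": {"allowed": {"EU", "US", "IN"}, "transfer_with_safeguard": set()},
}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    region: Optional[str]            # None when the provider does not disclose location
    safeguard: Optional[str] = None  # reference to an approved transfer mechanism, if any


def check_resource(res: Resource) -> Optional[str]:
    """Return a violation reason, or None when the resource satisfies the policy."""
    rule = POLICY.get(res.classification)
    if rule is None:
        return f"unknown classification {res.classification!r}"
    if res.region is None:
        return "location not disclosed by provider"
    jurisdiction = REGION_JURISDICTION.get(res.region)
    if jurisdiction is None:
        return f"region {res.region!r} not mapped to a jurisdiction"
    if jurisdiction in rule["allowed"]:
        return None
    if jurisdiction in rule["transfer_with_safeguard"]:
        if res.safeguard:
            return None
        return f"transfer to {jurisdiction} requires an approved safeguard"
    return f"storage in {jurisdiction} not permitted for {res.classification}"


def violations(inventory: List[Resource]) -> List[Tuple[str, str]]:
    """(resource name, reason) for every resource that fails the check."""
    findings = []
    for res in inventory:
        reason = check_resource(res)
        if reason is not None:
            findings.append((res.name, reason))
    return findings


# Constructed inventory of the kind a provider API or CMDB export would yield.
INVENTORY = [
    Resource("hr-records-bucket", "eu-personal", "eu-west-1"),
    Resource("hr-analytics-replica", "eu-personal", "us-east-1"),
    Resource("hr-backup", "eu-personal", "us-east-1", safeguard="TRANSFER-REF-PLACEHOLDER"),
    Resource("marketing-site", "public", "ap-south-1"),
    Resource("finance-share", "company-confidential", "ap-south-1"),
    Resource("saas-mailbox", "eu-personal", None),
]


if __name__ == "__main__":
    for name, reason in violations(INVENTORY):
        print(f"{name}: {reason}")
```

The `safeguard` field is only a reference to a documented mechanism; the check confirms that one is recorded, not that it is legally sufficient, which remains a question for counsel and the external inspections the text mentions. A resource with `region=None` is reported rather than skipped, because a provider that will not say where data sits is exactly the situation the text identifies as a compliance problem.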

Risk managers worry about individual users and enterprises that benefit from storing large amounts of data or applications on a cloud (Caytiles & Lee, 2012).  On the other hand, issues such as network integrity, authentication, and digital rights still require much needed attention (2012).  On a mobile cloud, for example, users want assurance about the integrity of their information stored on the cloud, and that certainty relies on full authentication and verification of the user’s identity.  Different approaches have been proposed for preserving the integrity of information stored on the cloud.  For example, any information stored in the cloud by an individual or a group is digitally tagged to the user or users that stored the data, giving those users exclusive rights to access the information.  Different authentication mechanisms have been proposed by cloud computing experts to secure data access in a way suitable for mobile environments.  Some use open standards and even support the integration of various authentication methods.  Federal agencies have begun to take part in a global effort to establish better policies and standards for the cloud, especially those that affect security.  One of those agencies is the National Institute of Standards and Technology (NIST).  NIST published the reference Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144) (2010).  This reference gives a general idea of the security and privacy challenges that public cloud computing faces, and provides recommendations that organizations should consider when relying on cloud service providers to store data, applications, and infrastructure in a public cloud environment.  The document also directs the risk manager’s attention to threats, technology risks, and safeguards related to public cloud environments, in order to help organizations make better decisions about the use of this technology.
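One concrete way to "digitally tag" stored information to the user who stored it, as the paragraph above describes, is an integrity tag computed with a keyed hash under a key that belongs to that user. The following is an added example for this article, not code from the original or from any of the proposals it cites: each object is tagged with HMAC-SHA256 over the owner's identity, the object name and the content, and retrieval recomputes the tag and compares it in constant time, so a modified object or a tag lifted onto another user's namespace fails verification. The in-memory store, the master-key derivation and the sample objects are constructed; the choice of HMAC-SHA256 is this example's, not something the article specifies.

```python
"""Per-user integrity tags for objects stored in a cloud.

Added example, not code from the article. Every object a user stores is
tagged with HMAC-SHA256 under a key derived for that user, over the user id,
the object name and the content. Retrieval recomputes the tag and compares
it in constant time, so a modified object or an object claimed by a
different user fails verification. The store, master key and sample objects
are constructed; a deployment would hold the master key in a KMS or HSM.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class IntegrityError(Exception):
    """Raised when a stored object's tag does not match its content and owner."""


class TaggedStore:
    """In-memory stand-in for a cloud object store that keeps one tag per object."""

    def __init__(self, master_key: Optional[bytes] = None) -> None:
        # Constructed: the master key lives here only for the example.
        self._master = master_key if master_key is not None else secrets.token_bytes(32)
        self._objects: Dict[Tuple[str, str], Tuple[bytes, bytes]] = {}

    def _user_key(self, user: str) -> bytes:
        # Per-user key derived from the master key, so each user's tags are
        # under a distinct key without the store holding a key per user.
        return hmac.new(self._master, b"user-key:" + user.encode(), hashlib.sha256).digest()

    def _tag(self, user: str, name: str, content: bytes) -> bytes:
        # The tag binds owner, object name and content; NUL separators keep
        # the three fields from running into each other.
        msg = user.encode() + b"\x00" + name.encode() + b"\x00" + content
        return hmac.new(self._user_key(user), msg, hashlib.sha256).digest()

    def put(self, user: str, name: str, content: bytes) -> str:
        """Store content under (user, name) and return the hex tag."""
        tag = self._tag(user, name, content)
        self._objects[(user, name)] = (content, tag)
        return tag.hex()

    def get(self, user: str, name: str) -> bytes:
        """Return content only if its tag still verifies for this owner and name."""
        entry = self._objects.get((user, name))
        if entry is None:
            raise KeyError(f"no object {name!r} for user {user!r}")
        content, tag = entry
        if not hmac.compare_digest(tag, self._tag(user, name, content)):
            raise IntegrityError(f"tag mismatch for {name!r} owned by {user!r}")
        return content

    def verify(self, user: str, name: str) -> bool:
        """True when the object exists and its tag verifies."""
        try:
            self.get(user, name)
        except (KeyError, IntegrityError):
            return False
        return True

    # The two methods below model what a storage-side actor without the
    # user's key could do to the raw bytes; they exist so the checks can be
    # exercised, and a real store would not expose them.
    def storage_overwrite(self, user: str, name: str, content: bytes) -> None:
        _, old_tag = self._objects[(user, name)]
        self._objects[(user, name)] = (content, old_tag)

    def storage_copy(self, src_user: str, dst_user: str, name: str) -> None:
        self._objects[(dst_user, name)] = self._objects[(src_user, name)]


if __name__ == "__main__":
    store = TaggedStore()
    store.put("alice", "report.txt", b"q3 numbers")
    print("clean:", store.verify("alice", "report.txt"))
    store.storage_overwrite("alice", "report.txt", b"q3 numbers (edited)")
    print("after overwrite:", store.verify("alice", "report.txt"))
    store.put("alice", "notes.txt", b"design notes")
    store.storage_copy("alice", "mallory", "notes.txt")
    print("claimed by another user:", store.verify("mallory", "notes.txt"))
```

Two design points are worth noting. The user identity and object name are part of the tagged message, so a valid tag cannot be reused on a different object or by a different owner even if the content is identical. And `hmac.compare_digest` is used for the comparison so that verification time does not depend on how many leading bytes of a forged tag happen to match. A tag of this kind detects modification but does not prevent it; the text's point that integrity relies on authenticating the user still stands, since the per-user key is only as protected as the identity that unlocks it.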


This article defined cloud computing as a model that enables convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction (Mell & Grance, 2011, p. 2).  Before discussing some of the challenges in security and risk management, it seemed beneficial to give a historical background of the cloud, since this is such a new concept, including some of the cloud characteristics and models.

The article described the original idea of cloud computing dating back to the 1950s, when corporations and universities already had the idea of sharing resources located in a central location and accessed from separate premises.  At that time, it became a financial decision to try to obtain the best return on investment, which is why these organizations started offering their services on demand and to multiple users rather than to individuals.

The article discussed the five cloud computing characteristics identified by NIST, which separate cloud services from conventional computing approaches.  These characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

The article covered the three cloud computing models as they are known today.  Those models are Software as a Service (SaaS), which denotes the applications provided to consumers that run on a cloud infrastructure; Platform as a Service (PaaS), which is better suited to organizations that require more control over individual applications or tools such as programming languages, libraries, services, and other tools supported by the service provider; and Infrastructure as a Service (IaaS), which incorporates services such as storage, networks, and other essential computing resources on which customers can deploy and run any software, including operating systems and applications.

The article discussed some of the benefits and challenges of cloud computing.  One of the benefits discussed was that a cloud infrastructure is a cost-efficient model for delivering information services and reducing IT management complexity.  The cloud also allows the flexibility and adaptability to turn additional resources on or off when necessary.

Then the article discussed some of the challenges that cloud computing brings to IT and risk managers.  The lack of uniformity in cloud standards has become an important topic that some globally recognized organizations are currently addressing.  These organizations are the National Institute of Standards and Technology (NIST), the European Telecommunications Standards Institute (ETSI), and the Open Grid Forum (OGD).

Lastly, the article discussed some of the effective risk management practices currently being used in the cloud.  Senior executives are depending more on their CIOs and risk managers to keep the networks healthy and safe.  These experts have the responsibility to implement good security measures, such as compliance and authentication.

The cloud continues to evolve and with every day that goes by more advances are attained, and with these advances perhaps come more risk challenges.  The future of the cloud looks very promising but the risk and security threats may continue to slow down its progress.


REFERENCES

(2012). Amazon web services. Retrieved from

Armbrust, M., Stoica, I., Zaharia, M., Fox, A., Griffith, R., Joseph, A. D., . . . Rabkin, A. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50. doi: 10.1145/1721654.1721672.

Badger, M. L., Grance, T., Patt-Corner, R., & Jeffery M, V. (2012). Cloud computing synopsis and recommendations (NIST Special Publication 800-146). Retrieved from

Caytiles, R. D., & Lee, S. (2012). Security considerations for public mobile cloud computing. International Journal of Advanced Science and Technology, 44, 81-88. Retrieved from

Chellappa, R.K., & Gupta, A. (2002).  Managing computing resources in active intranets. International Journal of Network Management, 12(2), pp.117-128. doi: 10.1002/nem.427.

Corbató, F. J., Merwin-Daggett, M., & Daley, R. C. (1962). An experimental time-sharing system. Proceedings of the May, 1-3. doi:10.1109/85.145324.

Fox, A., Gribble, S. D., Chawathe, Y., Brewer, E. A., & Gauthier, P. (1997). Cluster-based scalable network services. SIGOPS Oper. Syst. Rev., 31(5), 78-91. doi: 10.1145/269005.266662.

Hayes, B. (2008). Cloud computing. Communications of the ACM, 51, pp. 9-11. Retrieved from

Ryan, P. S., Merchant, R., & Falvey, S. (2011). Regulation of the cloud in India. Journal of Internet Law, 15(4), 7. Retrieved from

(2012). Current trends in cloud adoption: A survey of CIOs and IT executives. Retrieved on November 7, 2012 from

Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing (NIST Special Publication 800-144). Retrieved from

Kandukuri, B. R., Paturi, V. R., & Rakshit, A. (2009, September). Cloud security issues. In Services Computing, 2009. SCC’09. IEEE International Conference on (pp. 517-520). IEEE.

Kundra, V. The White House, Federal Chief Information Officer. (2011). Federal cloud computing strategy. Washington, DC: Government Printing Office. Retrieved from

Mell, P. & Grance, T. (2011). The NIST definition of cloud computing (NIST Special Publication 800-145). Retrieved from

National Institute of Standards and Technology (NIST). (2010). Guide for applying the risk management framework to federal information systems: A security life cycle approach, Joint Task Force Transformation Initiative (NIST Special Publication 800-37, Revision 1). Retrieved from

Sharma, D. P., Amit, E., Bhatt, A. K., & Amu, E. (2010). Cloud computing: Business values, risk manifestation and assurance viewpoint (with special reference to the developing and under developed countries). Review of Business & Technology Research (RBTR), 3(1), 197. Retrieved from

Wang, H. (2010). Privacy-preserving data sharing in cloud computing. Journal of Computer Science and Technology, 25(3), 401-414. doi: 10.1007/s11390-010-9333-1.

Wang, X., & Tan, Y. (2010, October). Application of cloud computing in the health information system. In Computer Application and System Modeling (ICCASM), 2010 International Conference on (Vol. 1, pp. V1-179). IEEE.
