The rapid development of cloud computing has also brought many benefits to companies trying to refocus on key business goals, such as increasing the speed of product listings, increasing the competitive edge of companies, and reducing capital and/or operational costs.
In general, investing in cloud computing technologies such as software as a service (SaaS) or infrastructure as a service (IaaS) can reduce the demand for services in traditional information technology departments within the enterprise. Services that are managed by enterprise business units (such as training, human resources, payroll, and healthcare management) will also be phased out as cloud computing is used.
While investment capital and operational costs have decreased, the risk of cloud computing for information brokers in dark networks has increased. These malicious organizations will trade and sell all information, including personal identity, financial information and even intellectual property.
In the traditional sense, only the information stored inside the company is safe, so implementing cloud computing inevitably increases the risk of information disclosure. In addition, those who specialize in information intermediaries also make cloud-computing providers their target, because they have a good understanding of the information they control. In order to manage cloud computing risk, it is important to first understand what the risk is.
The ins and outs of cloud computing risk
The so-called risk, that is, we do not want the occurrence of the probability of events. In the area of information security, risk is the probability of a malicious or non malicious exposure to confidential information events, or threats to data consistency, and interference with system and information availability events. Any organization connected to the Internet is at risk, and they should consider the resilience of dark networks and the ability to expand private cloud computing and public cloud computing networks. Data exchange is legal and illegal, and an enterprise's Internet access provides an information transmission loop for legitimate data exchange (such as email, VPN, FTP, etc.) and hostile data exchange such as malware, information gathering and eavesdropping.
Hostile data exchange is not a data exchange that an organization or even an individual would like to have. Typically, the result is waiting for recovery downtime, loss of revenue, loss of data, impact on human capital, and related reputational damage. If an organization is a member of a regulated industry, the organization may be penalized for the cause of the hostile event. Even if companies are not penalized, they cannot afford the serious consequences of loss of customers and loss of confidence in business partners as a result of a security scandal.
All along, cloud computing has been advocating that we can do better and cheaper. You focus on your core business issues, and we manage your technology more cost-effectively and protect your data. While this may be true, cloud computing providers are facing the same challenges as other companies. Given its special business model, cloud computing providers may face more challenges than a typical enterprise. For example, cloud computing providers may cater to a niche industry, such as the credit card industry. If everyone knows that the cloud-computing provider has access to all the credit card information held by customers, it will be the target of a dark information broker. A successful hacker might benefit from an information broker peddling a customer identity or credit card or making a forged credit card.
The risk for cloud-computing providers is also among customers using cloud computing services. Regardless of the number of physical, logical, and virtual isolation and segmentation of the customer, the cloud infrastructure shares common energy, hardware, applications, and network resources. When a cloud computing service provider provides SaaS services, it trusts enterprise users and lets users ensure their user IDs and passwords are secure. Similarly, computing resources for accessing SaaS must also be secure. If an enterprise user is compromised, such as a user ID and password, a seasoned information collector might be able to access the SaaS application and determine how to access other customer data. In an instant, the confidentiality, integrity, and usability of other corporate users ' cloud computing environments are at risk.
The final risk lies in the level of cloud computing providers and their technical expertise. Suppliers are required to accept risk transfer and understand and comply with the relevant regulations. They also face the same challenges as all other businesses, especially attracting and retaining talent. When human capital is no longer a major factor in the success of cloud computing providers to attract and retain talent, the entire cloud computing environment is likely to collapse due to an ant colony. Lack of scalability, inability to provide a rich set of features, or inability to provide adequate security and privacy guarantees can affect the ability of cloud providers to attract and retain customers.
Risk transfer is an integral part of cloud computing, as suppliers must be committed to providing a certain level of service in the form of contractual agreements. Part of the service involves ensuring the security of information assets. If a bad event occurs because the cloud provider fails to conduct due diligence on industry best practices and regulations, it should be responsible for informing the person affected by the incident and launching the action. A cloud computing provider must be prepared to pass audits and certifications to confirm that its cloud computing infrastructure will remain available and secure. It must also be prepared to respond to security incidents. Even if their intentions are good, events such as the 0 vulnerability attack will occur and permeate the best security architecture.
It is also important to understand the necessary regulations. For privacy reasons, financial integrity and national security organizations usually have to comply with at least one rule. Most organizations have a number of rules to follow. Below, let's look at an example of a national organization that manages credit card data. The organization must comply with federal demands and specific regional regulations that may be stricter than federal law. Global organizations also need to add a layer of complexity, that is, they must abide by the laws of the United States and the countries in which they operate. Cloud-computing providers must have a big investment in understanding the rules and how to comply with them, because their violations also mean corporate user breaches, and they have the ultimate responsibility to provide compliance safeguards for their customers and regulations.
Three items of risk
Business experts understand and accept the risks associated with cloud computing customers and cloud computing providers. No matter what role you play, managing the potential events that you don't want to happen requires risk management. In the specific case of cloud computing, both sides of the risk management work is necessary, where both enterprise users and cloud computing providers must have a mature risk management plan. Maturity is demonstrated by a plan that is managed, has periodic reports, and maintains quantitative evidence of low risk status.
Risk management is achieved through three content: risk identification, risk assessment, and risk control.
• Risk identification-Enterprise users must be aware of the risks introduced through cloud computing investment. This allows the enterprise to ensure that the necessary business controls are implemented in the cloud computing services procurement process. In addition, appropriate procedures should be created and/or updated to support disruption events caused by cloud-related outages.
Cloud computing providers must identify risks to determine which cloud services it is best able to provide. Some suppliers may decide that they prefer to serve a particular industry, thereby becoming a niche supplier, thus reducing the regulatory environment. Providing cloud computing services to users in a variety of industries can be too risky.
• Risk assessment-An enterprise user must understand which of its assets is too valuable to risk outsourcing them to third-party service providers. Conversely, when a third party vendor's professionals are able to manage and protect data, this can help enterprise users realize that third party vendors can provide better services and protect the rich assets of the target.
• Risk control-Once the risk has been identified, assessed, and quantified, we can choose the appropriate control measures to facilitate risk control. In the cloud computing model, this is a responsibility that needs to be shared between customers and suppliers of cloud computing, so they should have complementary risk management procedures. Setting expectations for the application control of cloud computing vendors is the responsibility of cloud users. As cloud computing providers, they should ensure the implementation and maintenance of control measures according to user expectations and provide certification for service level agreements and compliance requirements control.
For some, cloud computing is risky because they believe that business users need to entrust their assets to third parties for care, maintenance, and protection. However, given the high level of recognition that cloud computing technology has gained in areas such as healthcare, E-commerce and government management, it is hoped that it will continue to feature as an outsourced technology that lowers costs and simplifies business operations. The first step in using cloud computing is to understand its risks and how risk management should be done.