Cloud Computing Risk Management: Trust But Verify

The reasons most IT and business leaders give for moving to cloud computing are at odds with its worst threats. Moreover, the top three cloud fears of IT and business leaders do not line up with the top three most likely cloud risks. If you fail to consider the most likely, highest-impact threats, you could suffer a devastating failure.

At a minimum, you must take into account that new operational costs will offset some savings. In the worst case, you could cost your firm its market position. You must prepare for cloud failures just as you prepare for power failures – it’s that important.

Service Catalog, Information Security, Event, Service Level, and Supplier Management processes are critical to your success. Develop service definitions to understand business requirements. Learn what a cloud offering must do for your firm using risk assessment. Select vendors based on your business-driven risk assessment. Manage vendor contracts tightly. Validate requirements and ensure customer and user productivity regularly. Obtaining the benefits of cloud computing requires IT and business leaders to work jointly, supported by strong IT Service Management (ITSM) processes.

What You Need to Know

  • Cloud computing is on-demand access to measured service. Its traits are self-service, rapid elasticity, and open access. The top three reasons for moving to the cloud are: efficiency, agility, and innovation. Resource pooling makes cloud computing both appealing and dangerous. Managing cloud’s inbuilt risks can help you achieve its benefits.
  • IT and business leaders know there are risks to cloud computing. Security is the top concern, cited by over half of those considering cloud. Top security fears are #1) corporate confidentiality, #2) privacy of personal data, and #3) data integrity. Security is an obvious risk. Still, many have not done an objective risk assessment. The top risks are actually #1) data portability, #2) control and visibility, and #3) legal issues. Failing to determine and address your actual risks before choosing a cloud provider could set up a catastrophe.
  • Our research shows average cost reductions of 20% or more are realistic. 75-80% of cloud adopters will save money. The risks of failures, vendor lock-in, governance issues, and jurisdictional concerns are real too. If you assess your risks, you can know what is most important to your firm. Use that information to compare service offerings, choose a provider, and manage the relationship. To obtain the best Return on Investment (ROI), you need to confirm the faith you place in cloud providers — trust but verify.


Is now the right time to move to cloud computing? If so, then follow these steps.

  • Utilize Service Catalog Management (SCM) to evaluate your readiness for cloud computing and make the best decision. Use your service definitions to discover what you do for whom and understand threats. Understand what cloud computing means to the identified assets (e.g., service or service component) and how and why it can affect your firm and IT.
  • Assume that the business reasons for moving the asset(s) to the cloud do not represent your primary sources of risk. Assess your own risks using Information Security Management methods like ISO/IEC 27005. Determine the odds of each threat occurring and what negative business impact it will have. Work with affected business peers for this effort.
  • Using Service Level Management (SLM), develop Service Level Requirements (SLRs) based on your risk assessment. Then use SLRs to compare and select cloud providers and service offerings. Obtain proof from selected vendors that they address all SLRs completely. Further verify via a well-defined trial.
  • Put in place service monitoring and event management. Service monitoring is end-to-end transactional visibility vs. traditional IT operational metrics around CPU, network or storage. Event management is how you handle service issues.
  • Use Supplier Management to ensure all contracts support SLRs and all providers meet all contractual obligations. Monitor vendor performance. Use SLM to ensure business satisfaction. Identify and define improvements through periodic planned reviews, and review and adapt as needed.
  • Get started now by creating a cloud computing team to consider the steps outlined in this brief. Determine which cloud service model (SaaS, PaaS or IaaS) and deployment mode (Public, Private, Community or Hybrid) is best for your firm. Develop a short list of providers based on your service definitions and risk assessment. Revalidate your risk assessment based on data flow between your firm, your selected providers, and any vendors they use in their delivery.
  • Be sure to use the process outlined in How to Adopt Cloud Computing to improve your odds.
