• Summarize the four risks and challenges.
• Discuss how an organization can mitigate the risk associated with them

• Summarize the four risks and challenges from this Pages
• Discuss how an organization can mitigate the risk associated with them

3.4 Risks and Challenges Several of the most critical cloud computing challenges pertaining mostly to cloud con- sumers that use IT resources located in public clouds are presented and examined. Increased Security Vulnerabilities The moving of business data to the cloud means that the responsibility over data secu- rity becomes shared with the cloud provider. The remote usage of IT resources requires an expansion of trust boundaries by the cloud consumer to include the external cloud. It can be difficult to establish a security architecture that spans such a trust boundary without introducing vulnerabilities, unless cloud consumers and cloud providers hap- pen to support the same or compatible security frameworkswhich is unlikely with public clouds. Another consequence of overlapping trust boundaries relates to the cloud provider's privileged access to cloud consumer data. The extent to which the data is secure is now limited to the security controls and policies applied by both the cloud consumer and cloud provider. Furthermore, there can be overlapping trust boundaries from different cloud consumers due to the fact that cloud-based IT resources are commonly shared. The overlapping of trust boundaries and the increased exposure of data can provide malicious cloud consumers (human and automated) with greater opportunities to attack IT resources and steal or damage business data. Figure 3.9 illustrates a scenario whereby two organizations accessing the same cloud service are required to extend their respective trust boundaries to the cloud, resulting in overlapping trust bound- aries. It can be challenging for the cloud provider to offer security mechanisms that accommodate the security requirements of both cloud service consumers. Overlapping trust boundaries is a security threat that is discussed in more detail in Chapter 6. Reduced Operational Governance Control Cloud consumers are usually allotted a level of governance control that is lower than that over on-premise IT resources. This can introduce risks associated with how the cloud provider operates its cloud, as well as the external connections that are required for communication between the cloud and the cloud consumer. trust boundary of Organization X Organization X cloud service consumer cloud service trust boundary of Organization Y Organization Y 1 cloud service consumer Figure 3.9 The shaded area with diagonal lines indicates the overlap of two organizations' trust boundaries. Consider the following examples: An unreliable cloud provider may not maintain the guarantees it makes in the SLAs that were published for its cloud services. This can jeopardize the quality of the cloud consumer solutions that rely on these cloud services. Longer geographic distances between the cloud consumer and cloud provider can require additional network hops that introduce fluctuating latency and potential bandwidth constraints. The latter scenario is illustrated in Figure 3.10. 3.4 Risks and Challenges 47 reliable network reliable network Organization A unreliable network connection Cloud A 1 cloud service consumer cloud service organizational boundary of cloud consumer organizational boundary of cloud provider Figure 3.10 An unreliable network connection compromises the quality of communication between cloud consumer and cloud provider environments. Legal contracts, when combined with SLAs, technology inspections, and monitoring, can mitigate governance risks and issues. A cloud governance system is established through SLAs, given the as-a-service nature of cloud computing. A cloud consumer must keep track of the actual service level being offered and the other warranties that are made by the cloud provider. Note that different cloud delivery models offer varying degrees of operational control granted to cloud consumers, as further explained in Chapter 4. Limited Portability Between Cloud Providers Due to a lack of established industry standards within the cloud computing industry, public clouds are commonly proprietary to various extents. For cloud consumers that have custom-built solutions with dependencies on these proprietary environments, it can be challenging to move from one cloud provider to another. Portability is a measure used to determine the impact of moving cloud consumer IT resources and data between clouds (Figure 3.11). Cloud A (Cloud Provider X) supports message encryption and digital signatures cloud consumer requires encryption and digital signing of messages Cloud B (Cloud Provider Y) supports message encryption only Figure 3.11 A cloud consumer's application has a decreased level of portability when assessing a potential migration from Cloud A to Cloud B, because the cloud provider of Cloud B does not support the same security technologies as Cloud A. Multi-Regional Compliance and Legal Issues Third-party cloud providers will frequently establish data centers in affordable or con- venient geographical locations. Cloud consumers will often not be aware of the physical location of their IT resources and data when hosted by public clouds. For some orga- nizations, this can pose serious legal concerns pertaining to industry or government regulations that specify data privacy and storage policies. For example, some UK laws require personal data belonging to UK citizens to be kept within the United Kingdom. Another potential legal issue pertains to the accessibility and disclosure of data. Coun- tries have laws that require some types of data to be disclosed to certain government 3.4 Risks and Challenges 49 agencies or to the subject of the data. For example, a European cloud consumer's data that is located in the U.S. can be more easily accessed by government agencies (due to the U.S. Patriot Act) when compared to data located in many European Union countries. Most regulatory frameworks recognize that cloud consumer organizations are ulti- mately responsible for the security, integrity, and storage of their own data, even when it is held by an external cloud provider. SUMMARY OF KEY POINTS O . Cloud environments can introduce distinct security challenges, some of which pertain to overlapping trust boundaries imposed by a cloud provider sharing IT resources with multiple cloud consumers. A cloud consumer's operational governance can be limited within cloud environments due to the control exercised by a cloud provider over its platforms. The portability of cloud-based IT resources can be inhibited by dependen- cies upon proprietary characteristics imposed by a cloud. The geographical location of data and IT resources can be out of a cloud consumer's control when hosted by a third-party cloud provider. This can introduce various legal and regulatory compliance concerns