Public Cloud Adoption: Considerations for Managing Operational Risk

20 02 2012

by Chris Ortyl

Adoption of cloud computing presents significant challenges to virtually every organization, across industries and sectors. Business and IT leaders face a daunting task navigating the array of cloud technologies, products and service offerings, and filtering vendor hype from operational reality. Further complicating matters are the multiple service and deployment models available to cloud consumers, as well as the new fee structures and cost models associated with on-demand, IT-as-a-utility service sourcing and provisioning. Organizations must assess and rationalize cloud service offerings and capabilities relative to business objectives and business requirements. In addition to the potential benefits and opportunities, considerable analysis and due diligence are required to understand the operational risk, as well as the data privacy, legal and compliance issues, inherent in the cloud computing paradigm.[1] A risk-based approach is essential to the development of a solid cloud security strategy.

NIST defines three cloud service models (SaaS, IaaS, PaaS) and four deployment models (public cloud, private cloud, hybrid cloud and community cloud).[2] Of the four deployment models, public and hybrid cloud configurations present the most significant risk, as they entail extension of the organization’s value chain to an external business entity. The public and hybrid models also involve use of third-party computing resources and placement of data assets outside the organization, where they are hosted and placed under the control of the cloud service provider (CSP). The pooled-resource, multi-tenancy hosting model and the potential lack of data location specificity raise significant information security concerns and challenges. Security and risk management become more crucial when CSPs host sensitive data such as personally identifiable information (PII) and other restricted data.

Cloud security continues to evolve, and organizations struggle to keep pace with increasingly creative and sophisticated attack methods and tactics. “Cloud solutions are subject to conventional attacks — buffer overflows, password attacks, physical attacks, exploitation of application vulnerabilities, session contamination, network attacks, man-in-the-middle attacks, social engineering, and so on.”[3] In addition to considering external threats, the risk management practitioner must assume that attackers can be legitimate users with valid accounts and unimpeded access to the cloud service. The increased insider threat potential renders many conventional perimeter controls, such as firewalls and security zones, far less effective.

Additionally, there are security concerns unique to, or exacerbated by, cloud computing. The Cloud Security Alliance (CSA) report “Top Threats to Cloud Computing”[4] outlines specific considerations for cloud adoption. The CSA report also offers guidance on cloud service model applicability, potential impact areas and candidate remedial approaches. In addition to IT-related concerns, cloud computing raises a variety of legal and compliance issues not typical of traditional enterprise applications. These include matters of funding obligations, export controls, indemnification, data ownership and retention, exit strategy, and court order and subpoena protocols, to name a few.

A comprehensive, risk-based approach and process framework is essential to managing high-value, mission-critical assets and services while at the same time increasing assurance in their ability to achieve mission objectives. The framework must also address continuity and sustainability requirements to ensure that assets and services continue to meet mission objectives in times of stress and uncertainty.

The Carnegie Mellon University Software Engineering Institute (SEI) CERT Resilience Management Model (RMM) provides a capability-based framework and model for establishing, managing and continuously improving operational resilience from an enterprise perspective.[5] CERT-RMM integrates the disciplines of security management, business continuity management, and IT operations management to provide a holistic approach to operational risk management.[6]

RMM process areas such as Risk Management (RISK), External Dependencies (EXD), Technology Management (TM), Asset Definition and Management (ADM) and Controls Management (CTRL) provide a starting point and foundation to systematically address the risk associated with external CSP service and solution due diligence, sourcing and implementation. The model can also increase an organization’s ability to respond to new and evolving threat and vulnerability profiles as cloud computing continues to mature.

In addition to managing cloud computing risk, CERT-RMM can be applied across the organization to integrate, manage and improve operational resilience at the larger enterprise level.


[1] NIST, “The NIST Definition of Cloud Computing”, Special Publication 800-145.

[2] IDG-CSO, “Security still a concern for those considering cloud move”.

[3] InfoWorld, “Cloud Security Deep Dive”.

[4] Cloud Security Alliance, “Top Threats to Cloud Computing V1.0”, March 2010.

[5] Caralli et al., “CERT Resilience Management Model – A Maturity Model for Managing Operational Resilience”, Carnegie Mellon University, Software Engineering Institute, 2011.

[6] Caralli et al., Technical Report, “CERT Resilience Management Model – Improving Operational Resilience Processes”, Carnegie Mellon University, Software Engineering Institute, 2010.