As made clear from the above, cloud computing is a tool that offers enormous benefits to its adopters. However, being a tool, it also comes with some challenges when deploying in a public sector environment. It is continually evolving and there is still uncertainty and challenges that organisations need to understand. Organisations need to balance the headline benefits while considering the appropriate balance of risk relating to security.
An organisation's assessment of the risk to their information or services should not differ when assessing it in the cloud to how they would if it was on-site. What does differ is some of the questions that need to be considered, but the impact will remain the same. As with any information security assessment there are a variety of risks that need to be carefully considered, with the level of risks varying depending on the sensitivity to the organisation of the data being stored or processed.
However, benefits can only be fully realised following an assessment of the relative benefits and risks of any individual cloud service offering. All ICT has risk associated with it. For example, data stored at home are susceptible to theft or hardware failure. Cloud computing is not inherently more or less risky than traditional ICT, but the relative risks are different.
- Confidentiality: Organisations should have full ownership of their data and may want to specify the physical location of data stored or where it should not be stored. Consideration should be given to the impact of local regulations in countries where their data may be stored e.g. The USA Patriot Act and Regulation of Investigatory Powers Act 2000. Organisations using cloud computing to store or process publicly available data, such as a public web site may not be concerned about confidentiality. However, the organisation risk assessment should consider the availability and integrity of the public data, including reputational and other damage if the organisations system is offline, or is compromised and distributes misleading information or malicious content.
- Integrity: Data portability is a key mitigating strategy against vendor lock-in for cloud data storage services. Organisations should understand what is involved in moving from one vendor to another to allow them to continually get best value for their organisation
- availability: As organisations integrate more business capabilities with cloud computing there is a greater need for reliable internet connectivity. Downtime has the potential to have a negative impact on operations, similar to the loss of other services such as electricity or water. While the programme in Scotland to roll out Next Generation Broadband by 2020 will assist connectivity greatly, organisations should understand the implications of internet availability in their business continuity plans.
- contractual: When entering into a contractual arrangement there are a number of areas that should be understood, the key to getting the maximum benefit from the cloud is having the correct SLA for your service.
The assessment question list at Annex 2 should be considered when thinking about using cloud computing, this will assist in making an informed decision as to whether cloud computing is currently suitable to meet business goals with an acceptable level of risk.
It is recommended that any risk assessment is undertaken by digital business leaders as well as the ICT department in liaison with the information assets owner.
Updated guidance for organisations that need to assess and make business decisions about technology and information risks has been published by CESG see https://www.gov.uk/government/publications/technology-and-information-risk-management
Any risk assessment should also consider a privacy impact assessment ( PIA) see Annex 3.
Email: Philip Whitley