Governance and Risk Management in the Cloud with Cloud Controls Matrix V3 and ISO/IEC 38500:2008

Abhik Chaudhuri (Tata Consultancy Services, India)
DOI: 10.4018/978-1-4666-9466-8.ch007


Cloud based services are gaining popularity across the globe and there is a growing interest to adopt the cloud for operational efficiency, green computing initiatives and service agility. However, concerns about security and risks in the Cloud are important constraints to reaping the benefits of Cloud Computing. Controlling the threats and vulnerabilities of Cloud based IT Services is a prime necessity, supported by proper policies and guidance from the Business Leadership or Board. While Business is concentrating on cost reduction as a primary enabler for adopting Cloud based Services, there is a growing need to exercise effective Governance and Risk Management to mitigate security risks and to retain control over data in the Cloud. This chapter discusses how the Governance and Risk Management (GRM) domain of the Cloud Controls Matrix (CSA CCM) V3 Framework from the Cloud Security Alliance (CSA) and the ISO/IEC 38500:2008 standard for IT Governance can be utilized together for effective Governance and Risk Management of Cloud Services.
Chapter Preview


Cloud Computing is gradually gaining significance as an effective IT Service Delivery methodology with every passing year, and there is growing interest among Business Owners and IT Service Providers to embrace the Cloud. According to Gartner Inc.’s Hype Cycle for Cloud Computing (2013), Cloud Computing is gradually moving towards the Slope of Enlightenment, as shown in Figure 1, with its growing popularity, while two key technology concepts related to the Cloud, Virtualization and Software as a Service (SaaS), are approaching the Plateau of Productivity. However, Cloud based IT Services are not free from security threats and vulnerability issues. In fact, if an organization overlooks the risks from security threats while moving to the Cloud, and if it does not have a proper governance mechanism to mitigate those risks, then the Return on Investment in the Cloud can be negatively impacted, reducing the tangible benefits and possibly even leading to a catastrophe.

Figure 1. Hype Cycle for Cloud Computing (Gartner, 2013).


Essential Characteristics Of Cloud Computing

According to Mell and Grance (2011), NIST (National Institute of Standards and Technology, U.S.A.) has ascribed five essential characteristics to Cloud Computing. These are:

1. On-demand self-service - The Cloud Service Provider (CSP) should have the ability to automatically provision computing capabilities, such as server and network storage, as needed without requiring human interaction with the CSP.

2. Rapid elasticity - The computing capabilities should be rapidly and elastically provisioned with minimal response time, to scale out or scale in quickly.

3. Broad network access - The cloud network should be accessible anywhere and by almost any device.

4. Resource pooling - The CSP’s computing resources can be pooled to serve multiple customers using a multi-tenant model, with dynamic allocation and de-allocation of physical and virtual resources on demand, irrespective of the location of those physical and virtual resources (across geographies).

5. Measured service - Cloud systems should provide a utility based computing experience where resource usage can be monitored, controlled and reported, providing transparency to both the CSP and the customer.
