Risk and Governance Considerations in Cloud Era


Mohammad Ali Shalan (Jordan Engineers Association, Jordan)
DOI: 10.4018/978-1-5225-0759-8.ch016


Cloud Computing (CC) has recently emerged as a compelling paradigm for managing and delivering computing services over the internet. It is rapidly changing the landscape of technology and ultimately turning the long-held promise of utility computing into a reality. Nevertheless, jumping into the cloud is never a trivial task. A special approach is required to discover and mitigate the risks of the cloud jump and to apply the related controls. The main objective of this chapter is to specify some of the phenomena associated with the CC paradigm and the associated business transformation. It looks at the motivations, contracting, obstacles and the agile project rollout methodologies. It then provides an in-depth analysis of the allied risks and governance directions. CC governance is becoming more crucial as the CC paradigm is still evolving. In this context, this chapter builds a few bricks toward a full Cloud Computing Risk and Governance Framework (CCRGF).
Chapter Preview


Cloud Computing (CC) is increasingly asserted as the technology with the potential to change the way the internet and information systems are utilized within Client Enterprises (CEs). Cloud has emerged as a growing trend toward scalable, flexible and powerful computing. Consequently, it is capable of introducing a paradigm shift in how technology delivers value to the business. With significant global investments, Cloud Computing (CC) is showing the power to completely revolutionize the business mindset and promote new business characteristics. On-demand services, shared computing resources, rapid provisioning and minimal-intervention activities are just a few trends to mention.

Cloud benefits do not come hassle free: several risks, security concerns, contracting and compliance issues surround the cloud models. Reduced availability of critical business processes, compromised confidentiality and reduced integrity are side effects of CC utilization. This is not surprising, since the concept of a secure surrounding perimeter has vanished as users and services become more mobile. Internal or external service providers are introduced as Middle Circle Contractors (MCCs) in the middle of the CC services. Additional substantial effects exist due to moving the company’s key applications and certain corporate information to the cloud. A further challenge is raised because the adoption of cloud computing applications might begin outside the Technology Organization (TO), causing plenty of loose activities and associations.

This chapter aims to portray a picture of the risk and compliance issues related to CC and to emphasize governance as a mechanism to orchestrate such a heterogeneous environment. Governance can set the rules and responsibilities, lead the way to uphold the cloud phenomena and manage the associated risks in a reliable and trustworthy way. This chapter is devoted to inverting the question facing the Chief Information Officer (CIO) when approaching the board to ask for a Governance, Risk and Compliance (GRC) implementation. Usually the CIO will be asked “how much will it cost, and what are the benefits?”. Conversely, the right question in the cloud era should be “how much will it cost if we don’t have a GRC practice, and what are the consequences?”.

The chapter’s insight puts risk and governance at the heart, while providing highly valuable experience to those looking for guidance to move their business infrastructure, processes and applications into the cloud. As a first step we aim to define cloud concepts and separate the potentially significant business benefits and threats from the surrounding hype and hyperbole. This will increase clarity when navigating through fear, uncertainty and doubt. The native questions about CE readiness for CC adoption are answered in a structured and systematic approach. One lesson learned from governance is that realizing value from new services requires a mature organization that can recognize the associated benefits, set controls and own the relevant tools to measure them. Because cloud services are not yet mature, technology controls that exist today may be stretched or distressed if applied to the cloud and may be unable to cope with the demands placed on them. This chapter argues that new methodologies and mechanisms to control various cloud aspects need to be redesigned considering the associated risks and trends.

This chapter provides evidence-based insights into the CC benefits and challenges. The associated trends of elasticity, business transformation and value proposition are also discussed. The length and design of this chapter preclude extensive treatment of each area; consequently it appeals to both academics and practitioners. It highlights some key concepts and best practices to help smooth the CC transition, the subsequent operation and the continuous enhancements. The main objective of this chapter is to highlight the risk and governance transformations in the cloud era and to provide real-world projections and effects. Notably, this chapter aims to help CEs roll out CC projects, manage the associated contracts smoothly and effectively follow the constructive trends, including the agile methodologies.

Key Terms in this Chapter

SMAC: An acronym generated from the first letters of Social, Mobile, Analytics and Cloud words. These four technologies are currently driving business innovation, with multiple service categories and scenarios.

Technology Organization (TO): A team, either inside the client enterprise (CE) or outside it, that is in charge of establishing, monitoring and maintaining technology systems and services. The TO needs to support strategic planning to ensure that all technology initiatives are aligned with business goals. Traditionally, the TO was named the information technology (IT) department.

Cloud Service Provider (CSP): An entity that provides cloud computing services based on its existing platforms and applies certain rules and charges for these services.

Governance: A set of processes, customs, policies, laws and institutions affecting the way an enterprise is directed, administered or controlled.

Shadow IT: A term often used to describe technology systems and solutions built and used inside the CE without formal approvals or technology organization involvement.

Agile Methodology: A development method that is people-focused and communication-oriented, with a leadership philosophy that encourages teamwork, self-organization and accountability, in order to develop a dynamic service that can respond to change and continuously deliver business value.

Middle Circle Contractor (MCC): An external or internal person, group or organization that is appointed to perform work or to provide goods/services at a certain price or within a certain time. The MCC appears as a middleman who usually disappears after the specified task is complete.

Risk Management: The act of handling the risk exposure through mitigation, acceptance, sharing and avoidance. It includes the ability to handle information and technology risks based on stakeholders’ risk parameters.

Outsourcing: A common method whereby a third party performs a function on behalf of the Client Enterprise (CE), often when additional resources (time, expertise, human resources, services, etc.) are needed. This is usually an extended, long-term relationship.

Client Enterprise (CE): A business enterprise that uses the professional, networking or computing services provided by Cloud Service Providers (CSPs). Services are provided according to a signed contract against agreed financial charges.
