The beneficial role of the cloud computing in the enterprise risk management (ERM) architecture may best be perceived through the optimization of the organizational governance, risk and compliance (GRC) activities. Cloud computing can reduce the overall degree of complexity involved with most on-premises, physical computing and information storage operations by simplifying data center operations, enhancing resource utilization and providing alternative backup and disaster recovery tools that otherwise may not be available under one single technological platform. Consequently, specific GRC solutions that play critical roles in organizational ERM activities can be offered and accessed globally based on specific needs of the organization while maintaining the much needed scalability and security to maintain a competitive edge.
By deploying appropriate cloud computing solutions, Computer and storage resources become rather instantly available on demand. Cloud computing terminates the need to lease brick-and-mortar hardware, physical facilities or employ and train more on-site human resources to ensure compliance. By keeping the costs down, the right adoption plan can make GRC a unified, transparent and global effort on the part of the organizations to maintain compliance and manage risks while remain strategically competitive and economically sustainable. When planned, deployed and managed appropriately, cloud computing “empowers” organizations to adopt viable ERM architectures and best practices by rationalizing and/or re-engineering GRC business processes, specialization of resources, enhancement of information and data management as well as the reduction of potential and existing impediments associated with legacy IT investments.
As part of a risk management exercise for cloud computing, it’s important to rank the positive information security benefits from utilizing cloud infrastructure. Since the largest risks lie on public cloud fronts (unless mentioned otherwise), all references are only to public cloud infrastructure.
A background
By its very nature, cloud computing setups have a huge setup in place, which typically comprises of hundreds (if not thousands) of servers running a wide variety of operating systems, virtualized platforms and databases. The network will utilize equipment with Gigabit transfer rates and high end security systems. The data centre is at least a tier 2+, if not a tier 3/4 setup.
Specialized personnel: Since the entire business model is based on providing IT resources, cloud providers can afford to hire and retain the industry’s finest skillsets. This is a huge boon for many organizations, since they are unable to attract and retain highly skilled resources. It’s not rare to see organizations which are able to spend large sums on IT Infrastructure, but unable to derive due benefits due to lack of skilled resources.
Opex, NOT capex: In many countries, organizations purchasing IT equipments for internal consumption – “capex – capital expenditure” cannot take immediate tax benefits by writing off expenditure, but get staggered benefits spread over five years. By employing a cloud provider’s resources, investments in cloud resources get classified as operational expense (opex), which results in immediate tax benefits.
Platform support: Many organizations are unable to rollout patches on time, or even identify the applicable patches due to various reasons like lack of adequate knowledge base, time, or adequate testing infrastructure. These shortcomings are not there for most cloud providers, ensuring that the platforms and applications that you use on those cloud setups are adequately up to date. This is a two edged sword, since this very point has also been observed as a weakness in certain cloud providers whom we have audited.
Organizations which have fairly mature processes in place ensure aspects like timely internal system updates and adequate testing. The same cannot be said in a guaranteed manner for cloud providers due to lack of visibility and transparency. We will cover this aspect in detail with mitigation strategies in the next installments of this tip.
Backup and recovery: Almost all the organizations that I have worked with in the past 20 years take regular backups. However, very few organizations ever perform regular restoration to check the working and adequacy of backups, which lead to last minute unpleasant surprises. Cloud providers have this step pat in place, since the repercussions of a mess-up will be fatal for their existence. Again, this is a two edged sword dependent on the policies of the cloud provider, which may or may not be sufficient for your organizational requirements. We will cover mitigation strategies in detail in the next parts.
Disaster recovery: This is critical for most organizations, but regularly side-stepped or watered down. Redundancy and disaster recovery capabilities are built into cloud computing environments. This is a two edged sword dependent on the cloud provider’s policies and implementation strategy, which may not be sufficient for your organizational requirements.
Thin clients: Since applications and data (in most cases) will reside on the cloud infrastructure, you will not require powerful laptops and desktops to run your applications. Not much confidential data will reside on your internal systems, thus cutting down on your information risk factors. This is again based on the cloud provider’s policies and your implementation topology.
Power savings: Last year, Pike Research found that cloud computing could lead to a 38 percent reduction in worldwide data center energy use by 2020, compared to what the growth of data center energy consumption would be without cloud computing. Another study from Microsoft, Accenture and WSP Environment and Energy in 2011 found that moving business applications to the cloud could cut the associated per-user carbon footprint by 30 percent for large, already-efficient companies. This figure could be as much as 90 percent for the smallest and least efficient businesses.
One thought on “Enterprise risk Management in Cloud Computing”