Page 248 - How Cloud Computing Is Transforming Business and Why You Can’t Afford to Be Left Behind
MANAGEMENT STRATEGIES FOR THE CLOUD REVOLUTION
visibility and due diligence you performed when investigating
the provider, the greater the chance of introducing higher levels
of risk into your organization. Inversely, the less critical the
process, the less sensitive the data, the less risk you’ll potentially
inherit.
There is of course a distinct difference between potential
risk and actual risk, and the two should not be confused. The
key to the process isn’t saying “no” all the time, but rather,
achieving visibility into potential risks and assuring they are in
line with your organization’s risk appetite. Put another way,
it’s about going into a relationship with your eyes wide open
and ensuring you’ll be in a position to manage any newly introduced,
cloud-based risks.
Say you’re thinking about building a non-mission critical
application, perhaps a tool for the marketing team, using a
PaaS (platform as a service) offering. The app won’t touch any
sensitive data, and you’ve done enough investigation of the
provider to know its controls are within your risk-tolerance levels.
On the opposite end of the spectrum would be embracing a
cloud-based offering that involves data such as personally identifiable
information (PII), credit card numbers or any type of
highly confidential data while doing little more than asking the
provider some questions beforehand. In this scenario, you’re
rolling the dice. There’s potentially a huge amount of risk to be
inherited due to the nature of the data, but without adequate
visibility, you simply don’t know what you’re dealing with.
Most real-world scenarios will fall somewhere in between
these two examples, but the approach of measuring visibility
against criticality is key. There will, of course, be new threats