Evaluating Initial Cloud Risks
Irena Bojanova
APR 10, 2013 08:00 AM
painting of cowboy wrangling wild horses

It's the High-Tech Wild, Wild West out there!
Although the Cloud Computing marketplace is still chaotic, it is:

  • Exciting
  • Fast-growing
  • Full of opportunities

The stages of the Cloud follow the evolution of sharing on the Internet: networking, network sharing, information sharing, resources sharing, and services sharing (IBM).

Figure 1. Evolution of Sharing on the Internet

  • The first stage of the Cloud was around networking, the TCP/IP abstraction. Multiple regional networks, linking computers, were built at universities and national laboratories. Their inter-networking with TCP/IP led to network sharing and the emergence of the Internet and its worldwide adoption.
  • The second stage of the Cloud was around documents, the WWW data abstraction. The HTML format, the HTTP protocol, and the Mosaic browser were adopted by universities for document exchange and then worldwide for information sharing. Grid computing then emerged, with standards and software for sharing remote resources and for collaboration, used mainly for highly scalable High Performance Computing (HPC) jobs.
  • The newest stage of the Cloud, cloud computing, has emerged to provide services sharing by abstracting infrastructure complexities of servers, applications, data, and heterogeneous platforms.

No wonder then that the CSA (Cloud Security Alliance) Security Guidance for Critical Areas of Focus in Cloud Computing considers two categories of assets that can be supported by the Cloud:

  1. Data (information)
  2. Applications/ functions/ processes (transactions/ processing)

CSA has also developed a simple framework to help evaluate initial cloud risks and inform security decisions:

  • It is a quick method that helps an organization understand:
    • The importance of what it is considering moving to the Cloud
    • Its own risk tolerance
    • Which combinations of deployment and service models are acceptable
  • It also gives a good idea of the potential exposure points for sensitive information and operations.

A concise version of the framework is provided in the following table. Note that SPI is used as an acronym for the three most common cloud computing service models: Software as a Service, Platform as a Service, and Infrastructure as a Service.

Table 1. Evaluating Initial Cloud Risks

Step 1. Identify the asset for cloud deployment

  Details:
  • Determine exactly what data or which application/ function/ process is being considered for the Cloud.

  Potential uses of the asset to account for:
  • Scope creep: data and transaction volumes often become higher than expected.

Step 2. Evaluate the asset

  Details:
  • Determine how sensitive the data is and how important the application/ function/ process is to the organization. Assess confidentiality, integrity, and availability, and how the risk changes if all or part of the asset is in the Cloud. This resembles a project outsourcing assessment, just with a wider range of deployment options.

  Ask what the harm would be if:
  • The asset became widely public and widely distributed
  • The asset were accessed by an employee of the Cloud provider
  • The process/ function were manipulated by an outsider
  • The process/ function failed to provide the expected results
  • The data were unexpectedly changed
  • The asset were unavailable for a period of time

Step 3. Map the asset to cloud deployment models

  Details:
  • Determine whether the risks implicit in the different deployment models (private, public, community, hybrid) and hosting scenarios (internal, external, combined) are acceptable.
  • At this point there should be a good idea of the comfort level for transitioning to the Cloud, and of which deployment models and locations fit the desired security and risk requirements.

  Which model is acceptable for the identified asset:
  • Public
  • Private, internal/ on premises
  • Private, external (look at dedicated versus shared infrastructure)
  • Community (look at the hosting location, the service provider, and the community members)
  • Hybrid (look at least at a rough architecture of where components, functions, and data will reside)

Step 4. Evaluate cloud service models and providers

  Details:
  • Focus on the degree of control the organization will have at each SPI tier to implement any required risk management (risk mitigation).
  • For a specific offering, switch to a fuller risk assessment.

  Evaluate the degree of control for:
  • SaaS
  • PaaS
  • IaaS
  • Providers' offerings

Step 5. Map out the data flow

  Details:
  • For a specific provider offering, map out the data flow between the organization, the cloud service, and any customers/ other nodes. Understand whether and how data can move in and out of the Cloud.
  • For any offering, sketch out a rough data flow for every deployment option on your acceptable list, to help identify risk exposure points when making final decisions.

  Sketch the data flow for:
  • Private
  • Public
  • Community
  • Hybrid
  • Providers' offerings
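To make the five steps concrete, here is a small model of the walk-through in Python. It is an added illustration, not code from the original post or from the CSA guidance: the six harm questions are scored on an assumed 0 (none) to 3 (severe) scale, each deployment model is given an assumed set of harm scenarios it exposes the asset to, each SPI tier is given an assumed control score (decreasing from IaaS to SaaS), the rule that the required control equals the worst exposed harm is an assumption, and the sample "billing records" ratings are constructed for the example.

```python
"""Toy walk-through of the CSA initial cloud-risk steps (identify, evaluate, map to
deployment models, evaluate service models, sketch data flow).

Added illustration only: not code from the original post or from CSA. The scenario
names, the 0-3 harm scale, the exposure sets per deployment model, the control
scores per SPI tier and the sample asset ratings are all assumptions made here.
"""
from dataclasses import dataclass

# Step 2: the six "what would be the harm if..." questions, rated 0 (none) to 3 (severe).
HARM_SCENARIOS = (
    "widely_public",         # asset became widely public and widely distributed
    "provider_employee",     # asset accessed by an employee of the cloud provider
    "manipulated_outsider",  # process/function manipulated by an outsider
    "wrong_results",         # process/function failed to provide expected results
    "data_changed",          # data unexpectedly changed
    "unavailable",           # asset unavailable for a period of time
)

DEPLOYMENT_MODELS = ("private_internal", "private_external", "community", "public", "hybrid")
SERVICE_MODELS = ("IaaS", "PaaS", "SaaS")

# Step 3 assumption: harm scenarios a deployment/hosting choice exposes the asset to
# beyond what in-house hosting already carries. External hosting adds provider staff;
# shared infrastructure (community, public) adds co-tenants and broader distribution.
DEPLOYMENT_EXPOSURE = {
    "private_internal": set(),
    "private_external": {"provider_employee"},
    "community": {"provider_employee", "widely_public"},
    "public": {"provider_employee", "widely_public", "manipulated_outsider"},
    "hybrid": {"provider_employee"},  # rough: depends on where each component resides
}

# Step 4 assumption: consumer control per SPI tier, decreasing from IaaS to SaaS.
SERVICE_CONTROL = {"IaaS": 3, "PaaS": 2, "SaaS": 1}


@dataclass(frozen=True)
class Option:
    deployment: str
    service: str
    exposed: tuple   # harm scenarios this combination exposes the asset to
    residual: int    # highest harm rating among the exposed scenarios


def classify_asset(harm):
    """Step 2: overall sensitivity is the worst-case answer across the six questions."""
    missing = set(HARM_SCENARIOS) - set(harm)
    if missing:
        raise ValueError(f"unrated harm scenarios: {sorted(missing)}")
    return max(harm[s] for s in HARM_SCENARIOS)


def acceptable_deployments(harm, tolerance):
    """Step 3: keep deployment models whose implied exposures all fall within tolerance."""
    return [m for m in DEPLOYMENT_MODELS
            if all(harm[s] <= tolerance for s in DEPLOYMENT_EXPOSURE[m])]


def acceptable_options(harm, tolerance):
    """Steps 3 and 4: pair each acceptable deployment model with the SPI tiers that leave
    the organization enough control to mitigate the worst exposed harm.
    Assumption: required control equals the worst exposed harm rating."""
    options = []
    for dep in acceptable_deployments(harm, tolerance):
        exposed = tuple(sorted(DEPLOYMENT_EXPOSURE[dep]))
        worst = max((harm[s] for s in exposed), default=0)
        for svc in SERVICE_MODELS:
            if SERVICE_CONTROL[svc] >= worst:
                options.append(Option(dep, svc, exposed, worst))
    return options


def exposure_points(option):
    """Step 5: rough data-flow sketch organization -> cloud service -> customers/other nodes.
    A hop is an exposure point when the asset crosses the organization's boundary on it."""
    internal = option.deployment == "private_internal"
    hops = [
        ("organization", "cloud service", not internal),
        ("cloud service", "customers / other nodes", True),
    ]
    return [f"{src} -> {dst}" for src, dst, crosses in hops if crosses]


# Constructed sample asset (steps 1-2): customer billing records, as rated by the organization.
BILLING_RECORDS = {
    "widely_public": 3, "provider_employee": 2, "manipulated_outsider": 3,
    "wrong_results": 2, "data_changed": 3, "unavailable": 1,
}


if __name__ == "__main__":
    tolerance = 2  # the organization's risk tolerance on the same 0-3 scale
    print("sensitivity:", classify_asset(BILLING_RECORDS))
    for opt in acceptable_options(BILLING_RECORDS, tolerance):
        print(f"{opt.deployment:17} {opt.service:5} residual={opt.residual} "
              f"exposure points: {exposure_points(opt)}")
```

With the constructed ratings and a tolerance of 2, community and public hosting drop out (the "widely public" harm is rated 3), external private and hybrid hosting survive only at the IaaS and PaaS tiers (SaaS leaves too little control for a provider-employee harm rated 2), and internal private hosting keeps all three tiers. The exposure sets and control scores are the part an organization replaces with its own judgment; the filtering is what makes the tolerance decision explicit and repeatable.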

Does anyone have ideas or sources on how initial cloud risks are, or should be, evaluated? Please share here!


Irena Bojanova, Ph.D., is the Founding Chair of the IEEE CS Cloud Computing STC, an associate editor of IEEE Transactions on Cloud Computing, and an editorial board member of IEEE CS IT Professional. She is a professor and program director, Information and Technology Systems, at University of Maryland University College; she managed academic programs at Johns Hopkins University and PIsoft Ltd., and co-founded OBS Ltd. (now CSC Bulgaria). Her current research interests include cloud computing, web-based systems, and educational innovations. She is a member of the IEEE and can be reached at

