Cloud services have inherent risks
Understand risk profile
Pre-define risk appetite
Identify risk mitigations
Common risks:
1. Role and responsibility shifts
Risk | Mitigation actions |
Responsibilities shift from in-house to CSP team; Control at service level | Review shared responsibilities; Define new roles; Training |
Disruption and reliance on technical staff | Define full-service architecture before migration; Define service usage and SLAs; Training |
Overfocus on device management; Activities over outcomes | Quantify outcomes |
2. Unauthorized procurement and use
Risk | Mitigation actions |
Easy to procure cloud services; Weak access controls create risks | Control measures and policies; CSP monitoring tools; Cloud management office |
Uncontrolled purchasing: | Centralized purchasing; Policies and standards; Access controls; Service catalogs; Purchasing frameworks; Budget alerts |
Uncontrolled use creates inefficiencies | Access controls; Resource management training; Audits |
Don't confuse cloud and innovation | Establish use cases; Differentiate approved and new services |
3. Security
Shared responsibility
CSPs use highest level of security
Cloud capabilities enhance CSP security
Benefits consumers
Risk | Mitigation actions |
Inconsistent use of security tools | Define security requirements; Update security policies; Use security monitoring tools; Security training |
Misaligned responsibilities | Stakeholder education; Clear policies |
Physical access | Physical access controls; Limit consumer access; Assess security through third-party audit; Limit virtual access |
4. API vulnerability
API enables two systems to communicate
Risk | Mitigation actions |
Unauthorized use | Secure data; Detect and manage failures; Security procedures; Security tools |
Data storage and transfer | Identify data source, destination and route; Verify security requirements; Review policies and tools; Establish minimum security levels |
5. Tenant separation/data deletion
Economies of scale through multi-tenancy
Risk to consumers
Risk | Mitigation actions |
Misapplication of procedures; Data incorrectly distributed | Ensure adequate CSP procedures |
Unauthorized physical access can lead to data deletion | Ensure security measures |
6. Vendor lock-in
Switching CSPs difficult (ensure good CSP fit)
Switching can cause architecture issues
Accept switching costs
Risk | Mitigation actions |
High customization = high switching risk | Consider cloud usage carefully; Rebuild solutions with generic cloud services; Ensure common standards; Use generic components; Flexible applications; Evaluate unique components |
Customized SaaS solutions risk vendor lock-in | Differentiate SaaS software and customization; Assess level of specialist knowledge; Check future roadmap; Assess cultural fit; Support levels; How to move service? |
7. Third-party contracting
Reasons CSPs take partners:
Unclear relationship: clearly state responsibilities
Solution contains components from different providers
Consumer manages solution
Use clearly-defined services
Specify:
8. Migration
Movement between environments incurs risks
Risk | Mitigation actions |
Stolen credentials | Access controls; Process testing; Policy reviews |
Cloud and in-house differences | Planning essential; Skill analysis; Staffing and training programs; Expand skill set |
Access abuse; Informal processes cause problems | Security procedures; Access controls; Monitoring |
Data loss | Data retention policies; Test for dependencies and failure points; Contingency plans |
Contract misunderstandings | Due diligence |