With storm clouds steadily approaching, here are a few things an organization should take into consideration on an individual basis before making a move to the cloud.
These are some of the measures that need to be taken to properly determine your organization's risk, whether real or perceived.
First and foremost, I would propose that any organization re-evaluate its business function model (BFM).
There are two components to business continuity planning (BCP).
1. Business impact analysis - BIA is concerned with evaluating the process and what impact a loss would have on the organization.
Here are some things to consider for a business impact analysis:
- Identify Critical Functions -- What functions are necessary to continue operation in the event of a disruption?
- Prioritize Critical Functions -- What happens if your data communication service is disrupted?
- Calculate A Time Frame For Critical System Loss -- How long of a disruption can our organization withstand?
- Estimate The Tangible And Intangible Impact On The Organization -- What are the public relations repercussions?
2. Risk assessment, sometimes referred to as risk analysis - Risk analysis primarily deals with the threats, vulnerabilities, and impacts related to the loss of information, processing capability and data availability.
Here are some things to consider for a risk assessment:
- Risks The Organization Is Exposed To -- Operating systems and applications are known to be at risk in certain environments.
- Risks That Need Addressing -- Resources should be allocated in such a way as to prevent theft and espionage.
BCP is a management tool that ensures the BFM can be performed when normal business operations are disrupted. The risk assessment, in conjunction with the BIA, provides an organization with an accurate picture of the decisions facing it. It also allows the organization to make intelligent decisions about how to respond to various scenarios.
Before anyone makes a move to the cloud, it would be advantageous to incorporate a true annual loss expectancy (ALE) into their business model.
ARO - (annualized rate of occurrence) - Historical data on how often an occurrence happens within a year.
SLE - (single loss expectancy) - A monetary value assigned to data.
ARO x SLE = ALE
Example:
Let's say an organization's in-house web server generates $25,000 in revenue per hour. The probability of the web server failing is 25 percent, and a disruption causes 3 hours of downtime and $5,000 in repair cost. The SLE is $80,000 ($25,000 x 3 hours + $5,000), and the ARO is .25. The ALE is $20,000 ($80,000 x .25).
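The same calculation as an added example (not part of the original article), extended to derive the ARO from an incident history and to rank several assets by ALE. The incident records, the four-year observation window and the assets other than the web server are constructed assumptions.

```python
from collections import defaultdict

# Constructed inputs (assumptions, not data from the article). The web-server
# figures reuse the article's numbers; the other assets are invented.
REVENUE_PER_HOUR = {"web-server": 25_000, "mail-gateway": 2_000, "file-server": 500}
YEARS_OBSERVED = 4
# One record per outage: (asset, downtime in hours, repair cost in dollars).
INCIDENTS = [
    ("web-server", 3.0, 5_000),
    ("mail-gateway", 4.0, 1_000),
    ("mail-gateway", 2.0, 500),
]


def single_loss(asset, hours_down, repair_cost):
    """SLE for one outage: lost revenue plus repair cost."""
    return REVENUE_PER_HOUR[asset] * hours_down + repair_cost


def risk_register(incidents, years_observed):
    """Return one row per asset with ARO, mean SLE and ALE, highest ALE first."""
    if years_observed <= 0:
        raise ValueError("observation window must be a positive number of years")
    losses = defaultdict(list)
    for asset, hours_down, repair_cost in incidents:
        losses[asset].append(single_loss(asset, hours_down, repair_cost))
    rows = []
    for asset in REVENUE_PER_HOUR:
        per_incident = losses.get(asset, [])
        # ARO: recorded occurrences divided by the years they were observed over.
        aro = len(per_incident) / years_observed
        # SLE: mean loss per outage; 0.0 when the asset has no recorded outage.
        sle = sum(per_incident) / len(per_incident) if per_incident else 0.0
        rows.append({"asset": asset, "aro": aro, "sle": sle, "ale": aro * sle})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


if __name__ == "__main__":
    for row in risk_register(INCIDENTS, YEARS_OBSERVED):
        print(f"{row['asset']:<13} ARO={row['aro']:.2f} "
              f"SLE=${row['sle']:,.0f} ALE=${row['ale']:,.0f}")
```

An asset with no recorded outage shows an ALE of 0, which reflects missing history rather than an absence of risk.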
From a technical perspective, information will be secured by the existing confidentiality, integrity, and availability (CIA) technology used in information technology today, with further enhancements focused on the speed of compression/decompression and encryption/decryption.
Also expect the US government to implement a key escrow system for the purpose of law enforcement access.
The weak link in online security as it exists today is the single-factor authentication model, which is predominantly used. However, there is nothing intrinsically wrong with single-factor authentication. They would have to at least go to some form of a multi-factor authentication model to achieve a greater level of acceptance by the industry as a whole and the masses.
In conclusion: If done correctly, the cloud should only augment one's current infrastructure, not replace it.