Now we have Mike Small of KuppingerCole giving his speech on cloud risk assessment. The word "dynamic", Mike, is not part of the title of what you're gonna present to us, but I have understood it's quite dynamic as well, and I'd like to know a bit more about that. So
Thank you. Thank you very much for being here.
So I'm Mike Small, I'm an analyst with KuppingerCole, and I've spent the last five years analyzing the risks and the security of cloud service providers, writing industry analyst reports on them and advising customers. The result of all of this experience I've encapsulated in this very short presentation and a much longer workshop that is available for you all on Friday. So I'm pressing the button and hoping that something's going to happen.
Ah, it is happening. Have I... now I can't see my presentation down at the bottom, so
Wonderful. Right.
So everybody seems to be concerned about the risk associated with the cloud. And this has to be put in a context: there may in fact be a lot of benefits from using a cloud, and so assessing a risk is in fact a balance between the risks and the benefits. There is also some uncertainty in organizations' minds as to what the real risks are and how they should deal with them. And in some organizations that I've come across, there is also a feeling that the lawyers are going to solve everything.
So at the beginning of this presentation I'm going to talk about what the risks are, and I'm going to debunk the myth that you can deal with it simply through contract. We in KuppingerCole have identified five major classes of risk that nearly every organization is concerned with. Not every organization is concerned with all risks, and not every example of a use of the cloud involves all of these risks.
In fact, many examples are very low risk indeed. But most organizations have to comply with laws and regulations, and moving to the cloud can alter the balance to do with that. Every organization now is concerned about cyber risks, the risk of data leakage, the risk of loss of service, and how does the cloud alter that?
In fact, in many cases it can make that better. What is often forgotten is that you need to have the service available. The infrastructure involved in delivering a cloud service may make it further away from you and introduce new elements of risk to do with that availability, but could also increase the benefits. You also have to be concerned that you may become locked in, either contractually or through technical interfaces. And finally, the contract itself may pose a number of risks.
So I'm going to give you some examples of why the contract is pretty useless from this point of view.
The first thing is this: I, together with a lawyer colleague of mine, analyzed the service contracts offered by 19 different major cloud service providers. And largely speaking, they give you very little protection against a loss of service, even if it was the cloud service provider's fault. And in one case I came across, a large service provider had misconfigured their network switches, which prevented the customer from getting their service for some length of time.
And usually what you get back for that is very little. Then you read the kinds of contracts in terms of the security provided, and this makes very sad reading.
You know: "We strive to keep your data content secure, but we cannot guarantee that we will be successful. You acknowledge that you bear sole responsibility for security protection and backup of your content and applications." That isn't someone who is going out of their way to provide a service.
And then finally, if you look at what cloud service providers will be liable for: they may cause the collapse of your business, they may cause you to be fined for non-compliance with regulations, but largely speaking, they will refund the rental fees that you have already paid.
And that's about it. So what can you do to manage this? Clearly I don't believe that the contract is the simple answer. What you need to do is to understand the risks, and you need to take the right steps to manage those risks. And it's a question of balancing between risk and reward. So what are the risks? For many organizations, this long process that you can go through can be short-circuited. We have, from a variety of sources, picked out what are effectively the top 40, roughly 40, risks that nearly every cloud service may bring.
It's not necessarily a complete list, but it's a great deal easier to start from something that's already there. We have classified each one of those risks for each kind of service in terms of what the impact would be if that risk were to become manifest and what the probability is of that risk becoming manifest. Once again, this is not set in stone. We view it as a starting point that you can choose and you can amend if you will, you can add to. Now, when you look at what risk management is about, there is an ISO standard, 31000 I think is the number.
If I remember, what risk is about is that it is measured in terms of the impact and the probability of it occurring, and risk management is about working to reduce the impact and the probability. And for people who have been used to running their own IT services, there is a gap.
If you will, there is a step that they have to take, a conceptual bridge that they have to cross, which says: no longer am I in the position that I control it myself. I have to cross that bridge by taking steps to assure rather than to ensure that the risk is reduced. And that's through, for example, controls.
In this particular slide, what I've actually done is I've brought out what are six levels, if you will, of assurance that you can provide. And each one of these gives you some indication of the reduction in either the impact or the probability of one of those risks. So for example, most service providers will make assertions. They will say, well, we do this.
But the level of assurance that you get from that depends upon the trust you've got in that provider. Then you can look for contractual commitment, and contractual commitment might be very good.
It's written down. But on the other hand, I've pointed out that the standard contracts are fairly biased towards the cloud provider. And anyway, the law is very expensive in order to pursue anything. So it's worth something, but perhaps not as much as you might want. Then you have independent validation.
And here you have reports that auditors and the big auditing companies will do, like the service organization control reports, where they do a verification that a control exists. That is the SOC 2 Type 1 report. Then you have independent testing, and these can be, for example, the pen test reports or the service organization control Type 2 reports, where the auditors have actually tested if the control is effective.
In fact, proving this is rather like testing software. Testing software after you've written it may give you a measure of assurance that the software works, but it doesn't prove it's free of bugs.
It's much better to have designed the thing in the first place. So if you can find a cloud service provider that can provide you with assurance that the service was designed from the base upwards to be secure, then that is certainly a big step forward. Not all of them have done that. Many of them have started off their services with performance or other features in mind.
And finally, is the service actually built using assured components, or is it just some kind of LPO from wherever they can get these things? So those are the kinds of levels that you can expect for assurance. And what do those levels mean in terms of reduction of risk?
Well, in order to help with that, what we've done is we wrote a little tool, and this is intended as a fairly quick assessment tool. We use the base information that I described, that we've taken from all these various sources, and we use Bayesian modeling in order to have a view of what the impact or the reduction that comes from a particular level of assurance is.
And we determine that level of assurance by having a number of questions, and we can either include or exclude risks, or add risks if necessary.
And so that gives you a measure as you go along: by answering the questions, it will alter the view of the particular risk based on the answers to the questions. And it will give you an aggregated view of the risk overall.
And this illustration shows how, by answering a particular set of questions, you've got a view of the relative reduction in the impact and the probability of there being a loss due to that particular cloud. So what we can see is that in order to use the cloud, you involve yourself in an element of trust between you and the cloud service provider, but that trust must not be unqualified.
You need, if you will, to trust but verify: by understanding what the critical risks are, looking at what the inherent levels of those risks are from the basic cloud provider as it stands, and looking at what the impact of the assurance that you can get and the controls that you can put in place are, which lead you to an assured level of that risk. And that is all based on our reports, our experience and tools. And if you're interested in more information on this, come to the workshop on Friday morning. Thank you very much.
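The talk describes a risk register (roughly 40 risks, each with an inherent impact and probability), six levels of assurance from bare assertion up to assured components, and a tool that turns questionnaire answers about evidence into a per-risk and aggregate residual view. The following is an added illustration of that model in Python, written for this page; it is not KuppingerCole's tool, and every number in it (the credence attached to each assurance level, the register entries, the questionnaire answers) is a constructed assumption. It treats "a control backed by this evidence level" as working with some probability and marginalises over that, which is the simplest form of the evidence-weighted reasoning the talk attributes to its Bayesian model.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """The six evidence levels from the talk, weakest to strongest."""
    NONE = 0                     # nothing offered for this control
    ASSERTION = 1                # provider says "we do this"
    CONTRACT = 2                 # written contractual commitment
    INDEPENDENT_VALIDATION = 3   # e.g. SOC 2 Type 1: auditor saw the control exists
    INDEPENDENT_TESTING = 4      # e.g. SOC 2 Type 2 / pen test: control was tested
    SECURE_BY_DESIGN = 5         # service designed to be secure from the base up
    ASSURED_COMPONENTS = 6       # built from independently assured parts


# ASSUMED credence that a claimed control really works, given the evidence
# behind it. Illustrative figures only, not KuppingerCole's calibration.
P_CONTROL_WORKS = {
    Assurance.NONE: 0.0,
    Assurance.ASSERTION: 0.3,
    Assurance.CONTRACT: 0.45,
    Assurance.INDEPENDENT_VALIDATION: 0.6,
    Assurance.INDEPENDENT_TESTING: 0.8,
    Assurance.SECURE_BY_DESIGN: 0.9,
    Assurance.ASSURED_COMPONENTS: 0.95,
}


@dataclass
class Risk:
    name: str
    category: str               # one of the five classes named in the talk
    impact: float               # inherent loss if the risk materialises
    probability: float          # inherent chance per year that it does
    reduction_if_works: float   # share of that probability a working control removes


def residual_probability(risk: Risk, level: Assurance) -> float:
    """Marginalise over whether the control works: it only earns the
    probability cut to the extent the evidence level makes it credible."""
    p_works = P_CONTROL_WORKS[level]
    return risk.probability * (1.0 - p_works * risk.reduction_if_works)


def expected_loss(risk: Risk, level: Assurance) -> float:
    return risk.impact * residual_probability(risk, level)


def assess(register, evidence, excluded=()):
    """Per-risk residual view plus the aggregate. `evidence` maps risk name to
    the strongest assurance level obtained; `excluded` names risks the
    customer has judged not to apply to this use of the cloud."""
    rows = []
    for r in register:
        if r.name in excluded:
            continue
        level = evidence.get(r.name, Assurance.NONE)
        rows.append({
            "risk": r.name,
            "category": r.category,
            "inherent_loss": r.impact * r.probability,
            "residual_prob": residual_probability(r, level),
            "residual_loss": expected_loss(r, level),
            "assurance": level.name,
        })
    inherent_total = sum(x["inherent_loss"] for x in rows)
    residual_total = sum(x["residual_loss"] for x in rows)
    return {
        "risks": rows,
        "inherent_total": inherent_total,
        "residual_total": residual_total,
        "reduction": 1.0 - residual_total / inherent_total if inherent_total else 0.0,
    }


# Constructed sample register; values are made up for illustration.
REGISTER = [
    Risk("loss-of-service", "availability", impact=100.0, probability=0.5, reduction_if_works=0.8),
    Risk("data-leakage", "cyber", impact=200.0, probability=0.1, reduction_if_works=0.9),
    Risk("regulatory-fine", "compliance", impact=50.0, probability=0.2, reduction_if_works=0.5),
    Risk("lock-in", "lock-in", impact=40.0, probability=0.5, reduction_if_works=0.5),
]

# Constructed questionnaire answers: the evidence each control actually has.
EVIDENCE = {
    "loss-of-service": Assurance.INDEPENDENT_TESTING,   # SOC 2 Type 2 report seen
    "data-leakage": Assurance.SECURE_BY_DESIGN,
    "regulatory-fine": Assurance.ASSERTION,             # marketing claim only
    # lock-in: no evidence offered, so it stays at its inherent level
}

if __name__ == "__main__":
    result = assess(REGISTER, EVIDENCE)
    for row in result["risks"]:
        print(f"{row['risk']:<16} {row['assurance']:<22} "
              f"inherent={row['inherent_loss']:.1f} residual={row['residual_loss']:.1f}")
    print(f"aggregate: {result['inherent_total']:.1f} -> {result['residual_total']:.1f} "
          f"({result['reduction']:.0%} reduction)")
```

The shape mirrors the talk's argument: a bare assertion barely moves the residual figure, tested controls move it a lot, and a risk with no evidence behind it (lock-in here) is carried at full inherent weight into the aggregate, which is what makes the "trust, but verify" step visible in the numbers.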