In embarking on a Cloud Computing project, it is important to assess the risks, come up with strategies to mitigate the risks and communicate any that aren’t sufficiently covered.

In practical terms this involves a mix of project management and business continuity best practices to arrive at a) the overall risk of the project, and b) what can be done to mitigate or lower the risk to acceptable levels.

Risk assessments take into account fire, flood and other intentional and unintentional disruptions caused by people. These are multiple pathways that can disrupt the people, processes and technology that drive an organisation’s effectiveness.

Other outside dependencies like power and light, gas and water, postal services, inbound and outbound logistics (shipping), data and telecommunications are all likely to be providing inputs and managing outputs independent of your control and oversight.

Organisational impact: what would happen if?

What would happen to the organisation, customers, brand and staff if this scenario power was cut for the local area for an extended period?  What would happen if diesel or natural gas delivery was disrupted?  Are the generators capable of running on multiple fuels?  What is the minimum workspace required to perform the most essential tasks?  If the workspace was not available, what would happen?


Mitigation strategies: what can we do to lessen impact?

Mitigation strategies introduce stacking-the-deck strategies to minimise the impact of events. If you depend upon the Internet to communicate, installing a satellite link and/or a cellular data link as a backup might prevent an outage. If voice is critical, alternatives such as voice over IP or cell over IP can provide communications in a crisis.

Continuity plans: keep going if the worst happens

A continuity plan is simply the formalisation of the steps you must take to continue operations in the face of a disruption. Once the ideas start flowing on how to keep things from occurring, management will buy in to the alternate strategies and fund practicing drills for the reaction strategies that kick in after the event has occurred.

Testing the continuity plan

Most organisations start testing by requesting comments on the written plan, then move to a structured walkthrough or a group edit, then up to a tabletop exercise.

In a tabletop exercise, the players represent a particular business role such as the accounting manager or IT manager. The exercise referee announces the type of disruption. The players then walk through in a timed round what they would do about the disruption.

The exercise helps ensure that the plan has no gaps in coverage and the staff understand the plan well enough to execute under the pressure of real events. These are exercises. There is no right or wrong answer.

Business continuity planning

Figure 11: Business continuity planning

The only wrong answer is answering no to the question “Did we test this?” when we actually have to undergo the real thing. This level of planning helps identify areas of risk and also contributes to formally devising plans to reduce the risk to an acceptable level.

External versus internal hosting providers

An external hosting provider will provide some economies of scale, especially if the organisation is small or medium-sized. Larger entities may also benefit if the application or infrastructure is a commodity. The external provider may be able to provide additional services than are available internally at a reduced cost.

For example, e-mail and Webmail generally are favorably evaluated for conversion because a) the transactions generally traverse the Internet anyway, and b) the actual transaction processing is usually done within the confines of some narrowly defined application hosts with very little customisation, or customisation that can be easily duplicated by an outsourcing partner.

Exceptions may be sensitive government or civilian traffic. This may be so sensitive that the actual e-mail does not traverse public networks. In these cases, it can still be converted to a private Cloud hosting facility, provided the service provider requires rigorous HR background checks, and substantial and documented internal controls.

When your hosting provider is so strict that an organisation is not authorised to visit its own hosting facility unescorted, we may be approaching the appropriate level of strictness required to outsource the most sensitive transaction processing. Even so, there are, quite frankly, some applications that may not fare well in a Cloud environment.

Information such as that with a high risk for theft or that could cause major financial loss if misused, or anything that is proprietary intellectual property or could cause risk to life or property may not be suitable to store electronically at all.

Identifying the risk of the information stored on a public or private Cloud service provider is a key issue in identifying and quantifying risk. A public Cloud is hosted on shared resources open to the public. A private Cloud hosts only information on systems dedicated to one entity.

Private Clouds

The private Cloud model uses the shared service model, but all of the customers for the Cloud are internal. The advantages are that with top management support, a modicum of shared effort and shared goals, a private Cloud running internally can be created using the same best practices and approaching the efficiency of a public Cloud service provider, without some of the security concerns of turning internal data over to third party.

If the main objective is to reduce operating costs by providing a shared platform, this may work very well. Using Cloud Computing techniques can increase the efficiency of internal operations, and, there should be some savings from not having to maintain as vigilant a watch over the service provider, so this option may be as cost-effective as the public Cloud option while avoiding some of the stress and security concerns that apply mainly to public Cloud environments.

This extract is taken from the book ‘Above the Clouds: Managing Risk in the World of Cloud Computing’, published by IT Governance Publishing. The book can be bought at: The extract, and the original text it is taken from, are both subject to ITG copyright and may not be reproduced in any form without prior consent.