Risky Business

There is a significant focus within government agencies on the management of risks associated with the adoption of cloud services. This is to be expected as the general perception is that the “cloud” is risky and that adopting cloud services could result in bad outcomes.

Axenic developed the Cloud Computing: Information Security and Privacy Considerations paper which has been published by GCIO. The paper includes 105 questions that agencies planning to use a cloud service should answer in order to help them understand the risks associated with their use of the service. It also includes a significant amount of context and guidance for agencies seeking to leverage cloud services. However, the 105 questions have recently been extracted into a spreadsheet and labelled the “Cloud Risk Assessment Tool”, which has reduced the comprehensive guidance in the original paper into a simple set of questions to be answered.

We are seeing agencies treating the completion of the spreadsheet as a compliance exercise rather than a useful way to gather the information required to complete a formal risk assessment of their proposed use of a cloud service. This is a problem as the questionnaire was never designed to replace the need to complete a risk assessment; this is clearly stated in the document: “The process does not attempt to qualify or quantify the risks associated with the adoption of cloud services – rather it is designed to support agencies when they are performing a risk assessment.”

Simply answering the questions does not constitute an assessment of the risks introduced by an agency’s use of a cloud service. Nor does it identify the controls they require to effectively manage those risks so that they remain within its risk appetite.

Although some have claimed that completing the questionnaire is time consuming and expensive, it shouldn’t be. The majority of the questions need to be answered by the service provider, meaning that there should be little overhead for agencies. Once a service provider has completed the questionnaire for one agency, its overhead to provide the information to other agencies should be minimal. Proactive service providers (e.g. Microsoft) have even completed the questionnaire for each of their cloud services and published it on their website.

It is important to recognise that each agency needs to address the agency specific questions, in its own context, for each service it wishes to consume before assessing the associated risks – there are no shortcuts to take here.

The GCIO provides a clearing house for cloud questionnaires that agencies choose to share to ensure consistency of approach across government. This provides a cost effective way to leverage existing responses from vendors.

Agencies need to understand that proper risk management will not be achieved by simply completing the questionnaire and treating risk assessment as a box ticking exercise.