Managing Cloud Computing risks in financial services institutions

摘要

The integration of Cloud Computing with information systems architectures continues to grow at a rapid pace due to the availability of high quality, low cost computing services and organizational efforts to improve efficiency and productivity. Enterprises are increasingly comfortable turning to the Cloud for IT solutions, where teams of dedicated, specialized experts deliver important capabilities and outcomes, instead of investing in the development of internal architectures. While data and systems security concerns remain, for many firms the economic arguments are so compelling in favor of Cloud deployments that adoption tends to proceed regardless of security and assurance worries. As a result, enterprise IT functions find themselves managing an array of risk issues in an environment of diminished transparency and with limited opportunities to directly treat observed risks. The mechanisms for managing technology risks associated with Cloud models differ from traditional approaches taken to control risk in internal architectures. This paper examines emerging threats in Cloud Computing within a financial services organization. This includes consideration of insider threats, data leakage, insecure software, and new Cloud attack patterns. The nature and characteristics of the threats are explained and the paper explores the risk treatment options chosen by the sample organization. The authors' observations are synthesized in a general model that describes Cloud Risks and Controls for financial services institutions.