Business-driven management of infrastructure-level risks in Cloud providers

摘要

Cloud computing is an innovative and promising paradigm that is leading to remarkable changes in the way in which hardware and software are designed and purchased, as well as how IT systems are managed. However, the Cloud is a risky paradigm. For instance, the use of Cloud services, which usually are external assets to their consumers, implies unprecedented risks that must be taken into account.In this paper, we propose the involvement of the risk management discipline into the Cloud computing realm. We present a risk management approach led by business-level objectives (BLOs) of Cloud organizations. Its main goal is to assist in business-driven self-managed Cloud providers, by facing uncertainties always present in their internal decision-making processes. Our Cloud-aware risk management method includes a SEmi-quantitative BLO-driven Cloud Risk Assessment (SEBCRA) as the core subprocess. Its aim is to constantly rank and prioritize risks affecting the governing business-level goals.In addition, we present, as a use case, a PaaS provider that incorporates our risk management approach to enhance the achievement of two BLOs, i.e. maximization of profit and customer satisfaction. In particular, it can manage - identify, assess, and treat - the most critical Cloud infrastructure-level risks, i.e. provisioning its private Cloud, either under- or over-provisioning, as well as resource failures. We present some risk treatment responses to face these risks and we evaluate their impact on the above-mentioned BLOs. Our results show that the best responses to address risks may change over time depending on the current provider's status. As a result, an adaptive management of risks should be considered as a mandatory process for Cloud providers to ensure their success in the ever-growing worldwide ecosystem of Clouds.