
  • Enterprise IT, Sponsored Posts - Tuesday, March 26, 2013 9:43 - 3 Comments

    Assessing risk in cloud computing projects:
    A free framework [sponsored post]


    This article is a sponsored post by Microsoft Australia chief technology officer Greg Stone. Click here to download a free copy of Microsoft’s Cloud Risk Decision Framework.

    When many people come up against the term “risk” in the context of IT projects, they immediately reach for the telephone to call their IT security experts. Risk, to many people, means the risk of data loss; in this sense, focusing on security has often served as a proxy for a more comprehensive IT risk management strategy.

    However, as organisations embrace cloud computing technologies for substantial cost reductions, performance improvements and greater scalability in their IT operations, many IT professionals have become aware that such definitions of risk are not always comprehensive enough to meet their needs.

    The fundamental promise of cloud computing technology is that it allows organisations to externalise many of the resources previously managed within their own operations. However, unlike traditional outsourcing, which has typically been provided by one or multiple suppliers, cloud computing involves a broad range of suppliers whose varying approaches to security, governance, resilience, availability and privacy create a level of uncertainty for organisations. This creates perceived risk.

    ISO 31000, the international risk management standard, defines risk as “the effect of uncertainty on objectives”; by that definition, externalising IT resources via the cloud changes the risk profile of both the workload and the organisation. This demands a formalised approach to understanding and addressing that risk when considering a cloud-based option.

    It is critical for an organisation to make a balanced assessment of this risk, because doing nothing may pose the greatest risk of all. And yet, currently, many organisations are ill-prepared to identify and weigh up the risk landscape associated with a cloud option. With this in mind, Microsoft has developed a Cloud Risk Decision Framework: a set of tools designed to help organisations identify, analyse and assess the potential risks associated with deployments of cloud computing technologies, and to determine how those risks can be treated.

    Right now you’re probably thinking that The Cloud Risk Decision Framework is just another vendor-focused tool designed to get you to adopt Microsoft technologies. Somewhere in this document – probably just when you least expect it! – is a big fat promotion for Windows Azure, right? Or Office 365? Wrong ;)

    This guide has been designed to assist IT and non-IT individuals to evaluate potential cloud-based IT capability, from a vendor-neutral standpoint. It aids the user in evaluating risk, no matter which brand of cloud computing solution you might be evaluating. No additional training should be required as this guide provides a well-structured process that should be easily followed by a competent business practitioner.

    It is not intended to replace a comprehensive Enterprise Risk Management practice within an organisation, however. The Cloud Risk Decision Framework supports the decision-making process in line with the risk management guidance set out in the ISO 31000 international standard.

    The Cloud Risk Decision Framework in practice

    Let’s go into an example of how The Cloud Risk Decision Framework can apply in practice, using the fictional example of a government department known as the Department of Citizen Engagement (DoCE).

    The IT division of the department supports the IT needs of DoCE, as well as several other agencies and departments; not an uncommon situation in government, where large departments often support smaller ones. However, the number of staff being supported has increased steadily over the years, so meeting load requirements has become more challenging at the same time as in-house expertise has come under time pressure and budget pressure has made itself felt. And of course there are ongoing concerns about IT security in a climate where external threats are growing.

    The use of cloud computing technologies is one option to tackle this situation. However, it’s not an easy decision: Some of the supported agencies have stringent regulatory requirements they need to comply with, especially relating to data use and classification.

    Using The Cloud Risk Decision Framework, the first task for DoCE would be establishing the scope for the potential cloud computing project. In this case, it consists of the core messaging system, identity and access systems supporting the messaging system, relevant devices accessing the messaging system (including, for example, smartphones and tablets) and business processes which touch on the messaging system.

    Some time would then be spent agreeing definitions for the impact and likelihood of the various types of risk. For example, a low-impact risk, if it materialised, might be absorbed by normal business operations on the day concerned, while a severe risk, if it materialised, might result in serious (but not complete) damage to the department’s assets or its reputation. It is also important at this stage that the project’s diverse stakeholders become involved in the further analysis: technical staff such as a representative of the department’s IT security team and its CIO, but also representatives of the department’s finance, legal and operations divisions, for example.

    The next stage of the project would involve identifying the risks inherent in the department’s current system. This step can be crucial, as it can reveal some critical risks in the existing environment which might not be widely known, or be perceived as benign when they are actually more serious.

    After that, DoCE would be able to evaluate the risks involved in using, for example, a public cloud computing platform as a replacement, and compare them with the risks of maintaining its current platform. The same process can be applied in more detail to several specific cloud computing solutions, to compare the risks of one solution against another.

    What the department would end up with from this process is four major categories of risk (compliance, strategic, operational, and market and finance), each cross-linked with the likelihood of those risks materialising. This then flows into conclusions about which risks can reasonably be managed and which cannot, and a comparison of the risks inherent in staying on the current platform with the risks involved in migrating.

    The last several steps in DoCE’s process would involve treating risks with risk mitigation strategies – for example, by implementing a hybrid cloud email system which would make some use of public cloud infrastructure while retaining in-house control over some sensitive accounts – and then producing a formal report which can be presented to the department’s executive council.
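    The steps above (agree scales, register the risks of each option by category, apply treatments, decide which residual risks exceed what the department will tolerate) can be made concrete in a small script. The following is an added example and is not the post's own material or part of Microsoft's framework; the five-point likelihood and impact scales, the likelihood × impact score, the risk appetite threshold, and every register entry and treatment for the DoCE messaging project are constructed for illustration.

```python
"""Illustrative risk-register comparison for the DoCE messaging example.

Added example, not part of the original post or of Microsoft's framework.
Assumptions (all constructed): five-point likelihood and impact scales, a
score of likelihood x impact, a risk appetite threshold, and the register
entries and treatments below.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# The four categories the post says the framework produces.
CATEGORIES = ("compliance", "strategic", "operational", "market & finance")

# Assumed five-point scales. "low" (1) is absorbed by normal operations on
# the day; "severe" (4) is serious but not complete damage, as described.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"low": 1, "minor": 2, "moderate": 3, "severe": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    rid: str
    option: str        # "current", "public cloud" or "hybrid"
    category: str
    description: str
    likelihood: str
    impact: str

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


# Constructed register covering the three options DoCE is weighing.
REGISTER = [
    Risk("C1", "current", "operational", "ageing mail cluster cannot meet peak load", "likely", "moderate"),
    Risk("C2", "current", "operational", "single in-house mail admin; key-person dependency", "possible", "severe"),
    Risk("C3", "current", "compliance", "backups of classified mail not encrypted at rest", "possible", "severe"),
    Risk("C4", "current", "market & finance", "hardware refresh unfunded in next budget", "likely", "moderate"),
    Risk("P1", "public cloud", "compliance", "classified agency mail stored outside approved boundary", "likely", "severe"),
    Risk("P2", "public cloud", "strategic", "lock-in to provider's identity model", "possible", "moderate"),
    Risk("P3", "public cloud", "operational", "provider outage outside department control", "unlikely", "moderate"),
    Risk("H1", "hybrid", "compliance", "classified mailboxes kept on-premises, others in cloud", "unlikely", "severe"),
    Risk("H2", "hybrid", "operational", "directory sync failure splits identity", "possible", "moderate"),
    Risk("H3", "hybrid", "market & finance", "running two platforms during transition", "likely", "minor"),
]

# Treatments lower likelihood and/or impact of a named risk. Constructed.
TREATMENTS = {
    "P1": {"likelihood": "unlikely"},                      # classification gate before migration
    "H2": {"likelihood": "unlikely", "impact": "minor"},   # monitored sync plus break-glass accounts
    "C3": {"likelihood": "rare"},                          # encrypt backup media
}


def residual(risk: Risk) -> Risk:
    """Return the risk with its treatment (if any) applied."""
    return replace(risk, **TREATMENTS.get(risk.rid, {}))


def profile(option: str, treated: bool = False) -> dict:
    """Worst-case score per category for one option, inherent or residual."""
    worst = defaultdict(int)
    for r in REGISTER:
        if r.option != option:
            continue
        r = residual(r) if treated else r
        worst[r.category] = max(worst[r.category], r.score())
    return {c: worst[c] for c in CATEGORIES}


def unmanageable(option: str, appetite: int) -> list:
    """Risk ids whose residual score still exceeds the appetite threshold."""
    return sorted(r.rid for r in REGISTER
                  if r.option == option and residual(r).score() > appetite)


def compare(appetite: int = 9) -> dict:
    """Per-option summary from which the executive report can be built."""
    return {
        opt: {"inherent": profile(opt),
              "residual": profile(opt, treated=True),
              "unmanageable": unmanageable(opt, appetite)}
        for opt in ("current", "public cloud", "hybrid")
    }


if __name__ == "__main__":
    for opt, summary in compare().items():
        print(opt, summary)
```

    With these constructed figures the untreated public cloud option carries the single highest compliance score, but after treatment it is the current platform that retains the most risks above the appetite threshold; that is the "risk of doing nothing" the post refers to, made visible only because the existing environment was assessed with the same scales as the alternatives.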

    This may, or may not, result in an immediate decision to proceed with the project – but it may allow high-level decision-makers to authorise further in-depth investigation of the various options. The initial risk assessment conducted through the use of The Cloud Risk Decision Framework would then form a ‘launching point’ for further research.

    You can see from this example that a department like DoCE would have had quite sensible fears about migrating its core messaging platform to a cloud computing solution. But here’s the thing about fear: when it is broken down into its constituent parts and analysed, it starts to seem manageable rather than insurmountable. This is what The Cloud Risk Decision Framework is all about: building a needed level of discipline among professional buyers of IT products and services. In the process, risk management turns from an impediment to IT projects proceeding into an enabler of positive, considered change. And I think we can all agree that’s a very good thing.

    Click here to download a free copy of Microsoft’s Cloud Risk Decision Framework.




    1. Steve Hodgkinson, Research Director IT Asia/Pacific, Ovum
      Posted 26/03/2013 at 10:11 am | Permalink | Reply

      We need to think of this in terms of both type I and type II errors in cloud services procurement.

      Cloud services policies are being developed and iterated in all government jurisdictions. Having reviewed a number of draft policies in recent months, I believe policy-makers need to work harder to create a level playing field for cloud services adoption, mindful of the potential for both type I procurement errors (buying a “bad” cloud service) and type II procurement errors (buying or building a “bad” in-house, shared, or outsourced service, when a cloud service would have been better).

      Policies tend to be biased toward avoiding type I errors, so even in policies that are well-intended the playing field is tilted away from cloud services. This leads agencies into a distorted view of the risks of cloud services … “better the devil you know”. Type II errors (made by undervaluing cloud services benefits and underestimating the risks in the status quo) can, however, create worse outcomes, arising from waste, mismanagement and missed or delayed opportunities for productivity improvement and innovation in policy and service delivery.

      The risks of procuring a “bad” cloud service are relatively low and can be contained by well-established risk-management mechanisms and shorter contract terms. However, the risks of buying, building or perpetuating a “bad” in-house, shared, and outsourced service are well understood; they are often substantial, long term, and difficult to mitigate … as we have (sadly) seen time and time again in many government agencies.

      • Posted 26/03/2013 at 12:23 pm | Permalink | Reply

        Good comment as always Steve!

        I think your thoughts speak to much of the current difficulty involved in purchasing cloud computing services in government right now. Departments and agencies are often set up to purchase things using certain frameworks for doing so. Often, as you mention, cloud computing services are fundamentally different — the risks of procuring a ‘bad’ cloud service are just fundamentally different from the risks of procuring an in-house solution, as the underlying technology is just different.

        I think in Australia that your work personally on cloud computing has done much to provide some sensible thinking around starting to give departments and agencies tools that allow them to move past these internal blocks on procurement thinking and towards more positive, productive approaches. Microsoft’s not paying me to write this comment, but I have read through the company’s Cloud Risk Decision Framework, and in my opinion it’s another useful tool in this regard. I think much of this is about providing tools to help generate a shift in thinking towards evidence-based approaches rather than emotional, often fear-based approaches (‘our data is out of our hands’), or just traditional existing process-driven approaches (‘the cloud needs to mimic the exact same functionality as on-premise’).

        In this regard, the more tools available to help everyone understand how this stuff works, the better.

        I even face some of these decisions in my own small business. Do I host Delimiter’s web hosting offshore or onshore? With a public cloud provider or a private server? How do I protect myself from third-party access to emails I have with sources I need to protect? And so on.

    2. Conor
      Posted 03/04/2013 at 1:16 pm | Permalink | Reply

      Nice article and great “Cloud Risk Decision Framework”…

      Has anyone got any links to where this material actually lives (Landing page on MSFT)?

      The link above to the framework is hosting it off http://delimiter.com.au/

      I wanted to download the actual Excel Files that accompany the document.



