There are two types of risks involved in cloud computing—Operational Risks and Systemic Risks.
Operational Risk involves more than security. An assumption that operational risk is all about security will create a tunnel vision that is risky in itself! Agility, availability, scalability and time to recover are factors that must be taken into consideration while evaluating operational risk. It is an umbrella term that encompasses risks arising form potential damage or loss of data, performance defects, latency and downtime costs. All these risks directly affect the bottom line of the business.
A systemic Risk is the risk of collapse of the entire system. The shift to cloud computing can result in instability that is exacerbated by events that are interposed by inter-linkages, interdependencies in the system. A single entity or a cluster of entities or a cascade of entities may cause the failure resulting in system failure. Systemic risks may result in the enterprise being put out of business temporarily or permanently.
Evaporating risks in the cloud involves mitigating both operational and systemic risks. Operational risks can be addressed on a proactive rather than reactive basis. The service provider and the enterprise can jointly evaluate the operational risks and institute risk management processes that is repeatable, scalable and combative of any “flash crowd” syndromes that may affect the organization. The organization can further mitigate operational risks by putting dynamic application delivery infrastructures in the cloud with a capacity to automatically adjust delivery policies while maintaining a consistent performance level.
Systemic risks in the cloud can be reduced and managed by ensuring that the service provider and the enterprise use a pull based, dynamic, secure environment for information storage and recovery. Systemic risks can be further controlled by building robust policies, plans and procedures for procurement of data center hardware on the part of the vendor or for identity management and access control on the part of the customer. Top level administrators and other privileged users must take their role seriously and ensure that unauthorized access or malicious human intervention does not trigger system crashes.
Having said all this, it is necessary to point out that all kinds of IT risks can only be managed and never completely eliminated. The organization’s success and even its existence depend on how well risk is managed, controlled and prevented. Evaporating the risk must be integral to any cloud migration policy that may be adopted by the enterprise or technology that may be marketed by the vendor.