Segmentation of Risk Factors associated with Cloud Computing Adoption
Easwar Krishna Iyer, Great Lakes Institute of Management, India, [email protected]
Abstract: Cloud computing, the world of buying computing as a utility, is on the threshold of massive global acceptance. Though the advantages of cloud computing have been widely documented, its adoption as a viable alternative to traditional stand-alone IT systems is only now building up. Organizations are evaluating their IT asset portfolios to assess what could move out to the cloud and what ought to remain in-house. In this context, assets are being bifurcated into ownership assets and utilization assets, and one of the key decision support tools facilitating this division is risk management. Any new technology adoption comes with a set of associated risks, some endogenous and the rest exogenous. This paper aims at mapping the complex risk portfolio associated with cloud computing adoption. The work relies on literature support to stratify cloud adoption risk along six independent vectors and then further subdivides these vectors into multiple sub-vectors. It then maps these sub-vectors onto the three-fold risk categorization framework proposed by Robert Kaplan. The study ends by giving both a complete functional segmentation and a characteristics-based segmentation of cloud adoption risks. Keywords: Cloud Computing, Risk Mapping, Segmentation, Robert Kaplan’s Risk Framework, EASWAR framework
1. Introduction
Any new technology adoption involves a tradeoff between a set of risks and a set of returns. Consider a few examples. Dependence on big data and analytics yields returns in the form of micro-segmentation and positioning of new product offers; the flip side is the risk of human intuition being displaced by machine inference in understanding consumer behaviour. Office-on-the-move devices like laptops and tablets ensure anytime, anywhere information access; the flip side is a severe compromise of work-life balance, with work following people home. Any ERP implementation, despite its known benefits, has downsides like cost overruns, incorrect gap analysis, square-peg-in-a-round-hole fitment and resistance among the rank and file. Cloud computing adoption is no different. The cloud landscape today is dominated by technology titans like Amazon, Microsoft, Google and IBM. The gains that cloud platforms bring are tangible. Offerings like Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) are clearly outlined and well understood by the enterprises that could adopt them. It is the risk side of cloud that requires closer study. Any product goes through four phases: an introduction phase, a growth phase, a maturity phase and a decline phase. This paper refers to that cycle as the Product Development Life Cycle (PDLC). Cloud offerings today are probably in the first of these, the introduction phase. Armbrust Michael et al (2010) state that “Cloud Computing has tremendous potential to benefit organizations, but substantial challenges and risks stand in the way of adoption”. For cloud to move up the PDLC from introduction to growth, the industry must closely understand the perceived adoption risks vis-à-vis the actual gains.
This paper posits that a rigorous segmentation of the aggregate cloud risk factors will go a long way towards understanding the overall risk map. Such a mapping will eventually bolster customer confidence and thereby cloud buying. The paper analyses cloud risks at two levels. At level 01, it relies on a literature survey to demarcate the risks associated with cloud into six broad clusters: Security Risk, Vendor Risk, No Gain Risk, Efficiency Risk, Business Risk and Data Related Risk. Each cluster is further sub-divided, giving 24 independent sub-vectors of risk. At level 02, the paper classifies the 24 individual risk elements into three distinct buckets based on the inherent characteristics of each risk. This categorization framework is adapted from the work of Kaplan and Mikes (2012). The three buckets are Preventable Risks, Strategic Risks and External Risks. Allocating the risk elements across the three Kaplan buckets will eventually help in the monetization of all risk elements (monetization itself is not part of this study).
82
Easwar Krishna Iyer
2. Literature Survey
Academics have already reviewed cloud computing across all its risk perspectives. A brief of that work is given in this section to lay the foundations of cloud risk segmentation and mapping. Bannerman Paul L (2010) compares the impact of ten cloud risk categories across research and practice; the practice data is a mix of expert opinions and industry surveys and the research data comes from a literature survey. Most of Bannerman’s risk vectors are considered in this paper too. The seminal work by Armbrust Michael et al (2010) helps in understanding the ten key bottlenecks for cloud adoption; in hindsight, many of them are perceived adoption risks. Achara Sachin et al (2014) focus specifically on security-related risks and their monitoring in the context of cloud adoption. Their paper separates the risk from external attacks from the risk arising out of internal architectural choices such as multi-tenancy. Alali Fatima A et al (2012) study cloud risk from an accounting and auditing perspective. Dutta Arnab et al (2013) arrive at their list of cloud risks by developing a questionnaire and distributing it to around 300 IT professionals. The top three scores in terms of perceived risk were for confidentiality, legal inconsistency and vendor lock-in; all three vectors find a mention in this paper too. Etro Federico (2011) discusses macroeconomic perspectives of cloud adoption such as tax implications, including the possibility of service tax for cloud service providers in the pay-per-use space. Fan Chiang Ku et al (2012) start from the premise that people working in the field of cloud computing are not fully exposed to the entire gamut of risks, owing to the novelty and complexity of the technology. Among other risks, the paper clearly delineates disclosure risk due to deliberate malice from accidental disclosure.
Hosseini A. Khajeh et al (2011) offer a decision template for cloud adoption that is primarily driven by cost modelling. Kalyvas James R et al (2013) offer a framework for measuring and managing cloud computing risks in a detailed article spread over two parts; between them, the two parts cover almost the entire gamut of cloud risks, from disclosure to confidentiality breach to lack of continuity to cloud outages. Krishna Iyer Easwar et al (2013) model the Net Present Value (NPV) of future cash flows for a firm that adopts cloud. The paper arrives at a bulk unknown risk component, which the authors call Yuk; this parameter represents a non-cash, yet monetizable, aggregate unknown risk that goes with cloud adoption. Nkhoma Mathews Z et al (2013) survey potential cloud adopters at large scale to find the barriers to cloud adoption. Tisnovsky Ross (2010) brings in the crucial element of lack of control, real as well as perceived, for a business that moves its processes to the cloud. A few more papers listed in the references section complete the 360° cloud risk perspective. All the papers discussed so far cover the risk angle specifically from the cloud computing perspective. This literature survey also covers a few papers which do not touch upon cloud but look at risk on a standalone basis. The most important among them is the work of Prof. Robert S. Kaplan, co-creator of the Balanced Scorecard management system. Kaplan and Mikes (2012) discuss managing a risk ecosystem within a new framework that broadly divides risks into rule-based controllable risks, strategic risks handled through dialogue and discussion, and external risks handled through anticipation. This paper uses Kaplan’s generic segmentation framework to map the cloud risks and analyse their differential impact; that mapping is dealt with in a section of its own (Section 5).
To sum up, there is a body of literature available today that deals with cloud adoption and its associated risks. The purpose of the trilogy of papers on cloud and risk that this author is writing is to arrive at an actuarial evaluation of risk. To that end, the first part of the trilogy mathematically modelled risk as a single large amorphous parameter; that part is summarized in the next section. The second part, this paper, delineates cloud risks and maps them onto the Kaplan framework. The perception of these risks across different industries will differ. The third part aims at creating a framework using tools like regression and probability to arrive at a reasonably precise monetized value for risk. From this cumulative perspective, the study is unique.
3. Part 01 of this Trilogy – A Brief
This study [Krishna Iyer Easwar et al (2013)] looks at how the Net Present Value (NPV) behaves for a firm that progressively moves into cloud adoption. It aims to find the cloud adoption fraction at which the NPV is maximized. That framing already implies that NPV is not a linear function of cloud adoption. The function obtained has an interior maximum: NPV increases monotonically up to some adoption level and then starts falling as the adoption intensity increases further. The turnaround is driven primarily by the unknown risk vector (the paper designates this amorphous unknown risk parameter as Yuk). If one plots NPV against incremental cloud adoption for various arbitrary ‘values’ of Yuk, the turnaround occurs earlier (at a lower adoption fraction) as Yuk grows. The adoption fraction at which the NPV function maximizes is thus critically hinged on the unknown risk component Yuk. The paper surmises that the skeptical adoption of cloud seen today is primarily due to the perception of a high amount of risk at higher adoption levels. To understand the real adoption roadblocks, a better understanding of the parameter Yuk is necessary. Delineation and segmentation of the risk factors associated with cloud adoption is the purpose of this paper; monetization of the same is the purpose of the last paper of the trilogy.
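The turnaround effect described above can be made concrete with a small numerical model. The following Python is an added illustration written for this page, not the model from the first paper of the trilogy: the functional form (a cash saving linear in the adopted fraction, an expected annual loss from the unknown risk equal to Yuk times the square of the adopted fraction, and a one-off migration cost proportional to the adopted fraction), the parameter values, and the names `CloudCase`, `npv`, `best_fraction`, `closed_form_best` and `turnaround_table` are all assumptions made here. What it shows is the qualitative claim of the paper: the NPV-maximizing adoption fraction falls as Yuk rises.

```python
"""Hypothetical NPV-versus-adoption model.

Added illustration of the turnaround effect described in Section 3. The
functional form and every number below are assumptions for this example,
not the model of the trilogy's first paper.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CloudCase:
    annual_saving: float   # yearly cash saving if 100% of IT moved to cloud (assumed)
    migration_cost: float  # one-off cost of migrating 100% of IT (assumed)
    discount_rate: float   # per-year discount rate used for the NPV
    years: int             # planning horizon in years
    yuk: float             # aggregate unknown risk parameter (the paper's Yuk)


def annuity_factor(rate: float, years: int) -> float:
    """Present value of 1 unit received at the end of each of `years` years."""
    return sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))


def npv(case: CloudCase, a: float) -> float:
    """NPV of moving adoption fraction `a` (0..1) to the cloud.

    Assumed model: the cash saving is linear in `a`, the expected annual loss
    from the unknown risk is yuk * a**2 (exposure grows faster than adoption),
    and the migration cost is paid up front in proportion to `a`.
    """
    annual_net = case.annual_saving * a - case.yuk * a * a
    return (annuity_factor(case.discount_rate, case.years) * annual_net
            - case.migration_cost * a)


def best_fraction(case: CloudCase, steps: int = 100) -> float:
    """Adoption fraction on a grid of `steps` intervals that maximizes NPV."""
    grid = [i / steps for i in range(steps + 1)]
    return max(grid, key=lambda a: npv(case, a))


def closed_form_best(case: CloudCase) -> float:
    """Analytic maximizer of the quadratic above, clipped to [0, 1]."""
    af = annuity_factor(case.discount_rate, case.years)
    a_star = (case.annual_saving - case.migration_cost / af) / (2.0 * case.yuk)
    return min(1.0, max(0.0, a_star))


def turnaround_table(base: CloudCase, yuks: list[float]) -> list[tuple[float, float]]:
    """(yuk, NPV-maximizing adoption fraction) pairs for a sweep of Yuk values."""
    return [(y, best_fraction(replace(base, yuk=y))) for y in yuks]


if __name__ == "__main__":
    base = CloudCase(annual_saving=100.0, migration_cost=50.0,
                     discount_rate=0.10, years=5, yuk=50.0)
    for y, a in turnaround_table(base, [25.0, 50.0, 100.0, 200.0, 400.0]):
        print(f"Yuk={y:6.1f}  NPV-maximizing adoption fraction={a:.2f}")
```

With the assumed numbers, a low Yuk makes full migration optimal, while each doubling of Yuk roughly halves the adoption fraction at which NPV peaks; the grid search and the closed form agree to within the grid spacing.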
4. Functional Segmentation of Cloud Risks
Based on detailed literature reviews, this paper identifies six broad areas of functional risk aggregation in the context of cloud computing adoption. It is worth mentioning at this point that when the paper discusses cloud from the risk analysis point of view, it means public clouds only. Risks like ‘lack of control and governance risk’ or ‘data center location risk’ do not apply to a private cloud in the way they apply in the public cloud space; the same holds for risk elements like vendor lock-in and SLA adequacy. The risk analysis in this paper is therefore confined to the risk of migration to the public cloud. Each of the six risk spaces is briefly touched upon below.
4.1 Security Related Risks
Based on the frequency with which they are cited in the literature, security-related risks are the prime concern of customers on the threshold of cloud adoption. A slew of sub-factors, most of them endogenous, make up the overall Security Risk. Disclosure of data, whether by malicious insiders or by sheer accident, is a key security threat. Breach of confidentiality (termed ‘privacy’ in some industries, such as healthcare) is another security vector. The security environment can also be compromised on a large scale by external factors like natural disasters, which put availability at stake: Japan went through a delicate period restructuring its datacenters after the 2011 earthquake and tsunami.
4.2 Vendor Related Risks
The vendor space in the newly evolving cloud market splits into a utility provider space and a solutions integrator space. It is a three-layer architecture: the top layer is the utility computing provider, the middle ‘intermediary’ layer is the web application and SaaS solution provider, and the third and last layer is the cloud / SaaS user. The top two levels thus combine to deliver the final cloud application to the end client. Client firms often burn their bridges by decommissioning their traditional in-house infrastructure before the migration to the cloud has proven itself; in that situation, lock-in with an incompatible vendor is the biggest risk they run in the vendor space. Reputation fate-sharing with another client’s mishandling of the shared cloud, lack of continuity of vendor operations (typically those of the intermediary vendor) and poor uptime maintenance of cloud operations all add up to the platform called Vendor Risk.
4.3 ‘No Gains’ Risks
The key posited cloud gain of zero CAPEX (capital expenditure) often obscures the significant increase that cloud adopters will face in running OPEX (operational expenditure). There are studies indicating that IT operational expenses can exceed the initial savings in capital purchases within a five-year cloud adoption life cycle. The posited cash gains of cloud adoption might also prove transitory in the event of energy cost escalation. There could be hidden tax implications too, with service tax coming in for cloud offerings: the tax component in a product purchase is more obvious than the ‘hidden’ tax component in a pay-and-use service purchase like cloud computing. All these factors add up to the ‘No Gain’ Risk vector.
Figure 1: Six aggregate cloud risk vectors exploded into 24 sub-risks. (The number in the last column indicates the literature reference of each sub-risk.)
4.4 Efficiency Related Risks
A combination of internal and external factors impedes the efficiency of cloud operations. Disruptions to smooth operation can be caused by outages triggered by power or network interruption. The possibility of quick upsizing and downsizing (dynamic scalability) can create provisioning roadblocks: on one side, scalability, both up and down, is an intrinsic benefit that cloud computing ushers in, but the constraint it imposes on the system because of the dynamic nature of provisioning brings in an element of efficiency risk. Finally, the intrinsic technical problem of latency, the delay data incurs traversing the network path (distance and the number of hops) from origin to destination, completes the efficiency risk space.
4.5 Business Related Risks
With technology in convergence mode, there could be problems with the newly emerging business models themselves; in other words, technology adoption can compound basic business risks. There is the unknown danger of loss of control and governance over IT assets hosted at a third-party facility. The legal compliance landscape changes with third-party IT support. The location of the data center becomes critical in cloud migration for many industries (banks, for instance). All these add up to the fifth dimension of cloud adoption risk, Business Risk.
4.6 Data Related Risks
This paper treats data per se as distinct from the security framework that envelops it. Data that moves to the cloud is exposed to its own set of sub-risks such as compatibility, migration, restoration, integrity, redundancy and the like. They add up to the sixth and last dimension of risk, Data Related Risk. The 24 sub-risk vectors are listed in Figure 01. The last column of that table gives the literature reference number for each sub-risk (taken in the order in which they appear in ‘References’). As an example, citations on ‘Green Cost’ are found in 4 [Bannerman Paul L (2010)] and 8 [Hosseini A. Khajeh et al (2011)]. The frequency of citation can be taken as a rough empirical indicator of the perceived degree or impact of a given sub-risk.
5. Inherent Characteristics based Segmentation of Cloud Risks
From here we proceed to the second level and re-classify the same set of 24 cloud sub-risks on the basis of the inherent characteristics of each risk. This approach is adapted from the generic risk framework proposed by Kaplan and Mikes (2012). The three buckets of the second stage are Preventable Risks, Strategic Risks and External Risks. The 24 sub-risks are re-categorized according to the Kaplan framework in Figure 02. Each sub-risk is aligned to exactly one Kaplan category, and the row-column alignment is indicated by a tick mark. If unweighted counts are any indicator, 9 of the 24 sub-risks (37.5%) are preventable, 11 (about 46%) have a strategy-building quotient and only 4 (about 16.5%) are external. This picture will change substantially once weightages are assigned to individual risks, which is what the third and last part of this study (not part of this paper) is about.
5.1 Preventable Risks
Figure 2: Categorizing the 24 sub-risk factors into preventable, strategic and external risks.
Many risks that firms face have no flip-side gain associated with them; in other words, no user or user group gains any strategic leverage by taking such risks. Hence the only two approaches to handling them are elimination or minimization. Some of these risks can be controlled by putting rigorous rules in place and ensuring compliance. Accidental disclosure of data can be avoided by putting checks and processes in place (access controls and data-handling procedures, for instance). In some cases, upfront signalling of value systems (through vision statements and mission statements) can reduce the occurrence of certain classes of risk; unauthorized and malicious leaks of information by disgruntled employees fall in this category. On a different plane, the risk of data loss can be brought down sharply through data redundancy measures, though not eliminated outright, since replicas faithfully copy a corruption or deletion unless a point-in-time backup is also kept. SLAs, service levels, service uptime, business continuity and the like can be improved by bringing in a rule-based risk management environment. Across industries, preventable risk is the best understood risk management category.
5.2 Strategic Risks
As explained previously, in the Kaplan framework Strategic Risks are risks that firms take on in order to gain a specific strategic leverage. Conscious adoption of a multi-tenancy framework (despite the known risks of common space shared by multiple clients) is done to gain a better price on cloud offerings, since the hardware is commonized between multiple users. Similarly, the risk of a high OPEX is consciously accepted to save on equipment purchase, upkeep, upgrades and the like; the associated tax costs and green compromise costs follow the OPEX costs. Strategic risks lack the classic control element that one would associate with a preventable risk: a risk like latency is difficult to control. Viewed from a different perspective, strategic risks are those that follow the archetypal ‘risk-return’ profile; cloud adopters knowingly and consciously accept them to leverage a better strategic return. The point is driven home by examples of strategic risk in other industries. Simple credit default is a strategic risk perpetually associated with banking: any lending carries the inherent risk of a payment default, and if banks cannot absorb this risk, their very survival is in question. Similarly, cannibalization of one’s own brands or variants is a strategic risk for the FMCG (fast moving consumer goods) industry: for a short period, the firm runs the risk of a well-branded product being pulled out while a new variant tries to establish its place. Upfront R&D investment is a strategic risk for the pharmaceutical industry, since there is no guarantee of a breakthrough medicine after every run.
5.3 External Risks
Risks that are external, unknown, exogenous, probabilistic and sporadic fall in this category. Firms normally have no control over risks like arson, disasters, outages and the like. Preparation for such risks is driven by statistical models of these recurring events built on a priori data. In the context of cloud computing, some level of prediction can be achieved for power as well as network outages from historical data. A finer understanding of the inherent characteristics of each of the three risk buckets is given in Figure 03.
Figure 3: Cloud risk delineation based on the inherent characteristics of the risks
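As an added illustration of the ‘prediction from historical data’ mentioned for external risks (this is not code from the paper or from any of the cited works), the following Python fits a Poisson rate to a constructed 24-month outage history for a hypothetical provider and asks how likely the next month is to exceed the number of incidents the adopter has budgeted for, then compares that model-based figure with the plain empirical frequency. The history, the tolerance of one incident per month, the Poisson assumption (independent events at a constant rate) and the function names are all assumptions made here.

```python
"""Outage likelihood from historical counts (added illustration).

The monthly outage history below is constructed for this example; the
Poisson assumption (independent, constant-rate incidents) is a modelling
choice, not something the paper or its sources prescribe.
"""
from __future__ import annotations

import math

# Constructed history: number of outage incidents per month over 24 months.
OUTAGES_PER_MONTH = [0, 1, 0, 2, 1, 0, 0, 1, 1, 0, 3, 0,
                     1, 0, 0, 2, 0, 1, 0, 0, 1, 1, 0, 2]


def outage_rate(history: list[int]) -> float:
    """Maximum-likelihood Poisson rate: mean incidents per period."""
    if not history:
        raise ValueError("need at least one period of history")
    return sum(history) / len(history)


def poisson_pmf(k: int, lam: float) -> float:
    """P(X = k) for X ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def prob_at_least(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam), via the complement of the lower tail."""
    return 1.0 - sum(poisson_pmf(i, lam) for i in range(k))


def months_exceeding(history: list[int], tolerance: int) -> int:
    """Empirical count of past months with more than `tolerance` incidents."""
    return sum(1 for n in history if n > tolerance)


def outage_risk_summary(history: list[int], tolerance: int) -> dict:
    """Model-based versus empirical chance of exceeding `tolerance` next month.

    A large gap between the two numbers is itself a signal: it says the
    constant-rate assumption does not fit the history (bursty outages, a
    trend), and a richer model or more data is needed before the figure
    is used for budgeting.
    """
    lam = outage_rate(history)
    return {
        "rate_per_month": lam,
        "p_exceed_model": prob_at_least(tolerance + 1, lam),
        "p_exceed_empirical": months_exceeding(history, tolerance) / len(history),
    }


if __name__ == "__main__":
    summary = outage_risk_summary(OUTAGES_PER_MONTH, tolerance=1)
    for key, value in summary.items():
        print(f"{key:20s} {value:.4f}")
```

On the constructed history the fitted rate is about 0.71 incidents per month, and the model and the empirical frequency both put the chance of more than one incident next month in the region of one in six, which is the kind of figure an adopter would set against the penalty or business-continuity cost of such a month.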
6. Part 03 of this Trilogy – A Brief
In the broader risk mapping and mitigation context, this paper is the second part of a trilogy of studies on cash flow modelling and risk mapping of public clouds. The first paper, presented elsewhere, draws attention to the non-cash, yet monetizable, ‘aggregate risk component’ associated with cloud adoption. This paper disaggregates that risk into multiple risk vectors. The third and last paper in the trilogy, currently on the drawing board, will do a weighted analysis to deterministically evaluate the actuarials associated with each risk. For both the current study and the previous one, the entire analysis can be done by focusing on the vendor space; neither mentions any specific cloud customer nuance, so the first two parts are, in a sense, ‘adoption industry agnostic’. The third part of the study, where individual weights have to be arrived at for each cloud risk, will be highly adoption-industry specific: the individual risk weightages for the banking industry will not be the same as for, say, the healthcare industry, though the broad risk elements will be the same. The trilogy will conclude with a risk evaluation framework, Evaluation of Actuarials by Segmented and Weighted Analysis of Risk, or in brief the EASWAR Framework.
7. Conclusion
As a technology offering, cloud computing, which offers distributed, on-demand, self-service, location-independent, elastic, pay-for-use, zero-CAPEX, zero-ownership, utility-driven computing, is here to stay and grow. The movement towards cloud adoption is in line with the global trend of moving from product procurement to service procurement. With cloud computing poised to move from its nascent phase to a more robust growth phase, a systemic understanding of the risk space enveloping it is becoming important. This paper focuses on delineating the risk vectors of the cloud landscape. Business risk mapping is the process of identifying and segmenting all hazards that impede the normal running of a business, and the hazards have first to be delineated in the functional space. In the context of this paper and cloud, the six functional spaces identified relate to the ‘compromises’ that adopting firms will have to make to accommodate the cloud factor: ‘compromise on security’, ‘compromise on vendor liaison’, ‘compromise on actual gains’, ‘compromise on efficiency’, ‘compromise on business requirements’ and finally ‘compromise on data management’. The functional risk space is then divided into 24 sub-vectors, each indicating one slice of the overall risk. The categorization of risk along functional lines is highly industry dependent. Geopolitics, dollar fluctuation, global demand, OPEC supply, pricing of substitutes, raw material quality and regulatory frameworks would be the functional silos through which one maps the risks of the global oil industry. For the banking sector, say, the functional risk spaces would be operational risk, credit risk and reputational risk: the first is the transactional space, the second the payment default space and the third the credibility space. No two industries will have a common generic set of functional risks.
The first part of this paper uses a literature survey as the basis for analysing the functional risks of cloud adoption. Risks or hazards are of three types: preventable risks with no strategic mileage, consciously undertaken risks with a strategic underpinning, and pure external risks on which firms have no significant handle. This paper segments the 24 functional sub-risk vectors into these three buckets. Threat mitigation on an a priori basis (before the event) would be the approach for Preventable Risks. Consequence containment on an a posteriori basis (after the event) would be the way to tackle External Risks. Risk-return profiling, likelihood analysis, scenario mapping and impact analysis would be the measures for managing Strategic Risks. This paper stops at finding the functional risk silos and classifying them into the three buckets. The next step would be to take a typical cloud adoption industry, say banking, and do an actuarial analysis to estimate the ‘cost’ of each risk. The study of cloud computing risks will be complete when all risk factors are understood, mapped, segmented, weighted and finally monetized.
References
Achara Sachin, Rakesh Rathi (2014), “Security Related Risks and their Monitoring in Cloud Computing”, International Journal of Computer Applications (0975 – 8887), Volume 86 – No 13, January 2014
Alali Fatima A., Chia‐Lun Yeh (2012), “Cloud Computing: Overview and Risk Analysis”, Journal of Information Systems, Vol. 26, No. 2, Fall 2012, pp. 13‐33
Armbrust Michael, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia (2010), “A View of Cloud Computing”, Communications of the ACM, Vol. 53, No. 4, April 2010, pp. 50-58.
Bannerman Paul L (2010), “Cloud Computing Adoption Risks: State of Play”, Asia Pacific Software Engineering Conference (APSEC 2010), Cloud Workshop – Nov 2010
Dutta Arnab, Peng Guo Chao Alex, Choudhary Alok (2013), “Risks in Enterprise Cloud Computing: The Perspective of IT Experts”, Journal of Computer Information Systems, Summer 2013
Etro, Federico (2011), “The Economics of Cloud Computing”, IUP Journal of Managerial Economics. May2011, Vol. 9 Issue 2, p7‐22.
Fan Chiang Ku, Chen Tien‐Chun (2012), “The Risk Management Strategy of Applying Cloud Computing”, International Journal of Advanced Computer Science and Applications (IJACSA), Vol. 3, No. 9, 2012
Hosseini A. Khajeh, D. Greenwood, J.W. Smith and I. Sommerville (2011), “The Cloud Adoption Toolkit: Supporting Cloud Adoption Decisions in the Enterprise”, Software: Practice and Experience, 2011.
Kalyvas James R., Overly Michael R., and Karlyn Matthew A. (2013), “Cloud Computing: A Practical Framework for Managing Cloud Computing Risk—Part I”, Intellectual Property and Technology Law Journal, Volume 25, Number 3, March 2013
Kalyvas James R., Overly Michael R., and Karlyn Matthew A. (2013), “Cloud Computing: A Practical Framework for Managing Cloud Computing Risk—Part II”, Intellectual Property and Technology Law Journal, Volume 25, Number 4, April 2013
Kaplan Robert S., Mikes Anette (2012), “Managing Risks: A New Framework”, Harvard Business Review, June 2012.
Krishna Iyer Easwar, Panda Tapan (2013), “Cash Flow Modeling and Risk Mapping in Public Cloud Computing - An Evolutionary Approach”, International Journal of Consumer and Business Analytics (IJCBA), Vol. 01, No. 1, Feb 2013, pp. 83-94
Mangiuc Dragoş‐Marian (2012), “Security Issues of Cloud Based Services‐ a Guide for Managers”, Review of International Comparative Management, Volume 13, Issue 3, July 2012.
Merton Robert C. (2013), “The Big Idea Innovation Risk: How To Make Smarter Decisions”, Harvard Business Review, April 2013.
Nkhoma Mathews Z., Dang Duy P.T. and Anthony De Souza‐Daw (2013), “Contributing Factors of Cloud Computing Adoption: a Technology‐Organization‐Environment Framework Approach”, Proceedings of the International Conference on Information Management & Evaluation. 2013, p18‐19.
Otim Samuel, Dow Kevin E., Grover Varun, and Wong Jeffrey A. (2012), “The Impact of Information Technology Investments on Downside Risk of the Firm: Alternative Measurement of the Business Value of IT”, Journal of Management Information Systems, Summer 2012, Vol. 29, No. 1, pp. 159-193
Solms R. von and Viljoen M (2012), “Cloud computing service value: A message to the board”, South African Journal of Business Management. Dec 2012, Vol. 43 Issue 4, p73‐81
Tisnovsky Ross (2010), “Risks Versus Value in Outsourced Cloud Computing”, Financial Executive, www.financialexecutives.org, November 2010