Finding a Framework for Hybrid Cloud Risk Management

DISA Chief Technologist States Plan for Cloud

By G C Network | September 23, 2008

In an interview reported on in this month’s Military Information Technology magazine, David Mihelcic, DISA Chief Technology Officer, has laid out his goal for the agency’s cloud computing initiative. As…

Google, GeoEye, Twitter. What a Combination!

By G C Network | September 23, 2008

On September 9th, Bob Lozano posted his kudos to GeoEye for a successful launch of GeoEye-1. (Hey Bob! Where’s that post on your “cloud failure” last week?) According to their…

RightScale goes Transcloud

By G C Network | September 22, 2008

Over the weekend, Maureen O’Gara of SYS-CON media reported that RightScale is now offering a “first in industry” capability to provide application management across multiple cloud infrastructures. It now offers…

A Bill to Outlaw Cloud Computing…..

By G C Network | September 19, 2008

… is what we may see if we don’t educate our lawmakers now! That seemed to be one of the main point at last week’s Google workshop in DC. Berin…

NCOIC and Cloud Computing

By G C Network | September 18, 2008

Yesterday the Network Centric Operations Industry Consortium (NCOIC) had a very good session on cloud computing during their plenary session in Falls Church, VA. Led by NCOIC’s Bob Marcus, speakers…

Military Information Technology Cloud Computing Collaboration

By G C Network | September 17, 2008

Today, we’re happy to announce what we believe to be an industry first. “Military Information Technology Magazine“, as the publication of record for the defense information technology community, is collaborating…

Is 99.999% reliability good enough?

By G C Network | September 16, 2008

According to Reuven Cohen in his recent post, Cloud Failure: The Myth of Nines , the whole concept of reliability may be meaningless. “In the case of a physical failure…

You Probably Use Cloud Computing Already.

By G C Network | September 15, 2008

56% of internet users use webmail services such as Hotmail, Gmail, or Yahoo! Mail. 34% store personal photos online. 29% use online applications such as Google Documents or Adobe Photoshop…

20 Real-Life Challenges of Cloud Computing

By G C Network | September 12, 2008

Nikita Ivanov of GridGain offers some excellent insight into the nuts and bolts of getting the cloud to work. Definitely worth a read. To summarize: Most likely you do NOT…

3Tera Announces Global Cloud Services

By G C Network | September 11, 2008

Last week, 3Tera has announced the availability of global cloud services, based on their AppLogic grid operating system. 3Tera is currently running data centers in seven countries (United States, Japan,…

 (Sponsored by IBM. Originally published on Point B and Beyond)

Hybrid cloud is rapidly becoming essential to today’s information technology processes. This is why hybrid cloud risk management has become the keystone to many modern corporate strategies. To effectively manage this shift, leading enterprises are reorganizing how the business side of IT is accomplished. When this reality is coupled with the rising cost of poor cybersecurity, decisions often rise to the board level.

Threats that challenge cloud-based information systems can have adverse effects on organizational operations, organizational assets, employees and partners. Malicious entities can exploit both known and unknown vulnerabilities, compromising the confidentiality, integrity or availability of the corporate information being processed, stored or transmitted by those systems. In this environment, risk management must be viewed as a holistic activity that is fully integrated into every aspect of the business.

Establishing Standards for Hybrid Cloud Risk Management

The National Institute of Standards and Technology (NIST) offers a very good model for hybrid cloud risk management that groups activities into three categories based on the level at which they address the risk-related concerns. It divides activities and concerns into:

  • The organization level (tier 1);
  • The mission and business process level (tier 2); and
  • The information system level (tier 3).

Addressing these activities in reverse order, the NIST Risk Management Framework (RMF) provides a disciplined and structured process for integrating tier 3 enterprise information security with risk management activities. Since mission or business processes govern tier 2, those details generally lie outside the scope of general treatment. Tier 1 organizational level aspects are, however, at the heart of the organizational restructuring needed to deal with risk management within today’s hybrid IT environments.

One effective approach for addressing the tier 1 aspects of a cloud ecosystem is through the use of a hybrid IT operating model construct. This distributes tactical and operational risk management activities across a front, middle and back office. Generally referred to as a cloud service brokerage, organizational risk management activities are managed through:

  • A front office that accommodates IT service choice, automated provisioning and quick service delivery;
  • A middle office that holds responsibility for decisions that involve business operations and new IT service brokerage functions; and
  • A back office that integrates orders with service provider fulfillment, thus addressing IT supply chain risk management activities in order to ensure the continuous delivery of solutions from the organization’s cloud ecosystem.

More About Cloud Service Brokerage

The IT service brokerage function addressed here is in no way similar to the real estate or financial service broker function with which many are familiar. Far more than the single transaction service of these other broker types, IT service broker functions sit between the back office (operations) and the front office (user experience).

From that position, it is responsible for new IT business operations skills such as sourcing, procurement, packaging and billing. This continuous and ongoing function defines and executes board guidance with regard to the organization’s technology sourcing strategies. It also supports the creation of solution architectures that maximize the value of the multisourced hybrid IT investments while meeting business needs.

Cyberattacks are a threat to businesses everywhere. Executives, board members and IT professionals must strategically organize to address hybrid cloud risk management. While the RMF and business-specific risk management processes are excellent options for tier 3 and tier 2 issues, a front-middle-back office organizational construct can be used to effectively manage tier 1 and the operational risk of the hybrid IT ecosystem.

Cloud Musings

( Thank you. If you enjoyed this article, get free updates by email or RSS – © Copyright Kevin L. Jackson 2015)

Follow me at https://Twitter.com/Kevin_Jackson
Posted in

G C Network