ITIL 4 Acquiring Managing Cloud Services Certification Course: Explore - Risks

Cloud services have inherent risks

Understand risk profile

Pre-define risk appetite

Identify risk mitigations

Common risks:

  • Role and responsibility shifts
  • Unauthorized procurement and use
  • Security
  • API vulnerability
  • Tenant separation
  • Data deletion
  • Vendor lock-in
  • Third-party contracting
  • Migration

1. Role and responsibility shifts

Risk: Responsibilities shift from in-house to CSP team
Mitigation actions:

  • Control at service level
  • Review shared responsibilities
  • Define new roles
  • Training

Risk: Disruption and reliance on technical staff
Mitigation actions:

  • Define full-service architecture before migration
  • Define service usage and SLAs
  • Training

Risk: Overfocus on device management (activities over outcomes)
Mitigation actions:

  • Quantify outcomes

2. Unauthorized procurement and use

Risk: Easy to procure cloud services; weak access controls create risks
Mitigation actions:

  • Control measures and policies
  • CSP monitoring tools
  • Cloud management office

Risk: Uncontrolled purchasing
  • Omission of essential features
  • Discount disqualification
  • Unwieldy vendor management
Mitigation actions:

  • Centralized purchasing
  • Policies and standards
  • Access controls
  • Service catalogs
  • Purchasing frameworks
  • Budget alerts

Risk: Uncontrolled use creates inefficiencies
Mitigation actions:

  • Access controls
  • Resource management training
  • Audits

Risk: Confusing cloud with innovation (don't confuse the two)
Mitigation actions:

  • Establish use cases
  • Differentiate approved and new services

3. Security

Shared responsibility

CSPs use highest level of security

Cloud capabilities enhance CSP security

Benefits consumers

Risk: Inconsistent use of security tools
Mitigation actions:

  • Define security requirements
  • Update security policies
  • Use security monitoring tools
  • Security training

Risk: Misaligned responsibilities
Mitigation actions:

  • Stakeholder education
  • Clear policies

Risk: Physical access
Mitigation actions:

  • Physical access controls
  • Limit consumer access
  • Assess security through third-party audit
  • Limit virtual access

4. API vulnerability

API enables two systems to communicate

Risk: Unauthorized use
Mitigation actions:

  • Secure data
  • Detect and manage failures
  • Security procedures
  • Security tools

Risk: Data storage and transfer
Mitigation actions:

  • Identify data source, destination and route
  • Verify security requirements
  • Review policies and tools
  • Establish minimum security levels

5. Tenant separation/data deletion

Economies of scale through multi-tenancy

Risk to consumers

Risk: Misapplication of procedures (data incorrectly distributed)
Mitigation actions:

  • Ensure adequate CSP procedures

Risk: Unauthorized physical access can lead to data deletion
Mitigation actions:

  • Ensure security measures

6. Vendor lock-in

Switching CSPs difficult (ensure good CSP fit)

Switching can cause architecture issues

Accept switching costs

Risk: High customization = high switching risk
Mitigation actions:

  • Consider cloud usage carefully
  • Rebuild solutions with generic cloud services
  • Ensure common standards
  • Use generic components
  • Flexible applications
  • Evaluate unique components

Risk: Customized SaaS solutions risk vendor lock-in
Mitigation actions:

  • Differentiate SaaS software and customization
  • Assess level of specialist knowledge
  • Check future roadmap
  • Assess cultural fit
  • Support levels
  • How to move service?

7. Third-party contracting

Reasons CSPs take partners:

  • Provide non-core services
  • Wider service offering
  • Access base services

Risk: Unclear relationship
Mitigation actions:

  • Clearly state responsibilities

Risk: Solution contains components from different providers
Mitigation actions:

  • Consumer manages solution
  • Use clearly-defined services
  • Specify responsibilities, vendor engagement, and cloud and vendor management offices

8. Migration

Movement between environments incurs risks

Risk: Stolen credentials
Mitigation actions:

  • Access controls
  • Process testing
  • Policy reviews

Risk: Cloud and in-house differences
Mitigation actions:

  • Planning essential
  • Skill analysis
  • Staffing and training programs
  • Expand skill set

Risk: Access abuse (informal processes cause problems)
Mitigation actions:

  • Security procedures
  • Access controls
  • Monitoring

Risk: Data loss
Mitigation actions:

  • Data retention policies
  • Test for dependencies and failure points
  • Contingency plans

Risk: Contract misunderstandings
Mitigation actions:

  • Due diligence
