
The Cloud Computing Risk Intelligence Map™ provides a unique view on the pervasive, evolving, and interconnected nature of incremental risks associated with cloud computing that executives and managers may find useful in identifying risks that apply to their organizations.
Businesses thrive by taking risks, but falter when risk is managed ineffectively. A Risk Intelligent Enterprise™ recognizes this dual nature of risk and
devotes sufficient resources both to risk taking for reward and to the protection of existing assets.

Cloud Computing Risk Intelligence Map

The Risk Intelligence Map is intended to serve as a guide on the journey toward Risk Intelligence by helping personnel in all functions of an organization broaden their perspective on risk and improve their ability to execute their risk-related responsibilities.
This may be accomplished by using the Risk Intelligence Map to:
- spur discussions about risk management topics, including risk identification, prioritization, measurement, and mitigation
- facilitate the connection of risk management silos
- identify redundant efforts in place to manage risk
- improve efficiency in compliance and risk management efforts
- develop risk event scenarios that require integrated responses
The Risk Intelligence Map is not a definitive or comprehensive representation of risks that may be encountered by an organization. Consider
customizing the Risk Intelligence Map based on risks that impact your organization. Areas could include regulatory, geographic, industry, and
company-specific issues.
For more information on customizing the Risk Intelligence Map to meet the needs of your organization, please contact your Deloitte practitioner.

Risk areas: Governance, Risk Management, and Compliance; Delivery Strategy and Architecture; Infrastructure Security; Identity and Access Management; Data Management; Business Resiliency and Availability; IT Operations; Vendor Management; Business Operations

Governance
- Inadequate management oversight of cloud adoption
- Failure to evaluate and monitor usage of cloud components

Risk Management
- Inadequate analysis of incremental risks introduced by cloud
- Lack of independent assessment of cloud solution
- Insufficient expertise in auditing cloud environment

Compliance
- Inability to demonstrate compliance with regulatory requirements
- Limitations on ability to monitor compliance of cloud components
- Changing compliance landscape due to evolving regulations and standards
- Noncompliance with multijurisdictional data privacy laws due to lack of visibility into data location

Strategy
- Lack of a coherent cloud strategy and roadmap
- Cloud strategy not aligned with business needs or technology maturity

Architecture
- Lack of proper isolation for sensitive data due to multitenancy in cloud
- Lack of configurability and customization of cloud architecture
- Inability to use best-of-breed technologies
- Unacceptable performance degradation due to increased network or system latency
- Failure to engineer cloud applications to leverage scalability offered by the cloud

Vulnerability Management
- Security vulnerabilities introduced by cloud co-tenants and ecosystem partners
- Failure to protect against new vulnerabilities in virtualization technologies
- Lack of timely security patches for proprietary cloud components
- Failure to patch vulnerabilities in virtual machine templates and offline virtual machines
- Inadequate vulnerability testing of services obtained from cloud ecosystem partners

Network Security
- Compromise of cloud management interfaces due to targeted attacks
- Failure to secure network traffic between distributed cloud components
- Exposure to distributed denial-of-service attacks against public-facing cloud interfaces
- Lack of defense against attacks originating from within the cloud environment

System Security
- Compromise of cloud environment due to poor security practices by the customer
- Lack of adequate cloud service security due to conflicting customer priorities
- Insecure end-user systems interacting with cloud-based applications
- Failure to secure intra-host communications among multiple virtual machines

Application Security
- Inability to independently test application security
- Circumvention of application access controls by cloud provider staff
- Failure to secure interfaces between variety of cloud-based and traditional applications
- Inadequate facilities to capture and store application logs

Encryption
- Lack of controls to prevent cloud provider from accessing encryption keys
- Poorly implemented encryption and key management due to cloud service immaturity

Identity Management
- Insecure integration of internal and cloud-based identity management
- Inadequate due diligence prior to assignment of broad cloud management privileges

Access Management
- Failure to implement proper access controls for cloud management interfaces
- Inadequate logical access control options due to cloud service immaturity
- Inability to restrict access or implement segregation of duties for cloud provider staff

Data Acquisition
- Housing inappropriately collected data

Data Storage
- Unauthorized access to data storage through underlying cloud technology
- Inability to monitor data integrity inside cloud storage
- Failure to properly retain data due to complexity of multiple cloud data stores

Data Disposal
- Failure to remove data from multiple cloud data stores
- Insecure deletion of data from multiple-use hardware resources

Data Usage
- Lack of clear ownership of cloud-generated data
- Unauthorized access or inappropriate use of sensitive data (e.g. personal data, intellectual property)
- Underutilization of data use due to restrictions on access to data in cloud

Data Transfer
- Noncompliance with data privacy laws due to cross-jurisdictional data transfer
- Inability to integrate data loss prevention technology with cloud solution

Technology Resiliency
- Cloud service failure due to oversubscription in peak usage periods
- Inability to verify cloud infrastructure resiliency
- Single-points-of-failure due to addition of complex technology components
- Increased complexity of data replication or backup to other clouds or back in-house

Cloud Provider Continuity
- Inability to test cloud continuity and disaster recovery plans
- Lack of continuity plan for cloud provider failure, acquisition, or change in service strategy
- Failure to establish source code escrow agreement for proprietary software

Supply Chain Continuity
- Interruption of cloud services due to critical subcontractor failure

Asset Management
- Failure to comply with software licenses due to ease of cloud resource provisioning
- Insufficient tracking of virtual assets

Project Management
- Poorly defined roles and responsibilities of cloud participants
- Unresponsiveness in cloud provider communications due to customer volume

Incident Management
- Delayed data breach notification due to complex identification of affected customers
- Ineffective incident investigation due to impermanence of virtual systems
- Failure to limit incident spill-over to other cloud tenants

Physical and Environmental
- Inadequate physical and environmental safeguards for cloud locations
- Increased data loss for multiple customers from physical machine theft

Change Management
- Inadequate cloud migration planning
- Inability to align business process changes with standardized cloud service options
- Lack of coordination of system maintenance resulting in conflicting changes and difficult troubleshooting

Operations
- Inadequate monitoring of cloud resource utilization
- IT operational processes not updated to reflect unique cloud computing risks
- Lower availability of cloud service than prescribed by the SLA due to provider oversubscription
- Inability to provide adequate level of service globally
- Inability to troubleshoot performance issues due to continuous environment changes

Vendor Selection
- Inadequate due diligence of cloud security controls
- Lack of sufficient number of viable cloud providers
- Lack of performance track record due to cloud service immaturity

Monitoring
- Lack of performance monitoring mechanisms beyond cloud provider reports
- Inability to use third parties to assess cloud provider performance
- Gap between provider’s nonperformance vs. business impact of service disruption

Vendor Lock-in
- High cost of migrating cloud-resident technology due to proprietary architecture
- Complexity in architecting technical solutions that minimize vendor lock-in
- Failure to plan for cloud portability and interoperability
- Lack of agreed upon exit obligations for both provider and customer

Contracting
- Inability to customize cloud contract and establish cloud provider liability
- Failure to update cloud contract over time to reflect operating changes

Resource Provisioning
- Failure to formally define maximum available cloud resources

Human Resources
- Malicious insiders with administrative access to cloud components
- Inadequate IT skills to manage cloud-based technologies
- Failure to retain technical specialists upon cloud migration to oversee cloud operations

Legal
- Inadequate records management, preservation, retention, and disposal policies
- Failure to consider digital evidence and e-discovery issues in contracts
- Unauthorized exposure of data at cloud locations with unpredictable legal environment

Finance
- Lack of internal controls for financial processes and transactions in the cloud
- Failure to control cloud expenses due to ease of proliferation of cloud usage
- Economic denial-of-service by exhausting metered cloud resources

Tax
- Failure to analyze and plan for tax considerations

Disclaimer
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2010 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
Version 1.0
Item #7355
