
The Cloud Computing Risk Intelligence Map™ provides a unique view on the pervasive, evolving, and interconnected
nature of incremental risks associated with cloud computing that executives and managers may find useful in
identifying risks that apply to their organizations.

Businesses thrive by taking risks, but falter when risk is managed ineffectively. A Risk Intelligent Enterprise™
recognizes this dual nature of risk and devotes sufficient resources both to risk taking for reward and to the
protection of existing assets.

The Risk Intelligence Map is intended to serve as a guide on the journey toward Risk Intelligence by helping
personnel in all functions of an organization broaden their perspective on risk and improve their ability to execute
their risk-related responsibilities.

This may be accomplished by using the Risk Intelligence Map to:

• spur discussions about risk management topics, including risk identification, prioritization, measurement, and
mitigation
• facilitate the connection of risk management silos
• identify redundant efforts in place to manage risk
• improve efficiency in compliance and risk management efforts
• develop risk event scenarios that require integrated responses

Cloud Computing Risk Intelligence Map

The Risk Intelligence Map is not a definitive or comprehensive representation of risks that may be encountered by
an organization. Consider customizing the Risk Intelligence Map based on risks that impact your organization. Areas
could include regulatory, geographic, industry, and company-specific issues.

For more information on customizing the Risk Intelligence Map to meet the needs of your organization, please
contact your Deloitte practitioner.

[Figure: Cloud Computing Risk Intelligence Map. Risk domains shown across the map: Governance, Risk Management, and
Compliance; Delivery strategy and architecture; Infrastructure security; Identity and access management; Data
management; Business resiliency and availability; IT operations; Vendor management; Business operations. Sub-area
labels include Governance, Strategy, Vulnerability management, System security, Identity management, Data
acquisition, Data usage, Technology resiliency, Asset management, Change management, Vendor selection, Contracting,
and Human resources.]

Contacts
National
Rohit Mahajan Shree Parthasarathy
President Partner
Risk Advisory Deloitte India
rmahajan@deloitte.com sparthasarathy@deloitte.com

Regional
West North South
Ashish Sharma Gautam Kapoor Maninder Bharadwaj
Partner Partner Partner
Deloitte India Deloitte India Deloitte India
sashish@deloitte.com gkapoor@deloitte.com manbharadwaj@deloitte.com

Abhijit Katkar Anand Venkatraman Anand Tiwari Manish Sehgal Deepa Seshadri Gaurav Shukla
Partner Partner Partner Partner Partner Partner
Deloitte India Deloitte India Deloitte India Deloitte India Deloitte India Deloitte India
akatkar@deloitte.com anandv@deloitte.com anandtiwari@deloitte.com masehgal@deloitte.com deseshadri@deloitte.com shuklagaurav@deloitte.com

Munjal Kamdar Priti Ray Praveen Sasidharan Muthukumar Karuppiah


Partner Partner Partner Partner
Deloitte India Deloitte India Deloitte India Deloitte India
mkamdar@deloitte.com pritiray@deloitte.com psasidharan@deloitte.com mkaruppiah@deloitte.com

Tarun Kaura Vishal Jain


Partner Partner
Deloitte India Deloitte India
tkaura@deloitte.com jainvishal@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally
separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive
treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not
independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member
firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant
professional(s) for these kinds of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action
that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it,
the user accepts this entire notice and terms of use.

©2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited 
