While cloud services have gained tremendous popularity with enterprises in the past few years for their numerous benefits, they aren't without risk in areas like data security, data privacy and data availability.
Cybercriminals are increasingly targeting the growing concentration, exposure and value of assets in the cloud, and all the while, compliance regulations are becoming more stringent.
It's become apparent that a consensus on how to assess the risks of cloud computing is necessary, but it is difficult to achieve because the industry lacks a single, standard, structured framework to aid enterprises in cloud risk assessment and mitigation.
Today a variety of organizations want to address this issue, perhaps most notably the Cloud Security Alliance (CSA), with its mission to promote the use of best practices for security assurance within the cloud provides multiple initiatives for cloud assessment and certification with respect to the control objectives deemed by the CSA to be important for cloud security and compliance.
The European Network and Information Security Agency (ENISA) produced a cloud computing information assurance framework (IAF) based on the broad classes of controls from the ISO/IEC 271101/2 and BS 2599 standards.
Over the last few years, a plethora of documents have been fostered by these groups and others containing risk exposure information, ad hoc guidance and control checklists to be consulted when considering cloud computing. However, most of these cloud risk assessment documents are deep on security concerns and likely risks, but don't offer a granular, comprehensive framework for assessment that organizations can adopt.
The litany of high-profile outages and security breaches only further confuse businesses as they attempt to correlate their current internal control environments and proposed controls for the cloud with the external incidents chronicled in the press. In this tip, we'll discuss how to choose, develop and begin implementing a standards-based framework for enterprise cloud computing risk assessment.
A cloud security risk assessment approach
As a starting point for conducting a risk-based assessment of a cloud environment, use generic risk frameworks available for enterprises to use as a starting point, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management—Integrated Framework. There are also domain-specific risk frameworks, practices and process models, such as ISO 27001. The IT risk-based COBIT framework from ISACA can fill the gap between generic risk management frameworks and domain-specific frameworks based on the assumptions that IT risk is not purely a technical issue.
However, to address an organization's specific cloud security challenges, it must develop a solid cloud security risk assessment framework by using one or more industry-provided guidelines. For example, the CSA has an assessment initiative questionnaire, and the cloud controls matrix (CCM). Similar to that, ENISA offers an important basis for establishing effective integration with third-party certifications and attestations, for example, ISO 27001/27002, PCI DSS, SOX and SAS 70.
Understanding the business and security context
While numerous cloud service providers offer enterprise-grade (or better) security capabilities, risks are also growing. Cybercriminals are increasingly targeting the growing concentration, exposure and value of assets in the cloud, and all the while, compliance regulations are becoming more stringent. With that in mind, below are the four key steps involved with using a framework to define and assess cloud risk on an ongoing basis.
From the editors: More on cloud risk assessment
Learning guide: Cloud computing risk management
Model the risk profile -- Risk models define the key terms used in cloud risk assessments, including risk factors to be assessed and the relationships among those factors. These definitions are important for organizations to document prior to conducting risk assessments because the assessments rely upon well-defined attributes of threats, vulnerabilities and other risk factors to effectively determine risk. At the time of planning and conducting the business impact assessment, each application or business process in the cloud environment needs to be modeled. From there, two questions should be asked: What are the inherent risks or potential consequences? What is the residual risk left after applying compensating controls?
Select assessment criteria -- The criteria for cloud services should be selected against an organization's risk profile with the intent of identifying critical assets and then analyzing potential vulnerabilities and threats to those assets. The security risks can be assessed in a structured approach by assessing against selected industry standards or guidelines -- ISO 2700x, COBIT, NIST 800-53 and the PCI DSS Cloud Computing Guidelines -- that are applicable to the exposures within the cloud environment. For organizations that are liable to have more than one regulatory compliance requirement, it makes sense to adapt the guidelines of each regulatory standard or guideline to an organization as applicable and then come up with a custom combined framework to assess the desired control sets to fulfill the compliance requirement(s) the organization is subject to.
Perform periodic assessment and continuous monitoring -- It is vital that organizations monitor risk factors identified in risk assessments on an ongoing basis and understand subsequent changes to those factors. They should also update key components of risk assessments reflecting monitoring activities on a periodic basis. Organizations can seek to lower the effort and cost of assessing and monitoring by leveraging third-party assessments when appropriate.
Revisit and update the framework -- Organizations must revisit and update their assessment criteria as new use cases, compensating controls or risks emerge. It will be necessary to periodically repeat risk modeling and assessment to see if different patterns for cloud use are required. It is very important to update assessment criteria when new or updated cloud security standards, guidelines, compliance frameworks or requirements arise.
Cloud computing remains a developing area with its strengths and weaknesses not yet fully researched, documented or tested. Organizations should begin the process of working with a cloud risk assessment framework by using the guidelines mentioned above. In addition, the identified controls should be assessed, tested and validated in the cloud environment on a regular basis and facilitate completion of any relevant compliance requirements.
About the author
Ajay Kumar is an information security manager who has worked for a decade in the information security and risk management domain and has expertise in infrastructure security, identity and access management, threat and vulnerability management, data protection and privacy, cloud security, and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at firstname.lastname@example.org.
This was first published in April 2013