Demystifying the Risk-Based Approach to Cloud Computing

Clearly, cloud computing enables enterprises to stay ahead in today’s era of information technology. However, it also introduces multiple types of risks. According to Cloud Security Alliance1, the top nine threats of cloud computing are data breaches, data loss, account hijacking, insecure APIs, denial of service attacks, malicious insiders, abuse of cloud services, insufficient due diligence, and shared technology issues.

A well-defined risk assessment framework or a risk-based approach to cloud computing adoption can help minimize these various risks which, in turn, will enable enterprises to deploy critical data and applications in the cloud in a consistent manner.

Impact of Risks on the Cloud
Many businesses are struggling to adopt the cloud due to the various risks that surface at different stages. A few of the top cloud risks that enterprises fear are:

Loss and Breach of Data: To improve agility, many enterprises enable their users to work on and access applications via the cloud. However, if users upload critical or sensitive data in the cloud without effective security precautions, it could lead to data breaches and leakages, enabling cybercriminals to access critical data. The classic example of data loss is that of Sony PlayStation2 where information belonging to 77 million user accounts was stolen. Given these risks, it is imperative that any data moved to the cloud is surrounded by robust security controls to prevent all forms of data loss.

Insufficient Due Diligence: Many enterprises blindly move to the cloud without understanding their cloud service providers’ environment, policies, and protection mechanisms. They are often uncertain of what to expect in disaster scenarios, backup and recovery failures, or regulatory compliance environments. Failure to conduct sufficient due diligence in the cloud is risky, and can lead to greater threats.

Shared Technology Issues: Storing data in a multi-tenant cloud environment -- where different organizations share infrastructure, databases, or applications -- is a primary concern due to security reasons. The risks of multi-tenancy vary in different cloud service models such as Infrastructure as a Service (IaaS), Platform as a Service (Paas), and Software as a Service (SaaS). Due to the sharing of physical resources, there is greater security dependence on logical separation at multiple layers. If unauthorized users overcome these separation mechanisms, they could access restricted zones. Additionally, destruction of data becomes a potential risk, specifically when the data is stored on shared media. A lack of robust controls and defenses such as method filtering at the application tier and data access enforcement at the database tier can result in third parties gaining access to confidential data.

The Risk-Based Approach to Cloud Computing

When it comes to cloud computing, the number one challenge most companies face is inadequate understanding of their data. Prior to moving forward with cloud computing adoption, enterprises need to understand the type of data that will be moved to the cloud. A proper risk assessment of data needs to be performed to analyze how important the data is. Additionally, to maintain the confidentiality, integrity, and availability of data sets, organizations need to increase data protection measures with data leakage prevention tools, data encryption, multi-factor authentication, filtering, and other such measures. It is also necessary to maintain transparency by opting for industry-standard cloud providers such as SSAE 16 Type II audited Tier IV data centers.

To keep security risks in control while moving to the cloud, risk assessment and mitigation strategies need to be implemented:

• Detect the risks linked to cloud-based solution deployments.
• Evaluate the risks based on likelihood and impact.
• Develop robust strategies for risk mitigation.
• Integrate final risk ratings into cloud adoption planning.

By establishing robust risk mitigation strategies, organizations are likely to feel more secure. Continuous risk evaluation and mitigation is a must.

While selecting a cloud service provider, here are some of the guidelines that enterprises should follow to keep risks in check:

• Understand and communicate compliance requirements to the cloud service provider.
• Select a relevant cloud service provider with a detailed history of transparency in security and policies built into the cloud platform.
• Understand the cloud application, data, and traffic flow.
• Outline the roles and responsibilities of both the enterprise and the cloud service provider.
•  Gain an understanding of the accreditations and compliance followed by the cloud service provider.

Role of a Governance, Risk and Compliance (GRC) Program in Cloud Computing

Implementing a robust GRC program for the cloud ecosystem will enable enterprises to enhance continuous control monitoring, improve visibility into their risk appetite, and strengthen regulatory compliance. Effective governance and oversight is as significant as the security technology that is being used. With a GRC framework in the cloud, enterprises can achieve:

• Enhanced information security, compliance, and risk management
• High levels of reliability and operational control
• Continuous transparency and confidence
• Robust business continuity and disaster recovery
• Proactive and risk-driven intelligence for decision-making
• Adherence to regulatory compliance mandates

Today, cloud computing is a top priority for enterprises around the globe. However, the elements of IT infrastructure that need to be moved into the cloud will differ from organization to organization.

As technology shifts relentlessly, the evaluation of cloud solutions is not a one-time exercise. Organizations need to ensure that these solutions are implemented in the right manner by adopting a “RISK-BASED APPROACH” while transitioning to the cloud.