Know how to manage your cloud risk
How to easily manage the critical enterprise risk on the cloud — CyberForged
We need to manage the cloud risk as good as we can
Good morning everyone! Today we are going to talk about a topic that we have mentioned in some previous articles but that we have not fully developed: How to easily manage the critical enterprise risk on the cloud. The fact is that if we analyze what really happens when we migrate a complete system to the cloud, we see that there are new risks in the equation, but not only that, but we can also see that the way to face the risk when we talk about cloud changes. Why? Let’s see it.
Shall we start?
The change of risk in the cloud
There are multiple factors why we can assume that risk changes when we talk about a new system or migrating an existing one to the cloud. Some factors that affect this paradigm shift are the following.
Control over physical risk
You have very little (or no) control over the physical infrastructure of the systems, so you can’t really control the internal processes of the provider in which this type of physical infrastructure is managed.
Limited control tools
Precisely because of this lack of control, wherein an on-premise system everything is controlled internally by the company and no additional tool is needed, in the cloud we must rely heavily on contracts to enforce the processes that we need to be fulfilled. In this article, we saw how to control governance depending on the service or deployment model.
Precisely if we follow this reasoning that we can practically only rely on what it says in the contract regarding the physical infrastructure, (and, again, depending on the provider’s own deployment and service model) it means that we must invest a lot of time in ensuring that the clauses of the contract are being met and that the service provider is certainly complying with what has been established.
This is particularly important because cloud providers are continually upgrading their products, so we must be vigilant that the new versions of the products continue to comply with what was agreed and signed in the contract.
All these are situations that worsen and complicate the problem of business risk in the cloud. But what if I tell you now that there is an advantage to all this in terms of risk? This advantage is precisely the same as the disadvantage: The loss of control in the cloud.
This is because if we look at the shared risk table (below, for example, the one published by Microsoft) we can see that actually the cloud provider’s customer can (and should) assume that not all risks are theirs, but that there is a shared responsibility in which, depending on the deployment and service model, they will have more or less control.
This does not mean that you have to control everything 100%, but it does mean that there will be parts that you will not be able to control and that you should treat the risks associated with this layer specifically (such as the physical one) as risks transferred to the provider.
It is very important to know that, although we may treat risk as transferred to the supplier’s side, it will still be our responsibility to ensure that the supplier treats these risks in a way that is appropriate to the requirements of our systems and the laws that apply.
How to effectively deal with cloud risk
Well, once we understand the risk modifiers that cloud use brings with it, we must know how to manage this risk. It all starts with a vendor assessment, which will generally follow these steps:
The first step before being able to understand the risk situation we have with a supplier is to request all the necessary documentation. This documentation should not only be technical but also about processes, data processing, laws applicable to the service provider’s business…. All documents that can help us understand how the provider’s services work should be obtained at this stage.
Review, review, and review
Once we have all the documentation, we should review it. This review should have two parts
- Review of the security program established by the provider, internal processes for incident and emergency management, types of notifications we will receive as customers…everything that has to do with the security established by the provider should be analyzed in this step.
- Review all the information about legality, regulation, and the requirements that these two issues bring with them.
When we have reviewed both issues (security & legal/regulatory) we will be able to have an accurate view of how the provider offers its services.
Once we understand the security program and the laws that apply to the provider, we must understand if their ways of operating are adequate for our systems.
This phase is simply a decision whether or not to accept the provider’s services based on the reviews we have done in the previous step.
Evaluate the provider
Finally, when we are sure that this provider offers what we need in the way we need it, we should investigate things like their reputation with other clients, their financial stability, if they have insurance to back it up…everything we have not investigated up to this point should be included in this phase.
Once we have gone through all this assessment, we will have a pretty clear idea of the specific risks that we will have to deal with in the cloud. The provider itself will have security mechanisms such as firewalls, so there will be risks that can automatically be considered as mitigated.
The risks that remain after this analysis are called residual risks. These risks are the ones that we will actually have to cover with compensatory measures such as data encryption on the disks managed by the cloud provider.
It is very important that this assessment is repeated as often as necessary (at least every year) in order to be sure that the changes introduced by the evolutions of the providers and their products do not affect the security posture of our systems.
With this, we would have the risk of operating in the cloud under control and, above all, we would be sure that we are doing our job to the best of our ability. What do you think, do you think this process is too short or too general? Let me know in the comments.
Originally published at https://cyberforged.com on April 26, 2021.