Risk Assesment

Basic Cloud Risk Assessment Tips

Basic Cloud Risk Assessment

You should worry about the risks of cloud computing. But don’t get too scared. With a few simple steps you can easily get a basic understanding of your risks in the cloud and even have a good start in managing these risks.

If you are a large corporation in a regulated industry, a cloud risk assessment can take weeks or months of work. But even that process starts from simple principles.

Oddly enough, I think any risk assessment of a cloud plan should start with the benefit you are expecting from the cloud service. There are two reasons for that. First, the benefit determines the risk appetite. You can accept a little risk if the benefit is large enough. But if the benefit is small, why take any chances?

The second reason is that not realizing the benefit is a risk as well.

 

For example, if there is a choice between running your CRM system in-house versus in the cloud, you might find that it takes too long to set up the system in-house and it won’t be accessible by sales people in the field. The cloud system will be quicker to deploy and easier to access from outside your company, so the benefit can be realized quicker.

Pretty essential in any cloud risk assessment is figuring out what the data is that you want to store in the cloud. Most of the cloud risk management is built on that pillar.

Pay particular attention to data that identifies persons, log files, credit card numbers, intellectual property, and anything that is essential to the conduct of your business. You can easily guess what this means for a CRM system: customers, proposals, contact details.

The second question then is:

What do you want to do with that data?

How is the cloud provider giving you access to that data? Is the access convenient enough, can you get the reports that you need? In this step you sometimes need to revisit the previous step. For example as you do your reports you figure out that you not only stored customer orders in the cloud, but also your product catalog. So add that to the data that you should worry about.

Once you have a clear idea of the data and the functionality, you can start looking at the value at risk.

hp-bigdata

Beginning with the data, think about what the worst thing is that can happen to the data. What about it getting lost, or falling into the hands of the wrong people? What about the chance that it is changed without you knowing (maybe by a colleague who happens to have too many access rights)? In my experience, people overestimate the risk of the cloud provider leaking your data, and underestimate the risk of internal people leaking your data.

Similarly, what happens to the business if the data or the reports are not available for some period of time? How long can your business get by without having full access to the data? In the worst case the provider goes out of business. Can you survive the time it takes to set up a new service?

With that general picture in your head, you can start looking at the threats. The top risks are that the cloud provider fails to deliver, and that the cloud provider leaks information.

A little more subtle are the cases where you think they should be doing something, but they don’t. If you use IaaS, you may think that the cloud provider is patching your operating systems. Typically, they don’t. And any backup that the cloud provider makes does not protect you from a provider going out of business. So you want to review your assumptions on who takes care of which risk.

If anything, you should think about which data you still want to use after you stop working with that cloud service. This is easier to do before the cloud provider runs into trouble. Regular data extraction can be fairly simple. If your provider does not make that easy, well, maybe they should not be your provider.

Further reading? The European Network and Information Security Agency (ENISA) has produced a very good list of cloud risks. (See my earlier blog: https://cloudtweaks.com/2015/03/top-cloud-security-risks/) I also produced a brief video on that, search for “ENISA top 8 risks” and you will find it on YouTube. For risk assessment purposes I have also created a brief risk triage worksheet. You can get that by signing up to my cloud newsletter at http://www.ccsk.eu.

By Peter HJ van Eijk

Peter HJ van Eijk

Peter HJ van Eijk develops and delivers cloud computing training programs. He has delivered these programs dozens of times in the US, Europe, Middle-East and Asia to a wide variety of participants.

He has worked for Deloitte Consulting, IT supplier EDS, internet providers, and at the University of Twente, where he received his PhD in 1988. He is a board member of the Dutch Cloud Security Alliance Chapter.

Peter is a certified trainer for CSA Certificate of Cloud Security Knowledge (CCSK), CompTIA Cloud Essentials, Virtualization Essentials and Cloud Technology Associate. He wrote these courses or contributed to them.

Countdown to GDPR: Preparing for Global Data Privacy Reform

Countdown to GDPR: Preparing for Global Data Privacy Reform

Preparing for Global Data Privacy Reform Multinational businesses who aren’t up to speed on the regulatory requirements of the European Union’s General Data Protection Regulation (GDPR) are in for a rude awakening when 2018 rolls ...
Why Open Source Technology is the Key to Any Collaboration Ecosystem

Why Open Source Technology is the Key to Any Collaboration Ecosystem

Open Source Collaboration Ecosystem Open source – software whose source code is public and can be modified or shared freely – is a hot topic in the world of technology development and for good reason ...
Gartner’s Hype Cycle for Emerging Technologies, 2017 Adds 5G, Edge Computing For First Time

Gartner’s Hype Cycle for Emerging Technologies, 2017 Adds 5G, Edge Computing For First Time

Gartner’s Hype Cycle for Emerging Technologies Gartner added eight new technologies to the Hype Cycle this year including 5G, Artificial General Intelligence, Deep Learning, Edge Computing, Serverless PaaS. Virtual Personal Assistants, Personal Analytics, Data Broker ...
Advanced IoT systems provide analysis catalyst for the petrochemical refinery of the future

Advanced IoT systems provide analysis catalyst for the petrochemical refinery of the future

Advanced IoT Systems The next BriefingsDirect Voice of the Customer Internet-of-Things (IoT) technology trends interview explores how IT combines with IoT to help create the refinery of the future. We’ll now learn how a leading-edge petrochemical company in Texas ...
How Blockchain Has Unexpectedly Improved Big Data Integrity

How Blockchain Has Unexpectedly Improved Big Data Integrity

Big Data Integrity Blockchain technology was developed to improve the integrity of bitcoin. However, as bitcoin became more popular, its underlying technology is gaining more attention as well. Perhaps the most significant development in IT ...
CloudTweaks Comic
The Lighter Side Of The Cloud - Due Diligence
The Ligther Side Of The Cloud - Speed Browsing
The Lighter Side Of The Cloud - Techwear
The Lighter Side Of The Cloud - YTF
The Lighter Side Of The Cloud - Autonomous Sleigh
Star Wars IoT CES
The Lighter Side Of The Cloud - Machine Learning
The Lighter Side Of The Cloud - F96qL#5

CLOUDBUZZ NEWS

Cambridge Analytica files for bankruptcy in U.S. following Facebook debacle

Cambridge Analytica files for bankruptcy in U.S. following Facebook debacle

(Reuters) - Cambridge Analytica, the political consultancy at the center of Facebook Inc’s (FB.O) privacy scandal, filed for Chapter 7 bankruptcy in the United States late on Thursday. This past March allegations surfaced that Cambridge ...
Security in the Cloud—A Little Known Advantage, Actually

Security in the Cloud—A Little Known Advantage, Actually

Okay, I’ll go ahead and say it: Public cloud infrastructures are more secure, and the security is more cost-effective, than the majority of on-premises data centers. That should get the blood flowing. With the word ...
China Approves Toshiba's $18 Billion Sale of Its Memory-Chip Unit

China Approves Toshiba’s $18 Billion Sale of Its Memory-Chip Unit

TOKYO—Private-equity firm Bain Capital received approval from Chinese antitrust regulators for its deal to buy Toshiba Corp.’s memory-chip unit, a person familiar with the matter said Thursday. A Bain-led consortium reached the $18 billion deal ...