Risk Assesment

Basic Cloud Risk Assessment Tips

Basic Cloud Risk Assessment

You should worry about the risks of cloud computing. But don’t get too scared. With a few simple steps you can easily get a basic understanding of your risks in the cloud and even have a good start in managing these risks.

If you are a large corporation in a regulated industry, a cloud risk assessment can take weeks or months of work. But even that process starts from simple principles.

Oddly enough, I think any risk assessment of a cloud plan should start with the benefit you are expecting from the cloud service. There are two reasons for that. First, the benefit determines the risk appetite. You can accept a little risk if the benefit is large enough. But if the benefit is small, why take any chances?

The second reason is that not realizing the benefit is a risk as well.

risk-assemsent

For example, if there is a choice between running your CRM system in-house versus in the cloud, you might find that it takes too long to set up the system in-house and it won’t be accessible by sales people in the field. The cloud system will be quicker to deploy and easier to access from outside your company, so the benefit can be realized quicker.

Pretty essential in any cloud risk assessment is figuring out what the data is that you want to store in the cloud. Most of the cloud risk management is built on that pillar.

Pay particular attention to data that identifies persons, log files, credit card numbers, intellectual property, and anything that is essential to the conduct of your business. You can easily guess what this means for a CRM system: customers, proposals, contact details.

The second question then is:

What do you want to do with that data?

How is the cloud provider giving you access to that data? Is the access convenient enough, can you get the reports that you need? In this step you sometimes need to revisit the previous step. For example as you do your reports you figure out that you not only stored customer orders in the cloud, but also your product catalog. So add that to the data that you should worry about.

Once you have a clear idea of the data and the functionality, you can start looking at the value at risk.

hp-bigdata

Beginning with the data, think about what the worst thing is that can happen to the data. What about it getting lost, or falling into the hands of the wrong people? What about the chance that it is changed without you knowing (maybe by a colleague who happens to have too many access rights)? In my experience, people overestimate the risk of the cloud provider leaking your data, and underestimate the risk of internal people leaking your data.

Similarly, what happens to the business if the data or the reports are not available for some period of time? How long can your business get by without having full access to the data? In the worst case the provider goes out of business. Can you survive the time it takes to set up a new service?

With that general picture in your head, you can start looking at the threats. The top risks are that the cloud provider fails to deliver, and that the cloud provider leaks information.

A little more subtle are the cases where you think they should be doing something, but they don’t. If you use IaaS, you may think that the cloud provider is patching your operating systems. Typically, they don’t. And any backup that the cloud provider makes does not protect you from a provider going out of business. So you want to review your assumptions on who takes care of which risk.

If anything, you should think about which data you still want to use after you stop working with that cloud service. This is easier to do before the cloud provider runs into trouble. Regular data extraction can be fairly simple. If your provider does not make that easy, well, maybe they should not be your provider.

Further reading? The European Network and Information Security Agency (ENISA) has produced a very good list of cloud risks. (See my earlier blog: https://cloudtweaks.com/2015/03/top-cloud-security-risks/) I also produced a brief video on that, search for “ENISA top 8 risks” and you will find it on YouTube. For risk assessment purposes I have also created a brief risk triage worksheet. You can get that by signing up to my cloud newsletter at http://www.ccsk.eu.

(Image Source: Shutterstock)

By Peter HJ van Eijk

Peter HJ van Eijk

Peter HJ van Eijk develops and delivers cloud computing training programs. He has delivered these programs dozens of times in the US, Europe, Middle-East and Asia to a wide variety of participants.

He has worked for Deloitte Consulting, IT supplier EDS, internet providers, and at the University of Twente, where he received his PhD in 1988. He is a board member of the Dutch Cloud Security Alliance Chapter.

Peter is a certified trainer for CSA Certificate of Cloud Security Knowledge (CCSK), CompTIA Cloud Essentials, Virtualization Essentials and Cloud Technology Associate. He wrote these courses or contributed to them.

How to Improve the Backup Success Rate of Data Centers?

How to Improve the Backup Success Rate of Data Centers?

Improve Backup Success Rate According to industry analysts, a significant number of backup jobs (from 5 to 25%) are failing ...
Making Enterprise IT Affordable for Small Businesses with the Cloud

Making Enterprise IT Affordable for Small Businesses with the Cloud

Making Enterprise IT Affordable Recent advancements in cloud technology have made enterprise IT services, like DNS management, a reality for ...
Cloud Data Migration

Big Data: Drawing Insight From Security Breaches

Insight From Security Breaches In the past, security breaches were viewed as a single event occurring at a certain point ...
The Need For Planning In The Drone World

The Need For Planning In The Drone World

The Drone Highway Do we need to plan the sky? Given the current state of drones that seems a bit ...
The Economy Just Limps Along. Guess Who’s to Blame?

The Economy Just Limps Along. Guess Who’s to Blame?

Productivity seems down the drain. Unemployment is at historic lows yet real wage growth is pathetic. Why? Hard to believe ...
To Migrate or to Not Migrate: In-House vs. Outsourced Cloud Computing

To Migrate or to Not Migrate: In-House vs. Outsourced Cloud Computing

Outsourced Cloud Computing Through working as an executive in the managed DNS industry for over 15 years, I have become a ...
Coping with the Internet of (Risky) Things

Coping with the Internet of (Risky) Things

Internet of (Risky) Things The train appears to have left the station, and device manufacturers – makers of everything from ...
5 Reasons to Head for the Cloud – Part 1

5 Reasons to Head for the Cloud – Part 1

Head for the Cloud Last month Salesforce held its 14th annual Dreamforce event in San Francisco. It has become the ...
Major Cloud Outages

Major Cloud Outages: Five Things Organizations Can Do To Protect Against Network Failures

Recent Major Cloud Outages It is no surprise that whenever there is an outage in a public or private cloud, ...
How Wearable Devices Are Making A Healthy Society Around Us

How Wearable Devices Are Making A Healthy Society Around Us

Wearable Devices Having smartphones to smarter the way we communicate or stay connected is an old fable. Technology has evolved ...