Basic Cloud Risk Assessment Tips

Basic Cloud Risk Assessment

You should worry about the risks of cloud computing. But don’t get too scared. With a few simple steps you can easily get a basic understanding of your risks in the cloud and even have a good start in managing these risks.

If you are a large corporation in a regulated industry, a cloud risk assessment can take weeks or months of work. But even that process starts from simple principles.

Oddly enough, I think any risk assessment of a cloud plan should start with the benefit you are expecting from the cloud service. There are two reasons for that. First, the benefit determines the risk appetite. You can accept a little risk if the benefit is large enough. But if the benefit is small, why take any chances?

The second reason is that not realizing the benefit is a risk as well.

 

For example, if there is a choice between running your CRM system in-house versus in the cloud, you might find that it takes too long to set up the system in-house and it won’t be accessible by sales people in the field. The cloud system will be quicker to deploy and easier to access from outside your company, so the benefit can be realized quicker.

Pretty essential in any cloud risk assessment is figuring out what the data is that you want to store in the cloud. Most of the cloud risk management is built on that pillar.

Pay particular attention to data that identifies persons, log files, credit card numbers, intellectual property, and anything that is essential to the conduct of your business. You can easily guess what this means for a CRM system: customers, proposals, contact details.

The second question then is:

What do you want to do with that data?

How is the cloud provider giving you access to that data? Is the access convenient enough, can you get the reports that you need? In this step you sometimes need to revisit the previous step. For example as you do your reports you figure out that you not only stored customer orders in the cloud, but also your product catalog. So add that to the data that you should worry about.

Once you have a clear idea of the data and the functionality, you can start looking at the value at risk.

hp-bigdata

Beginning with the data, think about what the worst thing is that can happen to the data. What about it getting lost, or falling into the hands of the wrong people? What about the chance that it is changed without you knowing (maybe by a colleague who happens to have too many access rights)? In my experience, people overestimate the risk of the cloud provider leaking your data, and underestimate the risk of internal people leaking your data.

Similarly, what happens to the business if the data or the reports are not available for some period of time? How long can your business get by without having full access to the data? In the worst case the provider goes out of business. Can you survive the time it takes to set up a new service?

With that general picture in your head, you can start looking at the threats. The top risks are that the cloud provider fails to deliver, and that the cloud provider leaks information.

A little more subtle are the cases where you think they should be doing something, but they don’t. If you use IaaS, you may think that the cloud provider is patching your operating systems. Typically, they don’t. And any backup that the cloud provider makes does not protect you from a provider going out of business. So you want to review your assumptions on who takes care of which risk.

If anything, you should think about which data you still want to use after you stop working with that cloud service. This is easier to do before the cloud provider runs into trouble. Regular data extraction can be fairly simple. If your provider does not make that easy, well, maybe they should not be your provider.

Further reading? The European Network and Information Security Agency (ENISA) has produced a very good list of cloud risks. (See my earlier blog: https://cloudtweaks.com/2015/03/top-cloud-security-risks/) I also produced a brief video on that, search for “ENISA top 8 risks” and you will find it on YouTube. For risk assessment purposes I have also created a brief risk triage worksheet. You can get that by signing up to my cloud newsletter at http://www.ccsk.eu.

By Peter HJ van Eijk

Jeremy Cioara

Demand for Cloud and AI Skills Continues To Increase

Demand for Cloud Skills Increases Thinking about adding more cloud skills to your repertoire? Stop thinking. The time to do it is now. For IT professionals, cloud computing skills are becoming an essential resume item.  ...
Scott Leatherman

Speeding up Digital Transformation During the Pandemic – 7 Steps to Unlocking the Benefits of Cloud

7 Steps to Unlocking the Benefits of Cloud The pressure for IT leaders to support more workloads and remote staff with limited resources is as contagious as the pandemic. The most powerful tool in their ...
Kash Shaikh

A Clairvoyant Look Back on 2021

In a lookback from the future, here is what happened in 2021 as reported on January 1, 2022. 2021 was the year that our world worked its way out of the 2020 pandemic and back ...
Cybersecurity Maturity Model Certification (CMMC)

The Rise Of The Corporate VPN

The Rise Of The Corporate VPN Over the past few years, VPNs have become increasingly widely used by the general public. Initially, they were used exclusively by the tech-savvy and privacy obsessed, but as the ...
Flexiant Tony Lucas

There Are Still Opportunities For Service Providers

Opportunities For Service Providers Service providers (SPs) still have a golden, but short-lived opportunity to commercialize the $266.4 billion cloud services market before AWS and others call it “game over.” By being more agile, able to ...

PROXY SERVICES

The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Smartproxy

    Smartproxy

    Smartproxy is a rising star in the constantly growing proxy market. Smartproxy offers awarded customer service, impressive performance, and is serious about your anonymity (yes, cybersecurity matters). The latest features developed by Smartproxy are 30 minute long sticky sessions and Google Proxies. Rumor has it, the latter guarantee 100% success rate

  • Bright Data

    Bright Data

    Bright Data’s network is one of the most robust of its kind globally. Here are its stark advantages: Extremely stable connection for long sessions (99.99% uptime guaranteed). Free to integrate with our Proxy Manager which allows you to define custom rules for optimized results. Send unlimited concurrent requests increasing speed, cost-effectiveness, and overall efficiency.

  • Rsocks

    Rsocks

    RSocks team offers a huge amount of residential plans which were developed for plenty of tasks and, most importantly, has been proved to be quite efficient. Such variety has been created on purpose to let everyone choose a plan for a reasonable price, online, rotation and other parameters.

  • Storm Proxies

    Storm Proxies

    Storm Proxies' network is optimized for high performance and fast multi-threaded tools. You get unlimited bandwidth. No hidden costs, no limits on bandwidth. Try Storm Proxies 100% Risk Free. If you are not happy with the service email us within 24 hours of purchase and we will refund you.