Basic Cloud Risk Assessment Tips

Basic Cloud Risk Assessment

You should worry about the risks of cloud computing. But don’t get too scared. With a few simple steps you can easily get a basic understanding of your risks in the cloud and even have a good start in managing these risks.

If you are a large corporation in a regulated industry, a cloud risk assessment can take weeks or months of work. But even that process starts from simple principles.

Oddly enough, I think any risk assessment of a cloud plan should start with the benefit you are expecting from the cloud service. There are two reasons for that. First, the benefit determines the risk appetite. You can accept a little risk if the benefit is large enough. But if the benefit is small, why take any chances?

The second reason is that not realizing the benefit is a risk as well.


For example, if there is a choice between running your CRM system in-house versus in the cloud, you might find that it takes too long to set up the system in-house and it won’t be accessible by sales people in the field. The cloud system will be quicker to deploy and easier to access from outside your company, so the benefit can be realized quicker.

Pretty essential in any cloud risk assessment is figuring out what the data is that you want to store in the cloud. Most of the cloud risk management is built on that pillar.

Pay particular attention to data that identifies persons, log files, credit card numbers, intellectual property, and anything that is essential to the conduct of your business. You can easily guess what this means for a CRM system: customers, proposals, contact details.

The second question then is:

What do you want to do with that data?

How is the cloud provider giving you access to that data? Is the access convenient enough, can you get the reports that you need? In this step you sometimes need to revisit the previous step. For example as you do your reports you figure out that you not only stored customer orders in the cloud, but also your product catalog. So add that to the data that you should worry about.

Once you have a clear idea of the data and the functionality, you can start looking at the value at risk.


Beginning with the data, think about what the worst thing is that can happen to the data. What about it getting lost, or falling into the hands of the wrong people? What about the chance that it is changed without you knowing (maybe by a colleague who happens to have too many access rights)? In my experience, people overestimate the risk of the cloud provider leaking your data, and underestimate the risk of internal people leaking your data.

Similarly, what happens to the business if the data or the reports are not available for some period of time? How long can your business get by without having full access to the data? In the worst case the provider goes out of business. Can you survive the time it takes to set up a new service?

With that general picture in your head, you can start looking at the threats. The top risks are that the cloud provider fails to deliver, and that the cloud provider leaks information.

A little more subtle are the cases where you think they should be doing something, but they don’t. If you use IaaS, you may think that the cloud provider is patching your operating systems. Typically, they don’t. And any backup that the cloud provider makes does not protect you from a provider going out of business. So you want to review your assumptions on who takes care of which risk.

If anything, you should think about which data you still want to use after you stop working with that cloud service. This is easier to do before the cloud provider runs into trouble. Regular data extraction can be fairly simple. If your provider does not make that easy, well, maybe they should not be your provider.

Further reading? The European Network and Information Security Agency (ENISA) has produced a very good list of cloud risks. (See my earlier blog: I also produced a brief video on that, search for “ENISA top 8 risks” and you will find it on YouTube. For risk assessment purposes I have also created a brief risk triage worksheet. You can get that by signing up to my cloud newsletter at

By Peter HJ van Eijk

Matt Holleran

Cloud Platforms, Marketplaces, and Startups

Cloud Platforms, Marketplaces, and Startups One of the most exciting recent developments in the cloud software business is the proliferation of partner ecosystems, with large public and late-stage private cloud companies creating their own marketplaces ...
Steve Prentice

The Human Element of Zero Trust

The Awareness of Malicious and Threat Actors Security specialists have long known that a single weak link in a chain is all that is needed to bring down a cyberdefense. Sometimes this comes down to ...
Ronald van Loon

Cognitive Science + Data Science: Next-Gen Data Driven Marketing

Next-Gen Data Driven Marketing What are the psychological motivators driving customer purchasing decisions? The era of ubiquitous digitalization, advanced analytics, and big data is here. Yet marketers frequently grapple with obtaining information that answers critical ...
Bruce Guptill

Resolving IT-Finance Asynchronization on Cloud Improvements

Resolving IT-Finance Asynchronization While CIO-CFO communications and alignment may never seem better, what is considered to be C-level, strategic “alignment” increasingly obscures realities that keep IT and Finance from synchronizing their thinking and activity. This ...

How cloud technologies improve innovation in the healthcare industry?

How cloud technologies improve innovation in the healthcare industry? The uptake of VPS hosting in the cloud within the heavily regulated healthcare industry has until recently been perceived as relatively slow. There is little doubt ...
Mark Barrenechea

Introducing the Information Advantage

Technology. Information. Disruption. The world is moving faster than ever before at unprecedented scale. Businesses today are operating in the next industrial revolution, and the rules have changed. This is Industry 4.0. It is imposing ...