With considerable benefits like easier access to innovative technologies, simpler scalability, and reduced IT expenditures, increasing numbers of companies are migrating their data and infrastructure to a cloud environment. In fact, cloud adoption has been so prolific over the last decade that 94% of companies now use cloud services of some kind – with an astonishing 61% of organisations migrating workloads to cloud environments in 2020 alone.
However, while most companies quickly recognise the benefits of cloud computing, some fail to account for the potential security risks that cloud-based services expose them to. By migrating all its data, assets, and workloads to the cloud, a company also moves them online and off-site, increasing the risk they’re exposed to – while decreasing the visibility and control security teams have over its infrastructure. To best mitigate this, organisations must consider and assess their risk factors ahead of time and formulate a cloud risk management strategy.
With this in mind, let’s explore the concept of cloud risk management, including why it’s important, how to carry out cloud risk assessments, and management best practices.
What is Risk Management in Cloud Computing?
Cloud risk management is the process of identifying, assessing, mitigating, and continually monitoring threats within an organisation’s cloud computing environment. Developing a cloud risk management strategy requires your company to take an accurate inventory of the assets within its cloud environment, identify the risks each presents, and determine the best way to prevent them from being realised.
In outline, the process for creating a cloud risk management strategy is as follows:
- Risk identification: determining all the risks present within the cloud environment, allowing companies to determine the full extent of their risk profile and attack surface
- Risk assessment: analysing the scope of each risk, i.e., the likelihood of its occurrence and potential severity. After analysis, security teams can evaluate the risk and assign its mitigation a priority – such as “low”, “moderate”, and “high.”
- Risk mitigation: implementing the appropriate policies and controls to mitigate risk factors, starting with those with the highest priority, i.e., potential for the highest negative impact
- Continuous monitoring and review: tracking the effectiveness of the implemented risk mitigation measures. Additionally, security teams must constantly review previously identified risks to re-evaluate their priority, and seek out new risk factors as they add new applications, users, etc. to the environment.
Understanding Cloud Risk Assessment
To accurately perform a cloud security risk assessment, you first have to be aware of the types of risk within your cloud environment, which include:
Lack of visibility and control
One of the most significant and persistent challenges a company faces when migrating to the cloud is reduced visibility and control over its infrastructure and data. When its IT infrastructure, i.e., applications, servers, etc., was located in-house, or “on-prem”, the company had direct control over it, including access to logs, performance metrics, and insight into its network traffic.
With a cloud-service model, in most cases, the company’s infrastructure and data are located off-site and managed by its cloud service provider (CSP). Additionally, the resources CSPs use to provide that infrastructure are virtualised and shared among multiple tenants, i.e., other customers. This makes it difficult for a company to maintain the same level of visibility in the cloud as with on-prem infrastructure, which is itself a significant risk factor.
Security risk
These encompass all the cyber threats your company’s cloud environment is susceptible to, which could compromise the security posture of the infrastructure itself or the data within it. Consequently, security risks overlap with the other types of cloud computing risk described below, e.g., data or insider risk, or increase the chance of their occurrence, e.g., financial or reputational risk.
Common cloud security risks include:
- Unauthorised access: credential theft (e.g., phishing), account hijacking, weak access controls, over-privileged account permissions
- Data breaches: loss, theft, disclosure, etc., of sensitive data
- Malware: the infection of your cloud environment with viruses, ransomware, Trojans, rootkits, etc.
- Misconfiguration: open ports, inadvertently internet-facing assets, publicly readable storage, insecure network or identity configurations
- Application and system vulnerabilities: unpatched software, lack of updates to firmware and hardware
Data risk
While some aspects fall under security risk, the increasing emphasis on data privacy, e.g., in legislation and regulatory requirements, means data risk warrants its own careful consideration when conducting your cloud risk assessment.
As well as breaches, in which data is exposed or exfiltrated, managing data risk includes mitigating all factors that could compromise your data’s confidentiality, integrity, or availability, i.e., the CIA triad. This includes data loss, leakage, unintended modification, and policies and controls related to identity and access management (IAM).
Compliance risk
As well as needing cybersecurity measures to protect sensitive customer data, an organisation’s data privacy policies and controls must comply with various legislative or industry regulatory requirements. Depending on the scope of your company’s operations and your industry, these could include:
- General Data Protection Regulation (GDPR): EU legislation protecting the personal data of individuals in the EU. Crucially, it applies not just to organisations based in the EU but to any organisation that processes the personal data of people in the EU.
- California Consumer Privacy Act (CCPA): a privacy law that gives residents of California control over their data, including who it’s sold to and being able to request its deletion. The CCPA is an example of privacy acts gradually being introduced by individual American states, with the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA) going into effect in 2023.
- Health Insurance Portability and Accountability Act (HIPAA): a US law protecting individuals’ protected health information (PHI). It applies not only to healthcare providers and insurers (“covered entities”) but to any organisation that handles PHI on their behalf (“business associates”), such as vendors and consultancies, e.g., accountants and IT companies.
- Payment Card Industry Data Security Standard (PCI DSS): an industry standard rather than a law, developed by the major card brands (Visa, Mastercard, American Express, etc.) and maintained by the PCI Security Standards Council, that protects cardholder data for credit and debit cards. It is enforced contractually through the card brands and acquiring banks.
- Sarbanes-Oxley Act (SOX): this legislation focuses on financial reporting requirements for publicly traded US companies. This includes implementing controls that secure financial data against relevant cyber risk.
Accordingly, compliance risk refers to incidents or scenarios within your cloud ecosystem that result in non-compliance with the above legislation and regulation, or with others relevant to your industry.
Cloud vendor risk
Every company’s cloud computing environment is composed of applications, systems, and platforms provided by different vendors. Depending on a vendor’s commitment and ability to develop secure software, its products may contain vulnerabilities that malicious actors can exploit. By then using that software, you’ve added another attack vector to your cloud environment and increased the risk within it. With this in mind, third-party risk management must be a fundamental part of your overall cloud risk mitigation strategy.
Cloud services can also increase the prevalence of Shadow IT, i.e., a business unit’s use of applications or systems without its IT department’s knowledge or approval. This increases cloud vendor risk and introduces security risk as security teams aren’t aware of the service to monitor it.
Availability risk
With your company’s infrastructure and data located in the cloud, you’re more dependent on a reliable internet connection than with a traditional local network. While a cloud environment enables access from any internet-enabled device, an employee who can’t establish a reliable connection is restricted in their ability to do their job.
Similarly, while you’re dependent on your own internet connection, you also rely on your CSP’s ability to keep their services – and, by extension, your services – online. Any downtime affects your business continuity – impacting your ability to serve your customers, which carries financial and reputational consequences.
While availability can be impacted by innocuous issues like infrastructure failures or network congestion, it can also be disrupted by malicious action, such as denial of service (DoS) attacks, including distributed (DDoS) attacks launched from botnets.
Insider risk
This refers to security threats originating within your company. As well as malicious activity such as theft, fraud, or deliberate compromise of data, insider threats include unintentional incidents such as divulging credentials in social engineering attacks (phishing, etc.) or user error.
These risks are also present in on-prem infrastructure, but migrating to a cloud environment adds a second population of insiders: the CSP’s administrators, engineers, etc., who have varying degrees of access to the systems hosting your data. This amplifies insider risk and should be factored into your decisions about encryption and key management.
Financial risk
The realisation of any of the risk events described above carries consequences for your company, some of them financial. If, for example, you suffer a data breach and a customer is harmed because their sensitive data was compromised, you may be liable to compensate them, and regulators may impose fines.
Consequently, factoring in the potential financial consequences of cyber threats is essential when conducting a cloud security risk assessment. Evaluating the cost of risk events allows you to prioritise them more accurately, refining your cloud risk management plan. Similarly, expressing the consequences of a risk event in terms of cost helps when communicating with management and other stakeholders, especially when trying to obtain buy-in for cloud risk mitigation measures.
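To make the four-step process described earlier and this cost-based prioritisation concrete, here is an added example in Python, written for this article rather than taken from a RiskXchange tool. It scores each risk on assumed 1-5 likelihood and severity scales, assigns a priority band, expresses each risk as an annualised loss expectancy (single loss expectancy multiplied by the annual rate of occurrence, a standard quantitative risk formula that the article does not itself spell out) and checks whether a proposed control pays for itself. The bands, thresholds, cost figures and sample risks are all constructed assumptions.

```python
"""Risk register scoring: qualitative priority plus annualised loss expectancy.

Added illustration, not RiskXchange code. The 1-5 scales, priority bands,
cost figures and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass

# Priority bands on the likelihood x severity score (1..25): score >= threshold
PRIORITY_BANDS = ((16, "high"), (8, "moderate"), (0, "low"))


@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    severity: int     # 1 (negligible) .. 5 (severe)
    sle: float        # single loss expectancy: cost of one occurrence
    aro: float        # annualised rate of occurrence: expected events per year

    def score(self) -> int:
        """Qualitative score used for first-pass triage."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError(f"{self.name}: likelihood and severity must be 1-5")
        return self.likelihood * self.severity

    def priority(self) -> str:
        score = self.score()
        for threshold, label in PRIORITY_BANDS:
            if score >= threshold:
                return label
        return "low"

    def ale(self) -> float:
        """Annualised loss expectancy: what the risk is expected to cost per year."""
        return self.sle * self.aro


def rank(risks):
    """Highest qualitative score first; ties broken by annual cost."""
    return sorted(risks, key=lambda r: (r.score(), r.ale()), reverse=True)


def control_worthwhile(risk, control_cost, aro_after):
    """Return (worthwhile, annual_saving) for a control that costs `control_cost`
    per year and reduces the risk's rate of occurrence to `aro_after`."""
    saving = risk.ale() - risk.sle * aro_after - control_cost
    return saving > 0, saving


# Constructed sample register
SAMPLE_RISKS = [
    Risk("Public storage bucket exposes customer PII", 4, 5, 250_000, 0.5),
    Risk("Phished admin credentials, no MFA", 4, 4, 120_000, 1.0),
    Risk("CSP regional outage", 2, 3, 40_000, 0.2),
    Risk("Unpatched VM compromised", 3, 3, 60_000, 0.5),
]


def summarise(risks):
    """(name, priority, score, ALE) tuples in the order the team should work them."""
    return [(r.name, r.priority(), r.score(), r.ale()) for r in rank(risks)]


if __name__ == "__main__":
    for name, prio, score, ale in summarise(SAMPLE_RISKS):
        print(f"{prio:8} score={score:2} ALE={ale:>10,.0f}  {name}")
    ok, saving = control_worthwhile(SAMPLE_RISKS[1], control_cost=15_000, aro_after=0.1)
    print(f"MFA for admins: worthwhile={ok}, net annual saving={saving:,.0f}")
```

The qualitative score drives the order of work, while the ALE figure is the number to put in front of management: in the sample register, a control costing 15,000 a year that cuts phishing-driven admin compromise from one expected event a year to one in ten saves roughly 93,000 a year net.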
Reputational risk
As well as financial implications, risk events can incur reputational costs. Continuing the data breach example, news that your company was the victim of a cyber attack will make existing and prospective customers wonder whether their data is safe in your hands. If you’re unable to allay their fears or, worse, continue to suffer breaches, it could irreparably damage your reputation and hurt your bottom line.
Benefits of effective cloud risk management
Now that we’ve explored the importance of cloud risk management and the types of risks to consider, let’s look at the advantages of comprehensive cloud security risk assessment.
Stronger cloud security posture
Having properly identified and assessed the possible risks within your cloud environment, your security team can implement the appropriate policies and controls for their mitigation, enhancing your overall cloud security posture.
Improved compliance
Similarly, your company will improve compliance with relevant regulations by better identifying risks to its sensitive customer data and implementing policies and controls to secure it. Additionally, the ongoing monitoring that’s part of a comprehensive cloud risk management strategy allows you to determine which assets don’t meet compliance standards and reconfigure them accordingly.
Proactive cyber threat mitigation
Instead of being forced to respond to cyber attacks once they’ve already occurred, developing a cloud risk management plan helps you better prepare for and prevent them ahead of time. Identifying the possible risk events in your cloud ecosystem allows you to proactively implement the necessary mitigation measures. More importantly, by analysing and prioritising the risks, your security teams know which policies and controls to implement first, protecting your organisation from the most severe and/or frequent cyber attacks.
Improved business continuity and disaster recovery
In identifying all the risks that threaten your business operations, security teams can put measures in place to reduce the likelihood of their occurrence. Additionally, knowing such threats beforehand allows you to institute strategies for the fastest possible disaster recovery and ensure business continuity.
Cost savings and a better return on cloud investment
By creating a cloud risk management strategy, your organisation will reap more of the benefits that drove the migration to the cloud in the first place. Conversely, without fully realising the risks involved, your IT and security teams will likely spend more time dealing with cyber threats and other risk factors, instead of on value-adding activities that contribute to the company’s revenue and growth objectives.
Between the costs of cyber attacks, penalties for non-compliance, and the potentially significant costs of ceasing operations, a cloud risk management plan can save your organisation considerable money. Moreover, as noted above, companies that successfully harness their cloud computing setup reduce overall IT expenditure compared with the cost of maintaining on-prem infrastructure.
Best Practices for Risk Management in Cloud Computing
Let’s turn our attention to examining the best practices for cloud risk management.
Perform due diligence ahead of cloud migration
Conducting comprehensive due diligence before migrating your infrastructure and workflows to a cloud environment is a fundamental best practice for identifying and mitigating risk.
This first involves carefully assessing your potential CSPs, evaluating their security policies and controls, the security solutions and tools you can integrate, and how well they comply with regulations and legislation relevant to your company.
Another critical aspect of due diligence is inventorying your on-prem assets, determining their policies and controls, and how they’ll be replicated in your cloud environment. This requires asking:
- What policies and controls were applied to the asset on-prem?
- Are the same controls and policies available in the cloud?
- Who implements said policies and controls – our organisation or our CSP?
Understanding and embracing the shared responsibility model
Because they were responsible for securing their own infrastructure on-prem, some companies incorrectly assume their CSP will provide all the necessary cyber risk mitigation once they migrate to the cloud. In reality, cloud services operate under a shared responsibility model, so it’s best practice for organisations to understand it and determine precisely which aspects of cloud risk management they own and which fall to the CSP.
The first, and often main, determiner of the balance of responsibility is the type of cloud service purchased from a CSP; for instance:
- Infrastructure as a Service (IaaS): The CSP is responsible for the physical infrastructure, including data centres, the physical network, and virtualisation (i.e., hypervisor security). The organisation must secure everything it builds on top: guest OS hardening and patching, virtual network configuration (firewall rules, exposed ports), applications, identities, and data.
- Platform as a Service (PaaS): The CSP secures the underlying infrastructure plus the OS and runtime environment. The company is responsible for securing the applications it develops and deploys on the platform, the platform’s access and network settings, and all associated data.
- Software as a Service (SaaS): The CSP secures the application itself and the infrastructure it runs on (application code, data storage, platform patching, etc.). The company remains responsible for the data it puts into the service, for configuring the service securely (sharing settings, tenant options), and for who it grants access to and with what privileges.
You’ll notice that in all three cases, responsibility for the data itself, and for which identities may access it, always stays with the company.
In addition to understanding the shared responsibility model, it’s beneficial for your company to establish a relationship of cooperation and trust with your CSP. Through frequent communication between your security teams and CSP’s security and compliance personnel, you’ll better establish your balance of responsibilities and further your understanding of the controls applied to your cloud environment.
Implement cloud risk mitigation measures
After identifying and assessing cloud risk, you must apply the policies and controls required for mitigation. As you may have identified a wide range of risk factors and addressing them all will take time and resources (if mitigating them all is feasible – or even necessary), security teams should start with risks labelled as a high priority.
Your company may adopt a cloud security framework, which provides guidelines and best practices for implementing the appropriate policies and controls to best secure your cloud environment and ensure compliance.
Notable cloud security frameworks include:
- NIST Cybersecurity Framework (CSF)
- ISO/IEC 27017 (cloud-specific controls extending ISO/IEC 27002)
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- CIS Controls, together with the CIS Benchmarks for specific cloud platforms
Install cloud security solutions
Adding the right tools and solutions to your cloud environment will assist your security teams in identifying and managing risk more quickly and efficiently.
Some of the most important cybersecurity solutions for a cloud computing environment include:
- Cloud Security Information and Event Management (SIEM): aggregates logs and events from your cloud services and provides continuous monitoring, helping security teams recognise cyber threats and respond accordingly
- Cloud security posture management (CSPM): enables security teams to continuously monitor cloud environments for vulnerabilities, misconfigurations, non-compliant assets, and other risks
- Cloud access security broker (CASB): positioned between your users (on the corporate network or remote) and the cloud services they consume, a CASB discovers which services are in use (including Shadow IT) and enforces data security policies (i.e., who can access data and with what privileges), authentication, malware detection, and more
- Cloud workload protection platform (CWPP): allows security teams to detect threats to and protect cloud-based workloads, i.e., hosts, VMs, containers, serverless functions, and the APIs they expose
- Cloud Data Loss Prevention (DLP): by monitoring and controlling data movement, DLP tools help prevent data loss, leakage, and exposure.
As well as providing continuous monitoring functionality, some cloud security solutions allow for automatic risk identification and, according to pre-defined rules, automatic risk mitigation. This gives a security team greater visibility and control over its cloud environment, enabling it to better manage its vast and complex attack surface.
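As an added illustration of what the automated risk identification in a CSPM tool does under the hood, the following Python script (written for this article, not a vendor’s product or RiskXchange’s code) runs a handful of posture rules over a constructed inventory: security group rules open to the internet on administrative ports (the misconfiguration risk listed earlier), publicly accessible or unencrypted storage buckets, and IAM policies that grant wildcard permissions (the over-privileged accounts listed under unauthorised access). The inventory format is an assumption loosely modelled on AWS resource attributes.

```python
"""Posture checks over a constructed cloud inventory (a miniature CSPM rule set).

Added example, not a vendor product or RiskXchange code. The inventory fields
are assumptions loosely modelled on AWS security groups, S3 buckets and IAM
policy documents; in practice feed it from your provider's API or a config export.
"""
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}                 # SSH, RDP
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    resource: str
    issue: str


def check_security_groups(groups):
    """Flag ingress rules reachable from the whole internet."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if rule["cidr"] not in PUBLIC_CIDRS:
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            all_ports = lo == 0 and hi == 65535
            if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(Finding("high", g["id"],
                                        f"ports {lo}-{hi} open to {rule['cidr']} (admin/all ports)"))
            else:
                findings.append(Finding("medium", g["id"],
                                        f"ports {lo}-{hi} open to {rule['cidr']}"))
    return findings


def check_buckets(buckets):
    """Public access and missing encryption at rest."""
    findings = []
    for b in buckets:
        if b["public_access"]:
            findings.append(Finding("high", b["name"], "bucket allows public access"))
        if not b["default_encryption"]:
            findings.append(Finding("medium", b["name"], "no default encryption at rest"))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_iam_policies(policies):
    """Over-privilege: wildcard actions on every resource."""
    findings = []
    for p in policies:
        for st in p["document"]["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            if "*" in actions and "*" in resources:
                findings.append(Finding("high", p["name"], "Allow */* grants full administrative rights"))
            elif "*" in resources and any(a.endswith(":*") for a in actions):
                findings.append(Finding("medium", p["name"], "service-wide wildcard action on all resources"))
    return findings


def assess(inventory):
    """Run every check and return findings, high severity first."""
    findings = (check_security_groups(inventory["security_groups"])
                + check_buckets(inventory["buckets"])
                + check_iam_policies(inventory["iam_policies"]))
    return sorted(findings, key=lambda f: (f.severity != "high", f.resource))


# Constructed inventory: a clean and a bad example of each resource type
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
        {"id": "sg-db", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    ],
    "buckets": [
        {"name": "customer-exports", "public_access": True, "default_encryption": False},
        {"name": "app-logs", "public_access": False, "default_encryption": True},
    ],
    "iam_policies": [
        {"name": "AdminEverything", "document": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "S3Wide", "document": {"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
        {"name": "ReadLogs", "document": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"}]}},
    ],
}

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper():6}] {f.resource}: {f.issue}")
```

The value of a rule engine like this is not the individual rules, which any CSPM product ships with, but that it re-runs on every change to the environment and feeds findings straight into the risk register; that is the continuous monitoring step of the process in executable form.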
Third-party risk management
Manage third-party risk within your cloud environment by establishing a vendor selection process. This includes assessing potential cloud service vendors’ security posture, taking things like past security breaches, frequency of updates, reputation, and customer reviews into account.
This could also involve developing service level agreements (SLAs) that detail the standard of security the vendor is contractually obligated to provide you with, along with clear benchmarks to measure their performance.
Strengthen access control
With many risk factors caused by unauthorised access, strengthening access control is an important cloud risk management best practice. Methods of improving access control within your cloud environment include:
- Stronger password policies: enforce a minimum length, screen new passwords against lists of known-breached passwords, and block reuse. Current guidance (e.g., NIST SP 800-63B) favours length and breach screening over mandatory special-character rules, which mostly produce predictable substitutions.
- Multi-factor authentication (MFA): requires users to prove their identity with more than one factor, e.g., a hardware security key or authenticator-app code in addition to a password, with phishing-resistant methods (FIDO2/WebAuthn) preferred for administrative accounts.
- Zero trust: an access control model built on “never trust, always verify”, in which every request is authenticated and authorised based on user identity, device health, and context, regardless of whether it originates inside or outside the corporate network.
- Network segmentation: a way of organising your network so critical data and services are isolated from public-facing assets, limiting how far an attacker can move if one segment is breached.
Data encryption
With your data no longer stored on-premises and constantly moving through your network and across cloud infrastructure, implementing data encryption is essential. Effective cloud risk management requires ensuring data is encrypted at rest, i.e., when stored, and in transit, i.e., when transferred across the network. Adequate encryption procedures, including sound key management (restricting who can use keys, logging their use, and rotating them), not only improve your overall cloud security posture but help you achieve compliance as well.
Patch management process
This refers to your company’s system for identifying and applying updates and fixes to software and services within your cloud environment. The more refined your patch management process, which should ideally include automatic updates where possible and prioritise fixes for vulnerabilities known to be actively exploited, the better your ability to mitigate risks created by exploitable software vulnerabilities.
Redundancy and backup strategies
This refers to your strategies for ensuring business continuity and fast disaster recovery during a severe cyber attack.
The first stage involves creating redundancy: duplicating critical assets as a failover measure in case the primary system or service, e.g., a server, is made unavailable by a realised threat. Secondly, establish a regular backup schedule so you always hold recent, complete, uncorrupted copies of data that can serve as a recovery point if your cloud environment is attacked. Keep at least one copy immutable or offline so that an attacker with cloud credentials cannot delete or encrypt it, and test restores regularly: a backup that has never been restored is not a recovery plan.
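To show what “recent, complete, uncorrupted” means as a check rather than a slogan, here is an added Python example (written for this article, not RiskXchange code) that verifies a backup set against the manifest recorded when it was taken: its age against a recovery point objective, the presence of an immutable or offline copy, and every object’s size and SHA-256 digest. The manifest layout, the 24-hour RPO and the sample backup content are constructed assumptions.

```python
"""Check that a backup set is recent, complete and uncorrupted before relying on it.

Added example, not RiskXchange code. The manifest layout, the 24-hour recovery
point objective and the sample backup objects are constructed assumptions.
"""
import hashlib
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)   # assumed recovery point objective


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(blobs, taken_at, immutable):
    """Record size and digest of each object at backup time."""
    return {
        "taken_at": taken_at.isoformat(),
        "immutable": immutable,   # held under object lock or offline?
        "objects": [{"name": n, "size": len(d), "sha256": sha256_hex(d)} for n, d in blobs.items()],
    }


def verify_backup(manifest, blobs, now):
    """Return (ok, problems). `blobs` maps object name -> bytes as read back from storage."""
    problems = []
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > RPO:
        problems.append(f"newest backup is {age} old, exceeding the {RPO} RPO")
    if not manifest["immutable"]:
        problems.append("no immutable or offline copy; an attacker with cloud credentials could delete it")
    for entry in manifest["objects"]:
        data = blobs.get(entry["name"])
        if data is None:
            problems.append(f"missing object {entry['name']}")
        elif len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            problems.append(f"corrupted object {entry['name']}")
    return not problems, problems


# Constructed backup content and a fixed clock so the run is reproducible
GOOD_BLOBS = {
    "db.sql": b"CREATE TABLE customers (id INT, email TEXT);\n",
    "config.json": b'{"region": "eu-west-1"}\n',
}
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def demo():
    """A healthy backup set, then a stale, mutable, tampered and incomplete one."""
    good = verify_backup(build_manifest(GOOD_BLOBS, NOW - timedelta(hours=6), True), GOOD_BLOBS, NOW)
    stale = build_manifest(GOOD_BLOBS, NOW - timedelta(days=3), False)
    tampered = {"db.sql": GOOD_BLOBS["db.sql"] + b"-- modified after backup\n"}   # config.json missing
    bad = verify_backup(stale, tampered, NOW)
    return good, bad


if __name__ == "__main__":
    for label, (ok, problems) in zip(("good", "bad"), demo()):
        print(label, "OK" if ok else "FAILED", *problems, sep="\n  ")
```

Run as a scheduled job against the most recent backup, this is the evidence that the recovery point you are counting on actually exists; the digest comparison is what distinguishes a backup that ransomware has silently encrypted from one you can restore.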
Developing a formal cloud risk management plan
Collate the above best practices and your company’s other cyber security policies, procedures, and controls into a formal, documented cloud risk management plan. This could be combined with forming a cloud risk management committee comprising a cross-section of representatives from your company, such as department heads and senior management, as well as technical personnel.
How RiskXchange can help with Cloud Risk Management
With our detailed cloud risk assessment process and the extensive insight it’ll provide on the true extent of your attack surface, RiskXchange can assist your company to mitigate cyber threats within your cloud environment. We’ll help you identify the cloud risks that could impact your organisation the most and to create a comprehensive cloud risk mitigation plan to strengthen your cyber security posture long-term.
Cloud Risk Management FAQ
What are the steps of risk management in cloud computing?
The steps involved in risk management in cloud computing are risk identification, risk assessment, risk mitigation, and risk monitoring and review. The last step, monitoring and review, is an ongoing process to measure the efficacy of implemented mitigation methods and to identify new risks within the cloud environment.
How do you assess risk in cloud computing?
Cloud risk assessment involves identifying, analysing, and evaluating risk factors to determine which could most impact your organisation. During an assessment, a security team will analyse the nature of a threat and evaluate the likelihood of its occurrence before assigning it a priority, e.g., low, moderate or high.
What are the four pillars of cloud risk management?
The pillars of cloud risk management are proper risk identification, thorough cloud risk assessment, implementation of required policies and controls, and an ongoing monitoring and review process. These elements enable your organisation to implement a comprehensive cloud risk management strategy that effectively mitigates threats against your cloud environment.