Cloud security is a challenging task for any organization that has moved, or is moving, its data, applications or infrastructure to a cloud platform, simply because of the heterogeneous nature of cloud deployment models. A cloud deployment model includes Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) components. These components are provided by multiple service providers, each following its own risk management practices. A cloud deployment can be public or private, hosted internally or externally, and have open or restricted dataflow. Additionally, different service providers deliver through different models and have varying infrastructures, processes and security controls in place. Hence, a generic risk assessment approach is insufficient to address all aspects of cloud security risk assessment.
Cloud Security Risk Assessment Methodology
A security risk assessment is required in two scenarios –
- The organization's assets are already on the cloud
- The organization is planning to move assets to the cloud
The steps involved in a cloud security risk assessment are –
- Asset Identification – There are three types of assets relevant to a cloud deployment –
- Data – Organization data that is stored in, or to be moved to, the cloud environment
- Applications/Processes – The organization is using an application hosted in the cloud environment, or cloud-hosted processes for handling the organization's functions, or is planning to do so
- Infrastructure – The organization has its own applications/functions hosted on public or private cloud infrastructure, or is planning to do so
The first step in evaluating risk is to identify exactly what data, applications and processes are in the cloud or being considered for cloud deployment, and what infrastructure components are required or used for data storage and for deploying those applications and processes. For example – a digital platform that handles its customers' healthcare data (PHI) is migrating its operations to the cloud. The migration will transfer the following assets to the cloud – customer data (including PHI), the digital platform (including PHI-processing applications) and network infrastructure (including web hosting and email services). The organization has opted for a public cloud deployment, external hosting infrastructure and open dataflow between the cloud service and customers.
- Evaluate Assets – Once the organization's assets are identified, the next step is to evaluate the criticality of each asset to the organization. The criticality of an asset depends on its confidentiality, integrity and availability ratings. Some sample questions to consider while evaluating an asset –
- How much would the organization be affected if the asset were disclosed publicly?
- How much would the organization be affected if the asset were disclosed to an employee of the cloud provider?
- How much would the organization be affected if the asset were modified by an end user in an unauthorized manner?
- How much would the organization be affected if the asset were modified by an employee of the cloud provider in an unauthorized manner?
- How much would the organization be affected if the asset became unavailable to end users?
- How much would the organization be affected if the asset became unavailable to the cloud provider?
- How much would the organization be affected if the asset became unavailable to the organization's employees?
The result of asset evaluation is a set of confidentiality, integrity and availability ratings, collectively called the CIA rating of the asset.
- Define Exposure – The organization should clearly outline the dataflow scenarios between the organization, cloud providers and customers. It is very important in risk assessment to understand when and how data is transmitted into and out of the cloud. Based on the dataflow requirements, the exposure of each asset is determined.
- Evaluate Cloud Deployment Models and Service Providers – A very important evaluation criterion in this phase is the degree of control the organization has over risk management for assets that are on, or moving to, the cloud. The organization should verify whether the cloud provider's risk management strategy is in line with its own risk management practices, or provides extensive coverage of the assets' security requirements. Any specific requirements, such as restrictions on the handling of data by the cloud provider, should be considered in the evaluation.
- Determine Risk – The risk to an asset varies from one cloud deployment model to another, because different deployment models allow different levels of exposure to the asset, which in turn changes the threat landscape for the asset. Since risk is derived from exposure and threat, its value varies as well. For example – the digital platform has opted for a public cloud deployment, which extends the assets' exposure to the cloud provider and the employees involved in managing the cloud. Hence, the risk items in this scenario would be –
- Assets are disclosed to the public
- Assets are disclosed to an employee of the cloud provider
- Assets are modified by end users in an unauthorized manner
- Assets are modified by an employee of the cloud provider in an unauthorized manner
- Assets are unavailable due to an interruption caused by external sources, such as a natural catastrophe
- Assets are unavailable due to an interruption caused by sources internal to the cloud provider, such as a network or power failure
- Assets are unavailable due to an interruption caused by sources internal to the organization, such as a malicious insider
The outcome of this phase is a risk rating assigned to each asset evaluated in the previous phase.
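A worked version of the steps above for the article's PHI digital-platform example, as added example code that is not part of the original article: it turns the CIA ratings, the deployment-model attributes (public/private, external/internal hosting, open/restricted dataflow) and the seven risk items into a per-asset risk register. The 1-3 rating scale, the exposure mapping and the risk = impact x exposure rule are assumptions of this example, and the asset ratings are constructed.

```python
"""Risk register for the article's PHI digital-platform example. The 1-3 scale,
the exposure mapping and risk = impact x exposure are assumptions of this example."""
from dataclasses import dataclass

# The article's seven risk items, tagged with the CIA dimension each threatens
# and the party whose access the deployment model governs.
RISK_ITEMS = [
    ("disclosed to public", "C", "public"),
    ("disclosed to cloud-provider employee", "C", "provider"),
    ("modified by end user without authorization", "I", "public"),
    ("modified by cloud-provider employee without authorization", "I", "provider"),
    ("unavailable: external interruption (natural catastrophe)", "A", "external"),
    ("unavailable: provider-internal interruption (network/power)", "A", "provider"),
    ("unavailable: organization-internal interruption (malicious insider)", "A", "internal"),
]

@dataclass(frozen=True)
class Deployment:
    public: bool          # public vs private cloud
    external_host: bool   # hosted externally vs internally
    open_dataflow: bool   # open vs restricted dataflow with customers

def exposure(dep: Deployment, party: str) -> int:
    """Assumed exposure score (1-3) of an asset to one party under a deployment."""
    if party == "public":
        return 1 + int(dep.public) + int(dep.open_dataflow)
    if party == "provider":
        return 1 + int(dep.public) + int(dep.external_host)
    if party == "external":
        return 2 if dep.external_host else 1
    return 2  # organization insiders always have some access

def risk_register(assets: dict, dep: Deployment) -> dict:
    """assets: name -> CIA rating {"C": 1-3, "I": 1-3, "A": 1-3}.
    Returns name -> [(risk item, score)] with score = impact x exposure."""
    return {name: [(item, cia[dim] * exposure(dep, party)) for item, dim, party in RISK_ITEMS]
            for name, cia in assets.items()}

def top_risk(register: dict, name: str) -> tuple:
    """Highest-scoring risk item for an asset (first wins on ties)."""
    return max(register[name], key=lambda r: r[1])

# Constructed CIA ratings for the three assets the article names.
ASSETS = {
    "customer data (PHI)": {"C": 3, "I": 3, "A": 2},
    "digital platform": {"C": 2, "I": 3, "A": 3},
    "network infrastructure": {"C": 1, "I": 2, "A": 3},
}
PUBLIC = Deployment(public=True, external_host=True, open_dataflow=True)
PRIVATE = Deployment(public=False, external_host=False, open_dataflow=False)
```

Comparing `top_risk(risk_register(ASSETS, PUBLIC), "customer data (PHI)")` with the same call for `PRIVATE` shows the dominant risk moving from public disclosure to insider-caused unavailability, which is the point of the Determine Risk step.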
A cloud security risk assessment enables organizations to choose an appropriate cloud deployment model and service provider. It also helps organizations that already have assets in the cloud to determine gaps between the cloud provider's risk management strategy and the organization's own risk management. At the end of the risk assessment, the organization has a clear idea of the exposure points of its assets in the cloud environment.
We offer cloud security risk assessment services to help organizations uncover risks and establish a cloud-focused risk mitigation strategy. Please visit the Cloud Security section in Service Offerings or Contact Us to hear more from us.