Cloud computing is all the rage these days, but moving your data to the cloud doesn’t come without substantial risks. In addition to the data security risks, organizations need to be prepared for cloud failure, which we have seen this year with the cloud outages at Microsoft and Amazon. With these points in mind, it is critical for organizations to understand the potential risks of cloud computing and formalize the cloud computing risk management process.
This SearchCloudSecurity mini learning guide discusses cloud computing risk management, including how organizations can prepare for cloud outages, conduct a cloud computing risk assessment and evaluate cloud providers.
Table of contents:
Recently, the Cloud Security Alliance (CSA) released Version 2.1 of its Cloud Controls Matrix (CCM), a set of baseline controls adjusted to the CSA guidance and mapped to industry standards, regulations and frameworks, such as PCI DSS, HIPAA and COBIT.
In this SearchCloudSecurity.com Q&A, Becky Swain, co-chair of the Cloud Controls Matrix working group, discusses the Cloud Controls Matrix (CCM) and how organizations can use it to help with their cloud computing risk management efforts.
Recent cloud outages at Microsoft, Amazon and others are alarming reminders that cloud services are not perfect. They can be interrupted despite the promises of skilled advertisers; meaning cloud computing risk management should also involve managing the risk of cloud outages.
What can a company do to prepare for a cloud outage? In this tip, you will learn seven best practices for cloud risk management and managing the risk of cloud outages.
Cloud computing risk management requires revisiting risk assumptions. Enterprises looking to move services to the cloud must understand and account for emerging and changing risks and adjust their security programs accordingly for cloud computing risk management and business continuity planning.
In this tip, contributor Ed Moyle discusses cloud computing risk management and the importance of adjusting risk management controls based on emerging risks.
One extremely important role of information security professionals is educating management on how to gain “trust” when outsourcing their IT infrastructure to cloud providers. Are there guidelines for determining if a cloud provider is trustworthy?
In this tip, Joseph Granneman discusses why ISO 27000 is a good tool for evaluating the security of a prospective cloud service provider, and explains how organizations can use the ISO 27000 standards in their cloud risk assessments.
Many experts agree that SAS 70 or SSAE 16 audit reports should not be the only means for evaluating the risks of using cloud computing service providers. The most effective cloud computing risk management approach is developing a due diligence audit process customized to the specific compliance or information security needs of the business. However, information security professionals struggle to develop cloud audit procedures on their own, while still managing their daily tasks.
Here, contributor Joseph Granneman explains how organizations can evaluate cloud computing risk with a framework for building a customized due diligence process for evaluating cloud computing risk. Also, learn how to present the results to management.
According to the Cloud Security Alliance (CSA), the recent cloud outages at Amazon, Microsoft and other providers have highlighted the need for better cloud computing risk management. In this opinion piece, Jim Reavis of the CSA reflects on recent cloud outages and discusses cloud risk management best practices.
Face-off: Assessing cloud computing risks
Security experts Bruce Schneier and Marcus Ranum debate the kinds of risks associated with cloud computing and whether they should be absorbed by the customer.