A framework for evaluating cloud computing risk

One approach for building a customized, due-diligence process for evaluating cloud provider risk and presenting the results to management.

This tip is a part of the SearchCloudSecurity.com learning guide, Cloud computing risk management: Assessing key risks of cloud computing.

Most experts will agree that the SAS 70 or SSAE 16 audit reports should not be used as the sole source of information to evaluate risks involved with potential cloud computing providers.  The best approach is for a company to develop a due diligence audit process customized to the specific compliance or information security needs of the business.  However, information security professionals struggle to develop cloud audit procedures on their own while still performing their demanding daily tasks. 

Unfortunately, the difficulty increases more once the audit process has been developed because the results must be in a format that is quickly digestible by company management.  The goal here  is to provide an actionable framework for information security professionals to complete cloud computing risk assessments and clearly present the results to upper management. 

It's important to note that many of the same technology risks exist in the cloud as in internal computing environments. Whereas internal risks are usually mitigated through the use of technical controls, cloud computing risks are usually mitigated through contractual obligations.  Depending on the cloud service model, the cloud provider performs many of the technical risk mitigation that would have been the responsibility of the customers' internal technical resources in an internally hosted environment.  This is important because information security professionals must judge cloud provider risks just as if the service were hosted internally.  They must then look for evidence of the cloud provider mitigating these risks and decide if the mitigation strategies are enough to meet the business's risk tolerance.

In keeping with this theme,  cloud computing risk assessments involve these 10 categories:

1. Effectiveness of controls
Evaluate if the current controls provide adequate protections for the data or service the company is considering hosting in the cloud.  For example, is the separation of duties for cloud provider employees appropriate and does it limit the number with access to confidential data?

2. Auditing and oversight
Evaluate the cloud provider's current auditing  and how oversight of administrative changes is accomplished.  For example, ask for a change-control log where changes were tested and approved by appropriate management personnel. 

3. Technical security architecture
Evaluate current technical architecture including firewalls, VPNs, patching, intrusion prevention and network segregation.  This evaluation could also include programming languages and Web application frameworks.  Can the environment match business security requirements?

4. Data integrity
Investigate how the cloud computing vendor keeps each customer's data separate while utilizing the same hardware.  Does this separation match business security or compliance requirements?

5. Data encryption
Investigate how the cloud computing provider implements encryption for both data-in-transit as well as data-at-rest.  Most providers will utilize encryption for data-in-transit, but may not have a capability for encrypting data-at-rest.  Do the provider's encryption practices match business security or compliance requirements?

6. Operations security
Review the disaster recovery and business continuity plans for the cloud service provider.  Do they provide adequate protection for business needs?  How often are the plans tested?  Does the data center provide enough redundancy for business needs?

7. Standardized procedures
Evaluate the standard procedures that the cloud services provider utilizes in its operations.  An example would be the offsite tape backup procedure or the background pre-employment screening procedure.  Another important procedure to document is how the interests of the customer will be represented during a legal investigation or subpoena request.

8. Business stability
Evaluate the current financial condition and history of the cloud computing provider.  It might be necessary to utilize other company resources to assist in this evaluation.  It's easy to find information on publicly traded companies, but private companies may require more investigation. 

9. Intellectual property
Investigate potential issues with the cloud computing provider hosting business data.  This will include ownership, return and deletion of the data after the contract expires. 

10. Contractual language
Review the proposed contract with legal representation.  All of the controls documented in the previous nine audit categories listed above should match the contractual language in order to be meaningful.  Require that any deviation from these agreed-upon information security protections be communicated with the business and specify penalties associated with non-compliance.        

The due diligence audit must provide adequate information for each of these categories so the information security professional can accurately comment and score each one.  You can acquire this information through several methods, including phone conversations, report samples, technical drawings and onsite audits.  The method used may vary as it should reflect the type of service being provided by the cloud computing vendor as well as the associated business risks.  For example, the audit performed on a potential cloud computing vendor that provides a website containing company advertising would require less scrutiny than if it provides an ecommerce site that stores credit card information.

How to present cloud computing risk findings

All of this cloud computing risk  information must now be put into a format that can be presented to management for review.  A good way to build this report is to use a rating system that assigns a value to each security category representing the auditor's opinion of the cloud computing provider's security posture.  This can be as simple as a 1-5 rating system with a five representing the highest risk.  The ratings need to be weighted based on importance since the relevance of each security category will vary based on the type of cloud computing solution being considered.  For example, data encryption would be much more important for the aforementioned ecommerce site with credit card data when compared to the company advertising site. 

The relevance can be recorded on the same 1-5 scale with five being the most important or relevant to the cloud computing solution being provided.  A weighted score for each category can then be calculated by multiplying the relevance score by the risk score.  An average of all of the category scores can then be generated to represent a single value that can be easily communicated to management.  The following table demonstrates what the final results of this process would look like for a typical business critical application: 

 Cloud Computing Risk Assessment Example
  Relevance (1-5) Risk (1-5) Total
Controls 5 2.5 12.5
Audits 5 4 20.0
Architecture 3 3.5 10.5
Data Integrity 5 4 20.0
Data Encryption 2.5 4.5 11.3
Hosting Security 5 1 5.0
Procedures 4 2.5 10.0
Business Stability 5 2.5 12.5
Legal -- Contract 5 4 20.0
Intellectual Property 5 2.5 12.5
Total Project Risk (out of 25)   13.4

This framework provides a means of comparison between cloud computing vendors or even between cloud and internal hosting options.  The most important feature of this framework is it does not require any technical or security knowledge to interpret the scores or evaluate risk.  However, the technical details have been under much more scrutiny than in other audits, such as SAS 70 or SSAE 16.  It also allows the business to weigh the relevant risks to the cloud computing resource being provided.

This is only one method that can be used to build a customized, due-diligence process for evaluating the risk of using cloud computing providers. There is much more detail involved in building any due-diligence process, but this framework is a good place to start.  The important point is any framework used to evaluate cloud computing risks must also be able to effectively communicate these risks to business leaders.  The role of the information security professional is to evaluate and provide this information for business leaders to make the best possible decisions regarding cloud computing providers.  

About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services.  He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.

Dig Deeper on Evaluating Cloud Computing Providers