With organizations continuing to move into the cloud at a rapid pace, you'd naturally think that security and compliance teams would be conducting in-depth risk assessments of cloud service providers and of cloud service use in general. Sadly, more often than we'd like to admit, this isn't the case.
Tenable Network Security recently published its "2017 Global Cybersecurity Assurance Report Card," which ranked cloud risk assessment among the biggest enterprise security weaknesses worldwide. The report found that just 60% of respondents were able to conduct cloud risk assessments, down from the previous year. Many respondents were also not confident in the thoroughness of their risk assessments for containerization and DevOps environments, both of which play pivotal roles in many enterprise cloud deployments today.
Many enterprises struggle with cloud risk assessment for several reasons. First, the technologies involved in cloud deployments are new and evolving rapidly, which makes it difficult to pin down specific security controls and risk parameters. In addition, cloud providers constantly update their environments and service offerings, so a definitive risk assessment is a moving target. Add the changing compliance and regulatory landscape on top of this, and a cloud-focused risk assessment can seem daunting.
Another major reason cloud risk assessments aren't happening is likely a shortage of cloud security skills, and possibly simply a lack of people to do the work.
Cloud risk assessment frameworks
Fortunately, real efforts have been made by several organizations to create and publish cloud risk assessment frameworks and standards, and enterprise risk teams can make use of these to help guide and perform their own risk analysis efforts when moving to the cloud.
The European Network and Information Security Agency (ENISA) released a reasonable risk assessment framework that can be used to determine the risks involved with a move to the cloud.
There are two documents published by ENISA -- one is a general cloud information assurance framework, with all the components necessary to evaluate the security of a cloud infrastructure. The second document, a complementary guide to the framework, provides the outline of an overall risk assessment. The ENISA documents provide a comprehensive view of major categories of cloud risk, including personnel security, physical security, operations, application assurance and much more.
Another guide that can help organizations assess the state of cloud provider environments from a security perspective is the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire. This guide covers many of the same areas as ENISA, but also aligns with the CSA Cloud Controls Matrix, and it is updated more frequently than the ENISA documents.
One last document that some may find useful when planning cloud risk assessments is the Cloud Risk guide from Shared Assessments, which makes a number of recommendations related to risk review for cloud, but doesn't provide quite as usable a framework as ENISA or CSA.
Regardless of which framework organizations use as a starting point -- and there is likely merit in reviewing and using references and recommendations from more than one -- security and risk teams will need to enhance and modify these guides to meet their own unique needs.
In addition, these guides are less prescriptive about internal controls that come into play with hybrid cloud architectures; instead, they focus primarily on controls the cloud provider has set up internally and/or made available to the tenants.
Make sure the assessment, and the provider contract, put particular emphasis on data security: encryption and key management, role-based access control and multifactor authentication, data lifecycle controls, how legal requests for tenant data are handled, and the specifics of data breach notification (what is reported, to whom and within what timeframe).
Above all, ensure you have a governance program that facilitates meaningful conversations about cloud risk between security teams and other business stakeholders. Executives should have a good understanding of the risks involved in cloud deployments, the potential impacts on the organization and what options are available to them. Developing a well-documented and repeatable cloud risk assessment process is the best way to accomplish this.