Cloud computing promises many benefits. Cost reductions, improved efficiency and improved security is what many companies can gain from moving into the cloud.
As with a traditional IT outsourcing venture there are also many threats, so you might want to perform an IT risk assessment before you go cloud. You'll need to decide upon what data and applications to move to the cloud, what type of cloud service fits your purpose, and of course assess the vendor you are considering.
Cloud security is different dependent on whether you want to jump into the cloud with a Software as a Service, Platform as a Service or Infrastructure as a Service solution (SaaS, PaaS, IaaS). As an IaaS customer, you will often have more operational security responsibilities, compared to SaaS, where you basically subscribe to the security services offered by your cloud provider.
Use a threat-based methodology
Regardless which type of cloud service you choose, you'll need to have an information security risk management process in place. This process should be based on a best practice methodology. I recommend you check out the ISO 27005 standard; it is a threat-based methodology that provides guidelines for information security risk management.
An alternative to the threat based approach is the control based approach. The risk management professionals in our team find that the threat based approach offers a more accurate risk picture, as you in the assessment process decide which threats causes business risks that need to be managed. In contrast, the control based approach can result in a list of of controls that may or may not offer business value.
ISO 27001 and ISO 27005 alignment
As an added bonus of following the ISO 27005 methodology, you will be on your way to compliance with the risk management requirements of ISO 27001.
The Cloud Security Alliance has compiled a list of the biggest threats to cloud security, which will help you assess potential cloud service providers.
Assess the potential impact to your business
ISO 27005 suggests you perform a Business Impact Analysis (BIA), and that's also a good advice before moving to the cloud. You will have to identify your critical and non-critical business processes. 'Critical processes' can be defined as those whose disruption would be unacceptable to your business.
Assess vulnerability or incident likelihood
Vulnerability assessments are also an ISO 27005 recommendation. These can be time-consuming to conduct, but luckily there are resources that can help. The Cloud Security Alliance (again) has a STAR registry that documents the security controls provided by various cloud-computing providers. All the providers in the registry has carried out self-assessments based on a control matrix from CSA. You can find the Cloud Security Alliance STAR Registry here.
Instead of vulnerability assessments, you may find it faster to assess how likely it is that security incidents will happen at your provider. Some organizations use past performance as an indicator of incident likelihood assessment.
Combining BIA and likelihood into risks
When you know the business impact of an incident, and you know incident likelihood, you can calculate your risk level, and then decide if it's acceptable to your business or not. The risk treatment process of ISO 27005 suggests four treatment options:
-
Accept Risk
-
Avoid Risk
-
Reduce Risk
-
Share Risk (in the past referred to as "Transfer Risk")
Are these tips useful in the assessment of your security? Do you have any experience in this field? Feel free to share your comments here on the blog.
---------------------------------
PS! The ISO 27001/2 standards are recognized and widely implemented in many organizations worldwide for good reasons. That is why we designed our GRC platform to provide you with risk management tools – based on the ISO 27005 and ISO 27001 standards. Here's how we can help your cloud security risk management:
- It helps you manage your business impact assessments
- It helps you manage vulnerability or probability assessments in relation to your cloud provider
- It helps you calculate, evaluate and report your risks
- It helps you treat your risks.