Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

From LIMSWiki
Older revision (left column of the diff):

In January 2021, ''Business Tech Weekly'' highlighted the biggest security challenges to organizations adopting cloud. Among them were<ref name="AntonenkoCloud21">{{cite web |url=https://www.businesstechweekly.com/cybersecurity/data-security/cloud-computing-security-issues-and-challenges/ |title=Cloud computing security issues and challenges |author=Antonenko, D. |work=Business Tech Weekly |date=04 January 2021 |accessdate=21 August 2021}}</ref>:
* inadequate access control
* insufficient contract regulation
* unsecure software interfaces
* low data visibility
* delays in deleting data
* inability to maintain regulatory compliance

These and other related challenges are a product of the various risks of doing business in the cloud. Those risks (in a business context, essentially the aspects of the business and of the environment it operates in that endanger its objectives) must in turn be managed so that the organization can better ensure it meets its goals. This requires risk management.

Risk management is the process of identifying, evaluating, and prioritizing risks, and then developing an economical and efficient strategy for monitoring, controlling, and mitigating those risks. Whether risk management is part of an overall cybersecurity plan (as it should be) or an independent process (perhaps more common in very small organizations), it always makes sense to have strategies for managing threats and responding to opportunities, not only for the organization as a whole but also specifically for IT and software implementations.

But what are the major risks associated with cloud computing initiatives that drive the need for risk management? And what are the potential consequences if those risks are left unchecked? Business consultancy KPMG released a 2018 report about managing risk in the cloud. In that report, author Sai Gadia identified five critical categories of risk to organizations venturing into the cloud: data security and regulatory risk, technology risk, operational risk, vendor risk, and financial risk.<ref name="GadiaHowTo18">{{cite web |url=https://assets.kpmg/content/dam/kpmg/ca/pdf/2018/03/cloud-computing-risks-canada.pdf |format=PDF |title=How to manage five key cloud computing risks |author=Gadia, S. |publisher=KPMG LLP |date=March 2018 |accessdate=21 August 2021}}</ref>

These five categories neatly sum up the areas of risk to which a cloud risk assessment should be applied, but let's look at each of them a bit more closely.

'''Data security and regulatory risk''': This category examines the concerns of [[data integrity]] and availability.
* ''The potential risks'': data is leaked, lost, or becomes unavailable.
* ''The potential consequences'': reputation loss, regulatory non-compliance, business interruptions, and loss of revenue.
* ''The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative'': maintaining enforcement of existing corporate security policies, maintaining regulatory compliance, managing user access effectively, managing networking across multitenancy or shared infrastructures, and gaining greater flexibility with encryption and security controls offered by the cloud service provider (CSP).
* ''Getting around these challenges'': Organizations should "have mature data protection and regulatory compliance programs staffed with talented individuals who have sufficient authority and clear responsibilities. Such organizations also leverage leading third-party or homegrown automated tools and continuously improve their capabilities."<ref name="GadiaHowTo18" />

'''Technology risk''': This category examines the concerns of rapid shifts in underlying technologies.
* ''The potential risks'': cloud-specific technologies rapidly evolve, and standardization of those technologies doesn't keep up.
* ''The potential consequences'': added costs associated with rearchitecting cloud systems, shifting data to new platforms, developing new integrations, and requiring additional training.
* ''The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative'': maintaining room in the budget for rearchitecting cloud applications and systems periodically, maintaining the personnel to stay engaged and focused on changes happening in the industry, and identifying tools (e.g., dashboards) that can extend the life cycle of your cloud implementation.
* ''Getting around these challenges'': Organizations should "recognize that cloud will require the role and responsibilities of in-house IT professionals to evolve and are making the necessary investment to train individuals and encourage the adoption of innovative technology. In the process, they are also increasing alignment with the vision and business of the organization."<ref name="GadiaHowTo18" /> IT professionals should also be considering aspects of cloud such as compatibility with other CSPs as new services are added.

'''Operational risk''': This category examines the concerns of how IT services and tasks get effectively performed.
* ''The potential risks'': suboptimal service reliability; suboptimal service features; insufficient control over the underlying service; and theft, fires, and natural disasters.
* ''The potential consequences'': costly downtime, slower workflows, slower disaster recoveries, and permanent losses of vital assets.
* ''The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative'': maintaining room in the budget for leading technologies, maintaining room in the budget for a service that meets most if not all workflow and regulatory requirements, having the budget and knowledge to implement redundant systems (e.g., via hybrid cloud), and being able to rapidly bounce back from asset losses.
* ''Getting around these challenges'': Organizations should "adopt the agile development methodology as well as the DevOps model for cloud deployments. Such organizations are now using the learning from pilot projects to shape the enterprise development methodologies of the future."<ref name="GadiaHowTo18" /> Additionally, they should investigate how to best cost-optimize redundant cloud storage based on access patterns, geography, etc.<ref name="WaibelCost17">{{cite journal |title=Cost-optimized redundant data storage in the cloud |journal=Service Oriented Computing and Applications |author=Waibel, P.; Matt, J.; Hochreiner, C. et al. |volume=11 |pages=411–26 |year=2017 |doi=10.1007/s11761-017-0218-9}}</ref> Additionally, if the organization is responsible for localized (i.e., private cloud) assets housing critical operational data and equipment, the organization should have sufficient plans in place on how to mitigate risks from physical disasters and other threats to that data and equipment.

'''Vendor risk''': This category examines the concerns of doing business with a CSP.
* ''The potential risks'': vendor files for bankruptcy, is named in a lawsuit, is scrutinized by a regulatory body, or otherwise has an underlying lack of sustainability or compliance.
* ''The potential consequences'': loss of data, loss of service, reduced service, and lack of compliance (which has its own costs to an organization).
* ''The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative'': knowing the deep inner workings of the CSP, knowing the financial stability of the CSP, knowing the CSP's true reputation among a wide number of other customers, and putting faith in the CSP's trust center materials.
* ''Getting around these challenges'': Organizations should "take a long-term strategic view to manage their relationships with cloud service providers. Such companies are actively engaged and are shaping the road map of CSPs' service offerings to help accelerate their move to cloud while being offered better tools by the CSP to efficiently manage risks."<ref name="GadiaHowTo18" /> This long-term strategic view should include significant due diligence about the vendor's underlying operations, stability, and fall-back plans should they suffer a major business loss.

'''Financial risk''': This category examines the concerns of the organization’s long-term revenues and ability to budget for cloud services.
* ''The potential risks'': underestimating initial implementation costs, long-term service costs, long-term capital expenditure carry-over (if any), and long-term business revenues.
* ''The potential consequences'': cost overruns, layoffs, budget cut-backs, and detrimental scaling back of necessary services.
* ''The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative'': finding and retaining experienced and knowledgeable staff capable of budgeting future (and changing) cloud costs, as well as managing the financial activities of the organization.
* ''Getting around these challenges'': Organizations should "assign individuals with the responsibility for budgeting, tracking, and managing cloud costs. Such organizations are also making use of advanced third-party analytical tools available to manage cloud costs."<ref name="GadiaHowTo18" /> Estimating those costs can be challenging, particularly in industries where high-throughput data is being created and managed. As such, negotiating a special agreement with the CSP may be of value.<ref name="NavaleCloud18">{{cite journal |title=Cloud computing applications for biomedical science: A perspective |journal=PLoS Computational Biology |author=Navale, V.; Bourne, P.E. |volume=14 |issue=6 |at=e1006144 |year=2018 |doi=10.1371/journal.pcbi.1006144 |pmid=29902176 |pmc=PMC6002019}}</ref> Also, ensure the organization is considering costs associated with contract modifications and cancellation fees.

Newer revision (right column of the diff):

Speaking to the broad business level, well-executed integrated risk management programs help limit risks within an organization, in turn helping the organization realize tangible benefits.<ref name="HillsonUsing03">{{cite web |url=https://www.pmi.org/learning/library/risk-management-strategic-advantage-tactics-7727 |title=Using risk management for strategic advantage |author=Hillson, D. |publisher=Project Management Institute |date=25 September 2003 |accessdate=21 August 2021}}</ref> But what benefits does an organization gain by employing integrated risk management? First, by discussing the positive and negative aspects of risks, you potentially discover unintended consequences or new opportunities you may not have at first considered. You may also identify how those risks may extend to other parts of the organization you didn't expect. For example, could a security gap on a remote field sensor lead to a potential attacker finding a way into operational data stores? If you discuss these and other potential situations, the organization also has the added benefit of not being caught off guard, since the risk has already been acknowledged. Finally, with quality risk management planning, resources are deployed more optimally and performance becomes more consistent.<ref name="HillsonUsing03" /><ref name="AmatoFive16">{{cite web |url=https://www.fm-magazine.com/news/2016/jul/integrated-risk-management-201614781.html |title=5 benefits of an integrated risk management programme |work=Financial Management |author=Amato, N. |date=12 July 2016 |accessdate=21 August 2021}}</ref>

An integrated risk management approach will naturally extend to an organization’s information technology and how it's used. From sticky-noted passwords on monitors to unauthorized USB hard drives, local IT systems and their data can be put at risk. Now imagine extending that risk to public cloud services. Remember, with added complexity comes added risk, and cloud computing is no exception. This requires a concerted effort from all levels of the organization (again, see Figure 4) to address the risks of doing business in the cloud. This effort can be expedited through the use of risk management and cybersecurity frameworks that guide the organization towards better security and data integrity.

Cloud computing has existed for over a decade now, and many experts have arisen from the rapidly changing field. Some of those experts have contributed their experience and knowledge to the development of risk management and cybersecurity frameworks over the years. The most successful have been widely disseminated (though several may not be free), meaning you don't have to reinvent the wheel when it comes to assessing and managing risk in your existing and upcoming IT systems. Table 7 shows some popular examples of risk management and cybersecurity frameworks that can be applied to provider and customer cloud security efforts.

{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="70%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 7.''' Examples of some common risk management and cybersecurity frameworks for cloud security.
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Framework
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Developer
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Type of framework
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Details
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/ CIS Controls with Cloud Companion Guide]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security (CIS)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The CIS Controls are a "prioritized set of actions to protect your organization and data from known cyber-attack vectors."<ref name="CIS_Controls">{{cite web |url=https://www.cisecurity.org/controls/ |title=CIS Controls |publisher=Center for Internet Security |accessdate=21 August 2021}}</ref> The CIS has released a Cloud Companion Guide to accompany their cybersecurity controls, meant to address how to use the CIS Controls in a cloud environment.<ref name="CIS_ControlsCloud">{{cite web |url=https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/ |title=CIS Controls Cloud Companion Guide |publisher=Center for Internet Security |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloudsecurityalliance.org/research/cloud-controls-matrix/ Cloud Controls Matrix (CCM)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Alliance (CSA)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards."<ref name="CSA_CCM">{{cite web |url=https://cloudsecurityalliance.org/research/cloud-controls-matrix/ |title=Cloud Controls Matrix (CCM) |publisher=Cloud Security Alliance |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062 Cloud Security Risk Management (ITSM.50.062)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Canadian Centre for Cyber Security (CCCS)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"To enable the adoption of cloud computing, the Government of Canada (GC) developed an integrated risk management approach to establish cloud-based services. ITSM.50.062 outlines this approach which can be applied to all cloud based services independently of the cloud service and deployment models."<ref name="CCCSCloud19">{{cite web |url=https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062 |title=Cloud Security Risk Management (ITSM.50.062) |author=Canadian Centre for Cyber Security |publisher=Government of Canada |date=March 2019 |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://dx.doi.org/10.14569/IJACSA.2019.0101226 Cloud Security Risk Management Framework (CSRMF)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Ahmed E. Youssef
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting [cloud computing] identify, analyze, evaluate, and mitigate security risks in their cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives."<ref name="YoussefAFrame19">{{cite journal |title=A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations |journal=International Journal of Advanced Computer Science and Applications |author=Youssef, A.E. |volume=10 |issue=12 |pages=186-194 |year=2019 |doi=10.14569/IJACSA.2019.0101226}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 Cloud Security Risk Vectors]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Tim Maurer and Gerrett Hinck
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"The framework ... applies the well-known cybersecurity triad of confidentiality, integrity, and availability to these risk vectors and includes rough guesstimates of the probabilities that various incidents will occur, ranging from more common incidents to potential black swan events. These probabilities are not intended as predictors but rather as a starting point for a discussion of how different risks could be classified that will hopefully be tested and improved with feedback from other experts over time. The notional probabilities were based on the authors’ assessment of the frequency of past occurrences, with events that have not yet occurred being assigned lower probabilities."<ref name="MaurerCloud20">{{cite web |url=https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 |title=Cloud Security: A Primer for Policymakers |author=Maurer, T.; Hinck, G. |publisher=Carnegie Endowment for International Peace |date=31 August 2020 |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.iso.org/standard/43757.html ISO/IEC 27017:2015]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 27017:2015 "provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls, and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements."<ref name="ISO27017">{{cite web |url=https://www.iso.org/obp/ui/#iso:std:iso-iec:27017:ed-1:v1:en |title=ISO/IEC 27017:2015(en) Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services |publisher=International Organization for Standardization |date=July 2015 |accessdate=21 August 2021}}</ref>
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.nist.gov/cyberframework NIST Cybersecurity Framework]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity framework
  | style="background-color:white; padding-left:10px; padding-right:10px;"|This framework "consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."<ref name="NIST_NewTo">{{cite web |url=https://www.nist.gov/cyberframework/new-framework |title=Cybersecurity Framework - New to Framework |publisher=National Institute of Standards and Technology |date=23 September 2020 |accessdate=21 August 2021}}</ref> Note, however, that the framework has a couple of weaknesses with regard to cloud computing, including not addressing long-term retention of log files, security gaps with shared responsibility models, virtual tenant delegation, and too-broad role-based privileges.<ref name="HazelmanWhatThe20">{{cite web |url=https://www.infosecurity-magazine.com/opinions/nist-framework-misses-cloud/ |title=What the NIST Framework Misses About Cloud Security |work=InfoSecurity |date=28 December 2020 |accessdate=21 August 2021}}</ref> If this framework is adopted, keep these and other deficiencies in mind when attempting to close any security gaps.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://csrc.nist.gov/projects/risk-management/ NIST Risk Management Framework (RMF)]
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud and cybersecurity risk management
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector."<ref name="NIST_RMF21">{{cite web |url=https://csrc.nist.gov/projects/risk-management/about-rmf |title=NIST Risk Management Framework - About the Risk Management Framework (RMF) |publisher=National Institute of Standards and Technology |date=21 August 2021 |accessdate=21 August 2021}}</ref> The risk management framework is closely tied to SP 800-53 Rev. 5 ''Security and Privacy Controls for Information Systems and Organizations''.
|-
|}

Whether part of an organization’s broad cybersecurity plan development or as an independent effort, the organization should consider turning to the security controls, program development, and risk management aspects of one or more risk management and cybersecurity frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. These frameworks will not only couch risks in terms of threats to confidentiality, integrity, and availability, but many will also contain security controls recommended for implementation to combat those threats.

NIST defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security_control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=21 August 2021}}</ref> Let's use NIST's SP 800-53 Rev. 5 as an example. One of its security controls is "AC-20(4) Network Accessible Storage Devices - Prohibited Use," which states that users shall not use an organization-defined network accessible storage device in external systems, including "online storage devices in public, hybrid, or community cloud-based systems."<ref name="NISTSP800-53Rev5">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |title=SP 800-53 Rev. 5 ''Security and Privacy Controls for Information Systems and Organizations'' |publisher=National Institute of Standards and Technology |date=10 December 2020 |accessdate=21 August 2021}}</ref> This control represents a potential safeguard an organization can implement, most likely as part of an enforced organizational security policy. By extension, those stakeholders responsible for configuring security in the cloud may also implement controls in the infrastructure to further discourage such access to those storage devices.

Note, however, that in contrast to using security controls, some frameworks exist to provide a more program-based or risk-based approach to plan development. Instead of using security controls that mandate an action as a base for building security, risk-based frameworks will typically first help the organization identify the potential threats to its goals and resources and define the strategy that will effectively monitor for and minimize the impact of those risks. Security controls can then be selected as part of that risk discovery process, but the overall framework serves as a guide to identifying and prioritizing the risks most likely to affect the organization. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

In 2020, Deloitte's Center for Regulatory Strategy released a document detailing the Federal Financial Institutions Examination Council's (FFIEC's) Joint Statement on Security in a Cloud Computing Environment. Part of that joint statement addressed how financial services institutions should approach risk management through the application of a risk-based framework. Five layered and hierarchical considerations were given for those institutions towards adopting a risk-based framework: governance, cloud security management, change management, resilience and recovery, and audit and controls assessment (from top to bottom). Those considerations are further discussed here<ref name="DeloitteFFIEC20">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf |format=PDF |title=FFIEC statement on risk management for cloud computing services |author=Bhat, V.; Kapur, S.; Hodgkinson, S. et al. |publisher=Deloitte Development, LLC |date=2020 |accessdate=21 August 2021}}</ref>:
* ''Governance'': Similar to NIST SP 800-37 Rev. 2's risk management approach (Figure 4), knowledgeable stakeholders from all levels of the organization work together as a group to provide subject matter expertise towards developing an organizational plan for choosing, implementing, and securing cloud computing infrastructure and services.<ref name="DeloitteFFIEC20" />
* ''Cloud security management'': The group's stakeholders complete due diligence research on identified CSPs and how they can prove their level of enacted compliance and security controls, particularly with regard to the needs of the organization. As the organization dives deeper into this process and begins talking about contracts, the stakeholder group may need to develop a responsibility matrix—a tool for clearly delineating responsibilities, roles, milestones, and accountability for a project<ref name="KantorTheRACI18">{{cite web |url=https://www.cio.com/article/2395825/project-management-how-to-design-a-successful-raci-project-plan.html |title=The RACI matrix: Your blueprint for project success |author=Kantor, B. |work=CIO |date=30 January 2018 |accessdate=21 August 2021}}</ref>—to make clear who is responsible for what, particularly if any initial contract or shared responsibility model isn't clear or appears to neglect certain tasks and responsibilities. Additionally, during discussion of contracts and service-level agreements, the topic of quality assurance reports and "right to audit" systems should be discussed and finalized in writing.<ref name="DeloitteFFIEC20" /><ref name="HeroldWhyYou20">{{cite web |url=https://privacysecuritybrainiacs.com/privacy-professor-blog/why-you-should-use-a-right-to-audit-clause/ |title=Why You Should Use a Right to Audit Clause |author=Herold, R. |work=Privacy Security Brainiacs |date=28 March 2020 |accessdate=21 August 2021}}</ref>
* ''Change management'': When implementing software solutions or standalone code in the cloud, those solutions and code snippets will need to be updated from time to time for security purposes. These sorts of changes may have an impact on other aspects of the overall cloud experience, including security. As such, change management practices that take into consideration the use of cloud-specific testing tools and security knowledge are encouraged. Also consider the use of microservices architecture—which encourages a modular, independently deployable approach to application services<ref name="HustonWhatIs15">{{cite web |url=https://smartbear.com/solutions/microservices/ |title=What is Microservices |author=Huston, T. |work=SmartBear |date=2015 |accessdate=21 August 2021}}</ref>—which, when implemented well, will limit the exposed attack surface.<ref name="DeloitteFFIEC20" />
* ''Resilience and recovery'': Business continuity planning (BCP) is a critical part of any overall risk management planning. A BCP document outlines instructional procedures the organization must follow should a major disruption in provided services occur. Those disruptions can be sourced to risks such as natural disasters, [[pandemic]]s, fires, and sabotage. The BCP document should address continuity of service at all levels of the organization, including business processes, assets, human resource management, business partner effects, etc.<ref name="LindrosHowTo17">{{cite web |url=https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html |title=How to create an effective business continuity plan |author=Lindros, K.; Tittel, E. |work=CIO |date=18 July 2017 |accessdate=21 August 2021}}</ref> The addition of cloud services to business operations requires renewed examination of the BCP of the organization. Apply "stress test" scenarios to business operations under the scope of a CSP having services disrupted. Keep in mind how agile you expect the CSP to be in restoring service or recovering from a catastrophic event, including a pandemic that forces more staff to work remotely. How does this change your BCP, as well as any related disaster recovery planning documentation?<ref name="DeloitteFFIEC20" />
* ''Audit and controls assessment'': If your organization operates in a highly regulated sector, vetting the CSP as a whole may not be enough. Determine if regular background checks are performed on critical staff supporting regulated data storage and transmission on the cloud service. Know the regulations and standards that affect your industry's data and operations, and ask the CSP for further evidence of how they comply and help you support compliance on their service. From there, taking into account all the information gathered prior, a risk management and/or cybersecurity framework with controls can be selected and adapted to address the specific requirements of cloud service adoption and use within your organization. Be sure to address required [[Information management|data management]] and security monitoring systems and their own security as part of the control selection process. And after security controls are selected, consider the usefulness of an external review of those controls to ensure you haven't missed anything important to your industry or operating environment.<ref name="DeloitteFFIEC20" />

While these five considerations were originally described in the context of financial services providers, these considerations can be readily applied to organizations in almost any sector. However, as Deloitte notes, these considerations are not a complete checklist for adopting a risk-based framework for cloud security. Organizations should also consider where "additional risk management measures such as ongoing assessments of concentration risk, data privacy and protection, data residency, increased adoption of new cloud services for regulated workloads," and more fit into overall risk management planning.<ref name="DeloitteFFIEC20" /> Your organization—as part of monitoring risk and quality control—will also likely want to adopt consistent periodic tests of the cloud computing security controls implemented into your organizational processes.<ref name="DeloitteFFIEC20" /> Other risk management activities include limiting the effects of employee negligence by providing thorough training and "blocking non-essential IPs from accessing the cloud," as well as having a detailed data loss plan and redundancies in place.<ref name="IFAhelp20">{{cite web |url=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ |title=A Helpful Guide to Cloud Computing in a Laboratory |work=InterFocus Blog |publisher=InterFocus Ltd |date=05 October 2020 |accessdate=21 August 2021}}</ref>
 
When identifying risks associated with doing business in the cloud, most likely you'll be able to fit them into one of these five categories. As indicated above, potential consequences come with potential risks, and you'll want to identify those consequences. Of course, it's not a simple matter of addressing those risks and consequences; they come with their own challenges. Identifying risks and consequences, and the challenges surrounding and limiting them, are all part of risk management. Finally, after identifying risks, consider the usefulness of an external review of those risks to ensure your organization hasn't missed anything significant.<ref name="DeloitteFFIEC20">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf |format=PDF |title=FFIEC statement on risk management for cloud computing services |author=Bhat, V.; Kapur, S.; Hodgkinson, S. et al. |publisher=Deloitte Development, LLC |date=2020 |accessdate=21 August 2021}}</ref>
 
But how does an organization successfully go through the risk management process? That's best accomplished with the aid of one or more risk management and cybersecurity frameworks.


==References==
{{Reflist|colwidth=30em}}

Revision as of 23:17, 3 February 2022

Speaking to the broad business level, well-executed integrated risk management programs help limit risks within an organization, in turn helping the organization realize tangible benefits.[1] But what are the benefits that arise from an organization that employs integrated risk management efforts? First, by discussing the positive and negative aspects of risks, you potentially discover unintended consequences or new opportunities you may not have at first considered. You may also identify how those risks may extend to other parts of the organization you didn't expect. For example, could a security gap on a remote field sensor lead to a potential attacker finding a way into operational data stores? If you discuss these and other potential situations, the organization also has the added benefit of not being caught off guard since the risk has already been acknowledged. Finally, with quality risk management planning, resources are deployed more optimally and performance becomes more consistent.[1][2]

An integrated risk management approach will naturally extend to an organization’s information technology and how it's used. From sticky-noted passwords on monitors to unauthorized USB hard drives, local IT systems and their data can be put at risk. Now imagine extending that risk to public cloud services. Remember, with added complexity comes added risk, and cloud computing is no exception. This requires a concerted effort from all levels of the organization (again, see Figure 4) to address the risks of doing business in the cloud. This effort can be expedited through the use of risk management and cybersecurity frameworks that guide the organization towards better security and data integrity.

Cloud computing has existed for over a decade now, and many experts have arisen from the rapidly changing field. Some of those experts have contributed their experience and knowledge to the development of risk management and cybersecurity frameworks over the years. The most successful have been widely disseminated (though several may not be free), meaning you don't have to reinvent the wheel when it comes to assessing and managing risk in your existing and upcoming IT systems. Table 7 shows some popular examples of risk management and cybersecurity frameworks that can be applied to provider and customer cloud security efforts.

{| class="wikitable"
|+ Table 7. Examples of some common risk management and cybersecurity frameworks for cloud security.
! Framework !! Developer !! Type of framework !! Details
|-
| CIS Controls with Cloud Companion Guide || Center for Internet Security (CIS) || Cybersecurity for cloud || The CIS Controls are a "prioritized set of actions to protect your organization and data from known cyber-attack vectors."[3] The CIS has released a Cloud Companion Guide to accompany their cybersecurity controls, meant to address how to use the CIS Controls in a cloud environment.[4]
|-
| Cloud Controls Matrix (CCM) || Cloud Security Alliance (CSA) || Cybersecurity for cloud || "The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards."[5]
|-
| Cloud Security Risk Management (ITSM.50.062) || Canadian Centre for Cyber Security (CCCS) || Cloud risk management || "To enable the adoption of cloud computing, the Government of Canada (GC) developed an integrated risk management approach to establish cloud-based services. ITSM.50.062 outlines this approach which can be applied to all cloud based services independently of the cloud service and deployment models."[6]
|-
| Cloud Security Risk Management Framework (CSRMF) || Ahmed E. Youssef || Cloud risk management || "In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting [cloud computing] identify, analyze, evaluate, and mitigate security risks in their cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives."[7]
|-
| Cloud Security Risk Vectors || Tim Maurer and Garrett Hinck || Cloud risk management || "The framework ... applies the well-known cybersecurity triad of confidentiality, integrity, and availability to these risk vectors and includes rough guesstimates of the probabilities that various incidents will occur, ranging from more common incidents to potential black swan events. These probabilities are not intended as predictors but rather as a starting point for a discussion of how different risks could be classified that will hopefully be tested and improved with feedback from other experts over time. The notional probabilities were based on the authors’ assessment of the frequency of past occurrences, with events that have not yet occurred being assigned lower probabilities."[8]
|-
| ISO/IEC 27017:2015 || International Organization for Standardization || Cybersecurity for cloud || ISO/IEC 27017:2015 "provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls, and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements."[9]
|-
| NIST Cybersecurity Framework || National Institute of Standards and Technology (NIST) || Cybersecurity framework || This framework "consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."[10] Note, however, that the framework has a couple of weaknesses in regards to cloud computing, including not addressing long-term retention of log files, security gaps with shared responsibility models, virtual tenant delegation, and too-broad role-based privileges.[11] If this framework is adopted, keep these and other deficiencies in mind when attempting to close any security gaps.
|-
| NIST Risk Management Framework (RMF) || National Institute of Standards and Technology (NIST) || Cloud and cybersecurity risk management || "Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector."[12] The risk management framework is closely tied to SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations.
|}

Whether part of an organization’s broad cybersecurity plan development or as an independent effort, the organization should consider turning to the security controls, program development, and risk management aspects of one or more risk management and cybersecurity frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. These frameworks will not only couch risks in terms of threats to confidentiality, integrity, and availability, but many will also contain security controls recommended for implementation to combat those threats.

NIST defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."[13] Let's use NIST's SP 800-53 Rev. 5 as an example. One of its security controls is "AC-20(4) Network Accessible Storage Devices - Prohibited Use," which states that users shall not use an organization-defined network accessible storage device in external systems, including "online storage devices in public, hybrid, or community cloud-based systems."[14] This control represents a potential safeguard an organization can implement, most likely as part of an enforced organizational security policy. By extension, those stakeholders responsible for configuring security in the cloud may also implement controls in the infrastructure to further discourage such access to those storage devices.

Note, however, that in contrast to using security controls, some frameworks exist to provide a more program-based or risk-based approach to plan development. Instead of using security controls that mandate an action as a base for building security, risk-based frameworks will typically first help the organization identify the potential threats to its goals and resources and define the strategy that will effectively monitor for and minimize the impact of those risks. Security controls can then be selected as part of that risk discovery process, but the overall framework serves as a guide to identifying and prioritizing the risks most likely to affect the organization. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

In 2020, Deloitte's Center for Regulatory Strategy released a document detailing the Federal Financial Institutions Examination Council's (FFIEC's) Joint Statement on Security in a Cloud Computing Environment. Part of that joint statement addressed how financial services institutions should approach risk management through the application of a risk-based framework. Five layered and hierarchical considerations were given for those institutions towards adopting a risk-based framework: governance, cloud security management, change management, resilience and recovery, and audit and controls assessment (from top to bottom). Those considerations are further discussed here[15]:

  • Governance: Similar to NIST SP 800-37 Rev. 2's risk management approach (Figure 4), knowledgeable stakeholders from all levels of the organization work together as a group to provide subject matter expertise towards developing an organizational plan for choosing, implementing, and securing cloud computing infrastructure and services.[15]
  • Cloud security management: The group's stakeholders complete due diligence research on identified CSPs and how they can prove their level of enacted compliance and security controls, particularly in regards to the needs of the organization. As the organization dives deeper into this process and begins talking about contracts, the stakeholder group may need to develop a responsibility matrix—a tool for clearly delineating responsibilities, roles, milestones, and accountability for a project[16]—to make clear who is responsible for what, particularly if any initial contract or shared responsibility model isn't clear or appears to neglect certain tasks and responsibilities. Additionally, during discussion of contracts and service-level agreements, the topic of quality assurance reports and "right to audit" systems should be discussed and finalized in writing.[15][17]
  • Change management: When implementing software solutions or standalone code in the cloud, those solutions and code snippets will need to be updated from time to time for security purposes. These sorts of changes may have an impact on other aspects of the overall cloud experience, including security. As such, change management practices that take into consideration the use of cloud-specific testing tools and security knowledge are encouraged. Also consider the use of microservices architecture—which encourages a modular, independently deployable approach to application services[18]—which, when implemented well, will limit exposure to surface area attacks.[15]
  • Resilience and recovery: Business continuity planning (BCP) is a critical part of any overall risk management planning. A BCP document outlines instructional procedures the organization must follow should a major disruption in provided services occur. Those disruptions can be sourced to risks such as natural disasters, pandemics, fires, and sabotage. The BCP document should address continuity of service at all levels of the organization, including business processes, assets, human resource management, business partner effects, etc.[19] The addition of cloud services to business operations requires renewed examination of the BCP of the organization. Apply "stress test" scenarios to business operations under the scope of a CSP having services disrupted. Keep in mind how agile you expect the CSP to be in restoring service or recovering from a catastrophic event, including a pandemic that forces more staff to work remotely. How does this change your BCP, as well as any related disaster recovery planning documentation?[15]
  • Audit and controls assessment: If your organization operates in a highly regulated sector, vetting the CSP as a whole may not be enough. Determine if regular background checks are performed on critical staff supporting regulated data storage and transmission on the cloud service. Know the regulations and standards that affect your industry's data and operations, and ask the CSP for further evidence of how they comply and help you support compliance on their service. From there, taking into account all the information gathered prior, a risk management and/or cybersecurity framework with controls can be selected and adapted to address the specific requirements of cloud service adoption and use within your organization. Be sure to address required data management and security monitoring systems and their own security as part of the control selection process. And after security controls are selected, consider the usefulness of an external review of those controls to ensure you haven't missed anything important to your industry or operating environment.[15]

While these five considerations were originally described in the context of financial services providers, these considerations can be readily applied to organizations in most any sector. However, as Deloitte notes, these considerations are not a complete checklist for adopting a risk-based framework for cloud security. Organizations should also consider where "additional risk management measures such as ongoing assessments of concentration risk, data privacy and protection, data residency, increased adoption of new cloud services for regulated workloads," and more fit into overall risk management planning.[15] Your organization—as part of monitoring risk and quality control—will also likely want to adopt consistent periodic tests of the cloud computing security controls implemented into your organizational processes.[15] Other risk management activities include limiting the effects of employee negligence by providing thorough training and "blocking non-essential IPs from accessing the cloud," as well as having a detailed data loss plan and redundancies in place.[20]
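As an added illustration (not from the page, NIST, or Deloitte) of the periodic control tests recommended above, the following script runs two checks over constructed log lines: one for the AC-20(4) prohibition on placing organizational data on external network-accessible storage (discussed earlier), and one for an IP allowlist of the "block non-essential IPs" kind. The log formats, the prohibited storage domains, and the allowed CIDR ranges are all assumptions made for the example.

```python
"""Two simple, repeatable cloud control tests (added example, not page code).

check_ac20_4       - NIST SP 800-53 AC-20(4): data sent to prohibited external
                     storage services, judged from outbound proxy logs.
check_ip_allowlist - successful cloud console sign-ins from outside the
                     organization's allowed egress ranges.
All domains, CIDRs and log lines below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Organization-defined prohibited external storage services (assumed list).
PROHIBITED_STORAGE_SUFFIXES = ("dropbox.com", "drive.google.com", "mega.nz")

# Assumed corporate egress ranges permitted to reach the cloud console.
ALLOWED_CIDRS = [ipaddress.ip_network(c)
                 for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed proxy log: timestamp user destination_host bytes_out
PROXY_LOG = """\
2022-02-03T09:12:01Z alice api.example-crm.com 1843
2022-02-03T09:14:37Z bob www.dropbox.com 5242880
2022-02-03T09:15:02Z bob content.dropbox.com 10485760
2022-02-03T09:20:45Z carol drive.google.com 2048
2022-02-03T09:31:10Z alice mega.nz 734003200
"""

# Constructed cloud console sign-in log: timestamp user source_ip result
# (198.51.100.200 lies outside the /25, so it is not allowlisted)
SIGNIN_LOG = """\
2022-02-03T08:00:00Z alice 203.0.113.42 success
2022-02-03T08:05:12Z bob 198.51.100.200 success
2022-02-03T08:07:30Z dave 192.0.2.77 success
2022-02-03T08:09:02Z erin 203.0.113.9 failure
"""


def is_prohibited_storage(host):
    """True if host is, or is a subdomain of, a prohibited storage service."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s)
               for s in PROHIBITED_STORAGE_SUFFIXES)


def check_ac20_4(log_text, byte_threshold=1_000_000):
    """Return {user: total_bytes} for users who sent more than byte_threshold
    bytes to prohibited storage; an empty dict means the control test passed.
    Totals are summed per user across all matching hosts."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, bytes_out = line.split()
        if is_prohibited_storage(host):
            totals[user] += int(bytes_out)
    return {u: b for u, b in totals.items() if b > byte_threshold}


def check_ip_allowlist(log_text, allowed=ALLOWED_CIDRS):
    """Return successful sign-ins from outside the allowlist as (user, ip)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, ip, result = line.split()
        addr = ipaddress.ip_address(ip)
        if result == "success" and not any(addr in net for net in allowed):
            findings.append((user, ip))
    return findings


if __name__ == "__main__":
    print("AC-20(4) findings:", check_ac20_4(PROXY_LOG))
    print("IP allowlist findings:", check_ip_allowlist(SIGNIN_LOG))
```

Carol's 2 KB to drive.google.com falls under the byte threshold and is deliberately not reported, which is the kind of tuning decision a control owner records alongside the test.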

References

  1. 1.0 1.1 Hillson, D. (25 September 2003). "Using risk management for strategic advantage". Project Management Institute. https://www.pmi.org/learning/library/risk-management-strategic-advantage-tactics-7727. Retrieved 21 August 2021. 
  2. Amato, N. (12 July 2016). "5 benefits of an integrated risk management programme". Financial Management. https://www.fm-magazine.com/news/2016/jul/integrated-risk-management-201614781.html. Retrieved 21 August 2021. 
  3. "CIS Controls". Center for Internet Security. https://www.cisecurity.org/controls/. Retrieved 21 August 2021. 
  4. "CIS Controls Cloud Companion Guide". Center for Internet Security. https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/. Retrieved 21 August 2021. 
  5. "Cloud Controls Matrix (CCM)". Cloud Security Alliance. https://cloudsecurityalliance.org/research/cloud-controls-matrix/. Retrieved 21 August 2021. 
  6. Canadian Centre for Cyber Security (March 2019). "Cloud Security Risk Management (ITSM.50.062)". Government of Canada. https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062. Retrieved 21 August 2021. 
  7. Youssef, A.E. (2019). "A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations". International Journal of Advanced Computer Science and Applications 10 (12): 186-194. doi:10.14569/IJACSA.2019.0101226. 
  8. Maurer, T.; Hinck, G. (31 August 2020). "Cloud Security: A Primer for Policymakers". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597. Retrieved 21 August 2021. 
  9. "ISO/IEC 27017:2015(en) Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services". International Organization for Standardization. July 2015. https://www.iso.org/obp/ui/#iso:std:iso-iec:27017:ed-1:v1:en. Retrieved 21 August 2021. 
  10. "Cybersecurity Framework - New to Framework". National Institute of Standards and Technology. 23 September 2020. https://www.nist.gov/cyberframework/new-framework. Retrieved 21 August 2021. 
  11. "What the NIST Framework Misses About Cloud Security". InfoSecurity. 28 December 2020. https://www.infosecurity-magazine.com/opinions/nist-framework-misses-cloud/. Retrieved 21 August 2021. 
  12. "NIST Risk Management Framework - About the Risk Management Framework (RMF)". National Institute of Standards and Technology. 21 August 2021. https://csrc.nist.gov/projects/risk-management/about-rmf. Retrieved 21 August 2021. 
  13. "security control". Computer Security Resource Center. National Institute of Standards and Technology. 2019. https://csrc.nist.gov/glossary/term/security_control. Retrieved 21 August 2021. 
  14. "SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations". National Institute of Standards and Technology. 10 December 2020. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final. Retrieved 21 August 2021. 
  15. 15.0 15.1 15.2 15.3 15.4 15.5 15.6 15.7 Bhat, V.; Kapur, S.; Hodgkinson, S. et al. (2020). "FFIEC statement on risk management for cloud computing services" (PDF). Deloitte Development, LLC. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf. Retrieved 21 August 2021. 
  16. Kantor, B. (30 January 2018). "The RACI matrix: Your blueprint for project success". CIO. https://www.cio.com/article/2395825/project-management-how-to-design-a-successful-raci-project-plan.html. Retrieved 21 August 2021. 
  17. Herold, R. (28 March 2020). "Why You Should Use a Right to Audit Clause". Privacy Security Brainiacs. https://privacysecuritybrainiacs.com/privacy-professor-blog/why-you-should-use-a-right-to-audit-clause/. Retrieved 21 August 2021. 
  18. Huston, T. (2015). "What is Microservices". SmartBear. https://smartbear.com/solutions/microservices/. Retrieved 21 August 2021. 
  19. Lindros, K.; Tittel, E. (18 July 2017). "How to create an effective business continuity plan". CIO. https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html. Retrieved 21 August 2021. 
  20. "A Helpful Guide to Cloud Computing in a Laboratory". InterFocus Blog. InterFocus Ltd. 5 October 2020. https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/. Retrieved 21 August 2021.