Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

The Top Cloud Computing Risk Treatment Options

Published 12/17/2022

The Top Cloud Computing Risk Treatment Options
Written by Megan Theimer, Content Program Specialist, CSA.


Cloud threats pose great harm to organizations’ business objectives. Storage, compute, and even network services have been subjected to nefarious attacks. Since cloud compliance and security is a shared responsibility, every organization should collaborate with their cloud service providers to implement an effective governance model to ensure proper scope.

An important part of a risk governance model is the process and criteria for selecting risk treatment options. There are four main risk treatment methods: risk mitigation, risk avoidance, risk transfer, and risk acceptance. This blog, derived from CSA’s recently released Top Threats Cloud Infrastructure Security course, defines these four methods. You can dive deeper into cloud computing risks and how to address them by signing up for the course here.

Risk Mitigation

Risk mitigation means taking countermeasures to reduce the likelihood and/or the consequence of the risk. Organizations are encouraged to use the controls in CSA’s Cloud Controls Matrix (CCM) to mitigate their cloud risks. The CCM, in combination with CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing, is a comprehensive cloud native controls catalog that can be used to select the appropriate set of mitigation recommendations.

There are three types of controls to consider. The understanding of these types enables organizations to design and implement a cloud security architecture that selects the most effective control type. They are:

  • Technical or logical: Controls implemented and executed by the system
  • Administrative: Policies and procedures to guide human behavior
  • Physical: Systems or people that limit or monitor access and ensure availability of the system

There are also three control functions:

  • Preventive: To stop a threat from coming in contact with the system or asset
  • Detective: To identify an incident in progress or uncover one that has already achieved its objective
  • Corrective: To restore the system or process back to the state prior to the incident

The knowledge of control functions enables organizations to design and implement a cloud security architecture that layers security functions to prevent, detect, and recover from security incidents rapidly and in a cost effective manner.

Risk Avoidance

Risk avoidance is the elimination of threats, activities, and vulnerabilities that can cause risk. The option to eliminate the activity should be considered when none of the other treatment options are viable.

An example of risk avoidance is when an organization decides to cease the sale of certain products due to new regulations and compliance mandates. Security should encourage innovation and enable businesses to take on new opportunities with a clear understanding of the residual risks.

Risk Transfer

Risk transfer is a strategy of dealing with risks by transferring the risk to another person or entity, such as an insurance agency. Cloud customers can transfer risk responsibility to cloud service providers (CSPs) by executing effective contracts and service level agreements (SLAs).

The shared responsibility model of the cloud will result in the transfer of some risks to the CSP. However, ultimately, the cloud customer is still accountable for all risk. Therefore, risk transfer techniques need careful consideration and evaluation according to the risk acceptance criteria before being accepted.

Risk Acceptance

Risk acceptance processes define the criteria organizations use to make the decision to retain a risk. They are often triggered when the controls to mitigate the remaining risk would be greater than the potential damage of the risk itself.

Any mature enterprise risk program will require the accumulation and quantification of all accepted risks. This is an important number to manage and understand in order to estimate the total exposure the organization may face based on the nature of an enterprise-wide loss.

Learn More About Cloud Risks

CSA’s Top Threats course is based on our top threats to cloud computing research initiatives and related artifacts. After completion, you will be able to do the following:

  • Understand the background and context of cloud threats
  • Explain cloud security and compliance business drivers and objectives
  • Identify and describe the top threats to cloud computing
  • Describe threat modeling and its objectives
  • Describe cloud vulnerabilities and the evolution from on-premises to the cloud
  • Describe cloud risk, mitigation, and lessons learned

You will also receive a certificate for 1 course hour that may be submitted for possible CPE credits. Learn more and register for the course here.

Share this content on your favorite social network today!