Cloud Risk Management
Blog Article Published: 07/02/2020
By Ashwin Chaudhary with Accedere
Cloud Risk Management is an important aspect in today’s world where majority of the organizations have adopted the cloud in some form or the other. Cloud risks continue to remain high for a CISO or a CIO and is gaining more importance in today’s world where more organizations are embracing work from home policy. In the wake of Data Security and Privacy, misconfigured cloud servers remain a high risk for data breach. Several reports point that many of the data breaches today are due to cloud risks.
Cloud risks can also be termed as vendor or third-party risks. From a 2019 report by IAPP and EY, it was understood that less than 50% organizations had some kind or formal audit process covering data privacy and majority of these who did have some kind of assurance process relied on the ISO 27001 or ISMS which is more of information security and hardly covers privacy. There were very few organizations that used external audits to manage assurance for privacy risks. Majority of organizations still use some kind of self-assessments or their legal teams to manage privacy risks.
In the wake of the rapid cloud adoption and news laws such as GDPR, CCPA etc. it is more important to manage the cloud data security and privacy risks. Adapting a Risk Management Framework and a life cycle approach is gaining more importance again along with basic security concepts such as Security by Design and Privacy by Design. Many small and medium organizations still do not follow the spirit of the Risk Life Cycle Management, nor have a dedicated resource for it. Effective risk monitoring is more or less absent in these organizations leading to increased risks to cloud security, data security and privacy.
It is recommended that organizations have an effective Risk Management Life Cycle that measures and monitors the critical and high risks on real-time basis. Listing down what exactly needs to be measured and the acceptable variance is important too to provide an assurance that risks are indeed being mitigated. Periodic external audits to can help. Some tools than can be used are:
- NIST Risk Management Framework
- CSA’s CCM Framework
- SOC reports covering cloud CCM controls
- ISO 27017/18 and ISO 27701 Frameworks