The Top Cloud Computing Risk Treatment Options
Cloud threats can do serious damage to an organization's business objectives: storage, compute, and even network services have all been targeted by attackers. Because cloud security and compliance are a shared responsibility, every organization should work with its cloud service providers to establish a governance model that clearly scopes which risks each party is responsible for.
An important part of a risk governance model is the process and criteria for selecting risk treatment options. There are four main risk treatment methods: risk mitigation, risk avoidance, risk transfer, and risk acceptance. This blog, derived from CSA’s recently released Top Threats Micro-Training course, defines these four methods. You can dive deeper into cloud computing risks and how to address them by signing up for the micro-training course here.
Risk mitigation means applying countermeasures that reduce the likelihood and/or the consequence of a risk. Organizations are encouraged to use the controls in CSA's Cloud Controls Matrix (CCM) to mitigate their cloud risks. The CCM, together with CSA's Security Guidance for Critical Areas of Focus in Cloud Computing, is a comprehensive cloud-native controls catalog from which an appropriate set of mitigations can be selected.
There are three types of controls to consider. Understanding them lets an organization design a cloud security architecture that picks the most effective control type for each risk. They are:
- Technical or logical: Controls implemented and executed by the system
- Administrative: Policies and procedures to guide human behavior
- Physical: Systems or people that limit or monitor access and ensure availability of the system
There are also three control functions:
- Preventive: To stop a threat from coming in contact with the system or asset
- Detective: To identify an incident in progress or uncover one that has already achieved its objective
- Corrective: To restore the system or process to the state it was in before the incident
Understanding control functions lets an organization design a cloud security architecture that layers these functions so it can prevent, detect, and recover from security incidents rapidly and cost-effectively.
Risk avoidance is the elimination of the threats, activities, and vulnerabilities that give rise to a risk. Eliminating the activity altogether should be considered when none of the other treatment options is viable.
An example of risk avoidance is when an organization decides to cease the sale of certain products due to new regulations and compliance mandates. Security should encourage innovation and enable businesses to take on new opportunities with a clear understanding of the residual risks.
Risk transfer is a strategy of dealing with a risk by shifting it to another party, such as an insurer. Cloud customers can transfer responsibility for some risks to cloud service providers (CSPs) by executing effective contracts and service level agreements (SLAs).
The cloud shared responsibility model transfers some risks to the CSP. However, responsibility can be transferred while accountability cannot: the cloud customer remains accountable for all of its risk. Any proposed risk transfer therefore needs to be evaluated against the organization's risk acceptance criteria before it is relied upon, because the portion the CSP or insurer does not cover is still retained by the customer.
Risk acceptance processes define the criteria an organization uses to decide to retain a risk. Acceptance is typically chosen when the cost of the controls needed to mitigate the remaining risk would exceed the expected loss from the risk itself.
Any mature enterprise risk program will require all accepted risks to be recorded and quantified. The sum of accepted risk is an important figure to manage and understand, because it estimates the total exposure the organization could face if those risks were realized across the enterprise.
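To make the selection criteria and the accumulation of accepted risk concrete, here is a small treatment-selection routine written for this article; it is an added example, not code from CSA or the micro-training course. It assumes a simple annualized model (expected loss = likelihood per year × impact per event), a per-risk acceptance threshold, an enterprise-wide appetite figure, and the constructed register below; all of the numbers are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float            # expected events per year (assumed annualized model)
    impact: float                # loss per event, in currency units
    control_cost: float          # annual cost of the candidate mitigating controls
    control_effect: float        # fraction of expected loss those controls remove, 0..1
    transfer_coverage: float = 0.0  # fraction a contract/SLA or insurer carries, 0 if none

    @property
    def expected_loss(self) -> float:
        return self.likelihood * self.impact


def select_treatment(risk: Risk, per_risk_tolerance: float) -> tuple[str, float]:
    """Apply the selection criteria from the article and return (treatment, loss retained).

    1. mitigate when the loss the controls remove exceeds what they cost;
    2. otherwise transfer when a contract or insurer carries part of the loss AND the
       uncovered remainder is within the acceptance criteria (accountability never moves);
    3. otherwise accept when the whole expected loss is within the acceptance criteria;
    4. otherwise avoid: discontinue the activity, the option of last resort.
    """
    loss = risk.expected_loss
    removed = loss * risk.control_effect
    if removed > risk.control_cost:
        return "mitigate", loss - removed          # residual risk is retained
    uncovered = loss * (1.0 - risk.transfer_coverage)
    if risk.transfer_coverage > 0 and uncovered <= per_risk_tolerance:
        return "transfer", uncovered               # the customer still owns the uncovered part
    if loss <= per_risk_tolerance:
        return "accept", loss
    return "avoid", 0.0


def treatment_plan(register, per_risk_tolerance: float, appetite: float) -> dict:
    """Decide every risk, then total the retained exposure against the enterprise appetite."""
    decisions = {r.name: select_treatment(r, per_risk_tolerance) for r in register}
    retained = sum(kept for _, kept in decisions.values())
    return {
        "decisions": decisions,
        "retained_exposure": retained,
        "within_appetite": retained <= appetite,
    }


# Constructed sample register; figures are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    Risk("Public object-storage bucket misconfiguration", 0.5, 400_000, 30_000, 0.9),
    Risk("Cryptomining on compute via a leaked access key", 2.0, 5_000, 25_000, 0.8),
    Risk("Regional CSP network outage", 0.25, 150_000, 80_000, 0.95, transfer_coverage=0.6),
    Risk("Legacy product storing regulated data in a non-compliant region", 1.0, 900_000, 2_000_000, 0.7),
]

if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_REGISTER, per_risk_tolerance=50_000, appetite=100_000)
    for name, (treatment, kept) in plan["decisions"].items():
        print(f"{treatment:9s} retained={kept:>10,.0f}  {name}")
    print(f"total retained exposure: {plan['retained_exposure']:,.0f} "
          f"(within appetite: {plan['within_appetite']})")
```

Running it shows the bucket risk mitigated (residual retained), the cryptomining risk accepted because the controls cost more than the loss they would remove, the outage risk transferred through the SLA with the uncovered 40% still counted as retained exposure, and the non-compliant product avoided because no other option meets the acceptance criteria. The final total is the number the last paragraph says a mature program must track.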
Learn More About Cloud Risks
CSA’s Top Threats course is based on our top threats to cloud computing research initiatives and related artifacts. After completion, you will be able to do the following:
- Understand the background and context of cloud threats
- Explain cloud security and compliance business drivers and objectives
- Identify and describe the top threats to cloud computing
- Describe threat modeling and its objectives
- Describe cloud vulnerabilities and the evolution from on-premises to the cloud
- Describe cloud risk, mitigation, and lessons learned
You will also receive a certificate for 1 course hour that may be submitted for possible CPE credits. Learn more and register for the course here.