Cloud Solution Governance and Oversight Consulting

Cybersecurity Risk Categories

The following six major risk categories should be included in any cloud risk governance and oversight assessment:

Data Security
Data security risk can be associated with loss, leakage, or unavailability of data. This can cause business interruption, loss of revenue, loss of reputation, or failure to meet regulatory compliance requirements. Specific data risks that require evaluation include:

• Increased complexity of access controls and security groups due to involvement of CSP personnel in the actual provisioning processes

• Lack of visibility into controls over initiation, authorization, recording, processing, or reporting of transactions

• Unauthorized data access by a service provider and/or less control over who sees what data

• Data leakage or access risks due to multitenancy/shared infrastructure between different organizations 

• Lack of flexibility over data protection mechanisms, such as encryption and implementation of specific controls by data type

• Lack of visibility into the controls over configuration, analysis, and retention of security event logs and audit trails

• Improper reliance on CSP security operation processes for the identification, research, and if required incident response suspicious activities  

Regulatory
Regulatory risk is associated with noncompliance with various national/geographic regulations, industry, or service specific legal and regulatory requirements.  According to the Cloud Security Alliance survey The Cloud Balancing Act for IT: Between Promise and Peril, the primary obstacle to moving systems of record to the cloud noted by 67.8 percent of companies was the ability to enforce established security policies when operations are migrated to a cloud service provider.  

Technology
Technology risk can be associated with constantly evolving technologies and lack of standardization in how they integrate or interoperate. Technology risks could lead to costly re-architecture efforts for adoption or integration with new technology. Specific technology risks which may behave differently in a cloud solution include: 

• Increased velocity of technology change and deployment might require the organization to upgrade or rearchitect its computing resources and retrain its technology support staff to maintain connectivity and interaction with the CSP environment

• Increased potential for human error due to the number of configurable points and frequency of deployments.

• Constantly evolving technology features might require the organization to rearchitect its cloud applications much more frequently compared to mature technologies. 

• Failure to leverage advanced security capabilities offered by the CSP for free or at a nominal cost 

• Limitation on what and how much an organization can customize (infrastructure, platform, or applications), depending on which service model the organization is using 

• Limitations on compatibility with other cloud providers 

• Limitation on technology and related tool choices allowed within the environment 

​
Each public cloud solution vendor typically offers its own administration console. With the rapid rise in the number of Software as a Service (SaaS) solutions in use at organizations, this is increasingly becoming a daunting task due to the lack of a single/consolidated management dashboard. 

Operational governance
The operational governance principle consists of two cost-cutting measures - identifying and terminating unused “zombie” assets, and scheduling stop/start times for non-production instances used in development, testing, staging, and QA.  Specific operational risks the organization should actively manage include:

• Suboptimal service reliability and uptime 

• Lack of a customized service level for different IT services, which might require the organization to choose a proximate acceptable service level, including those related to application availability and disaster recovery 

• Less control over quality of service 

• Reduced control on critical application availability and disaster recovery

Financial
The financial management governance principles for cloud-based solutions consist of budget policies and cost trend policies. These two policies are closely related to the risk management procedures needed to determine whether budgets are going to be met or if they need adjusting. Specific financial risks requiring evaluation include:

• Accurately budgeting the time/effort and initial costs to build/transition to a cloud solution

• Procedures for the secure disposal of hardware and software being obsoleted by the transition

• Timely, ongoing management of costs resulting from cloud resource usage due to poor planning and requirements from the business. 

​
The company needs to explicitly assign the responsibility for budgeting, tracking, and managing cloud costs.

Vendor
Vendor risk comes from leverage or association with vendors. Unforeseen vendor circumstances such as bankruptcy, lawsuits, SEC probe, or any other act of defamation for the vendor could significantly damage an organization’s reputation and goodwill. This risk has historically been applied to third-party service providers.  With the use of CSPs, procedures need to ensure that adequate controls are in place to comply with various laws, rules, and regulations.