Book:Choosing and Implementing a Cloud-based Service for Your Laboratory/Organizational cloud computing risk management/Five risk categories to consider


3. Organizational cloud computing risk management

Figure 4. A diagram of an organization-wide risk management approach, as published in NIST SP 800-37 Rev. 2. NIST says this diagram "addresses security and privacy risk at the organization level, the mission/business process level, and the information system level. Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization."[1]

After discussing cloud standards, regulations, and security, it makes sense to next address the topic of cloud computing risk management. Risks beget risk management, which in turn begets security. Whether the risks are near the home, on an airplane, or with an online bank account, risk management practices limit the risks, usually through some mechanism of "security." "The five-year crime numbers in my neighborhood are going up," one might assess. "I shall manage the risk with a home security system," is the risk management action performed. In the same way, engineers add multiple layers of redundancy to an airplane's components to mitigate the assessed risk of instrument failure, and banks require access controls like strong passwords on online accounts to protect customer data and limit their liability. As such, it shouldn't be surprising to talk about employing security and process control measures as part of managing risks in the cloud.

We learned in the last chapter that the National Institute of Standards and Technology (NIST) represents a strong example of a standards and recommendations body in the U.S. In their 2018 SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST says the following about risk management for information systems[1]:

Managing information system-related security and privacy risk is a complex undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions. Risk management is a holistic activity that affects every aspect of the organization, including the mission and business planning activities, the enterprise architecture, the SDLC processes, and the systems engineering activities that are integral to those system life cycle processes.

As Figure 4—from the same NIST guide—notes, there are three main levels at which an organization must approach risk management activities for its information systems: the organization level, the mission/business process level, and the information system level. The arrow on the left highlights how critical proper communication across all three levels is if the organization is to make the most of its risk management activities. Just as IT forms the base of any software-driven business effort, critical stakeholders in IT form the base of communication about IT risk and security requirements. Without those stakeholders' knowledge and feedback, business processes and company policy would be ill-informed. The dependency runs the other way as well: starting from the top of the pyramid and heading downward, without strong leadership, well-crafted business goals, and management buy-in on quality, budget, and security, business processes would be a mess and IT-related efforts would be sub-par and at risk.

The implication of Figure 4 and NIST's guide is that effective planning and communication are critical to ensuring information systems are implemented securely across their entire life cycle. Many organizations approach this task by developing, implementing, and enforcing a cybersecurity plan, in which identifying cybersecurity requirements and objectives—i.e., risk assessment and management—is a vital component. (See the Comprehensive Guide to Developing and Implementing a Cybersecurity Plan for much more on this topic.)


3.1 Five risk categories to consider

In January 2021, Business Tech Weekly highlighted the biggest security challenges facing organizations adopting cloud computing. Among them were[2]:

  • inadequate access control
  • insufficient contract regulation
  • unsecure software interfaces
  • low data visibility
  • delays in deleting data
  • inability to maintain regulatory compliance

These and other related challenges are a product of the various risks of doing business in the cloud. Those risks—in the scope of business, essentially aspects of business and the environment it operates in that endanger objectives—in turn must be managed to better ensure an organization meets its goals. This requires risk management.

Risk management is the process of identifying, evaluating, and prioritizing risks, and then developing an economical and efficient strategy for monitoring, controlling, and mitigating those risks. Whether risk management is part of an overall cybersecurity plan (as it should be) or an independent process (perhaps more common in really small organizations), it always makes sense to have strategies for managing threats and responding to opportunities, not only for the organization as a whole but also specifically for IT and software implementations.

But what are the major risks associated with cloud computing initiatives that drive the need for risk management? And what are the potential consequences if those risks are left unchecked? Business consultancy KPMG released a 2018 report about managing risk in the cloud. In that report, author Sai Gadia identified five critical categories of risk to organizations venturing into the cloud: data security and regulatory risk, technology risk, operational risk, vendor risk, and financial risk.[3]

These five categories neatly sum up the areas of risk to which a cloud risk assessment should be applied, but let's look at each of them a bit more closely.

Data security and regulatory risk: This category examines the concerns of data integrity and availability.

  • The potential risks: data is leaked, lost, or becomes unavailable.
  • The potential consequences: reputation loss, regulatory non-compliance, business interruptions, and loss of revenue.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining enforcement of existing corporate security policies, maintaining regulatory compliance, managing user access effectively, managing networking across multitenancy or shared infrastructures, and gaining greater flexibility with encryption and security controls offered by the cloud service provider (CSP).
  • Getting around these challenges: Organizations should "have mature data protection and regulatory compliance programs staffed with talented individuals who have sufficient authority and clear responsibilities. Such organizations also leverage leading third-party or homegrown automated tools and continuously improve their capabilities."[3]

Technology risk: This category examines the concerns of rapid shifts in underlying technologies.

  • The potential risks: cloud-specific technologies rapidly evolve, and standardization of those technologies doesn't keep up.
  • The potential consequences: added costs associated with rearchitecting cloud systems, shifting data to new platforms, developing new integrations, and requiring additional training.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining room in the budget for rearchitecting cloud applications and systems periodically, maintaining the personnel to stay engaged and focused on changes happening in the industry, and identifying tools (e.g., dashboards) that can extend the life cycle of your cloud implementation.
  • Getting around these challenges: Organizations should "recognize that cloud will require the role and responsibilities of in-house IT professionals to evolve and are making the necessary investment to train individuals and encourage the adoption of innovative technology. In the process, they are also increasing alignment with the vision and business of the organization."[3] IT professionals should also be considering aspects of cloud such as compatibility with other CSPs as new services are added.

Operational risk: This category examines the concerns of how IT services and tasks get effectively performed.

  • The potential risks: suboptimal service reliability; suboptimal service features; insufficient control over the underlying service; and theft, fires, and other natural disasters.
  • The potential consequences: costly downtime, slower workflows, slower disaster recoveries, and permanent losses of vital assets.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining room in the budget for leading technologies, maintaining room in the budget for a service that meets most if not all workflow and regulatory requirements, having the budget and knowledge to implement redundant systems (e.g., via hybrid cloud), and being able to rapidly bounce back from asset losses.
  • Getting around these challenges: Organizations should "adopt the agile development methodology as well as the DevOps model for cloud deployments. Such organizations are now using the learning from pilot projects to shape the enterprise development methodologies of the future."[3] Additionally, they should investigate how to best cost-optimize redundant cloud storage based on access patterns, geography, etc.[4] Additionally, if the organization is responsible for localized (i.e., private cloud) assets housing critical operational data and equipment, the organization should have sufficient plans in place on how to mitigate risks from physical disasters and other threats to that data and equipment.

Vendor risk: This category examines the concerns of doing business with a CSP.

  • The potential risks: vendor files for bankruptcy, is named in a lawsuit, is scrutinized by a regulatory body, or otherwise has an underlying lack of sustainability or compliance.
  • The potential consequences: loss of data, loss of service, reduced service, and lack of compliance (which has its own costs to an organization).
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: knowing the deep inner workings of the CSP, knowing the financial stability of the CSP, knowing the CSP's true reputation among a wide number of other customers, and putting faith in the CSP's trust center materials.
  • Getting around these challenges: Organizations should "take a long-term strategic view to manage their relationships with cloud service providers. Such companies are actively engaged and are shaping the road map of CSPs' service offerings to help accelerate their move to cloud while being offered better tools by the CSP to efficiently manage risks."[3] This long-term strategic view should include significant due diligence about the vendor's underlying operations, stability, and fall-back plans should they suffer a major business loss.

Financial risk: This category examines the concerns of the organization’s long-term revenues and ability to budget for cloud services.

  • The potential risks: underestimating initial implementation costs, long-term service costs, long-term capital expenditure carry-over (if any), and long-term business revenues.
  • The potential consequences: cost overruns, layoffs, budget cut-backs, and detrimental scaling back of necessary services.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: finding and retaining experienced and knowledgeable staff capable of budgeting future (and changing) cloud costs, as well as managing the financial activities of the organization.
  • Getting around these challenges: Organizations should “assign individuals with the responsibility for budgeting, tracking, and managing cloud costs. Such organizations are also making use of advanced third-party analytical tools available to manage cloud costs.”[3] Estimating those costs can be challenging, particularly in industries where high-throughput data is being created and managed. As such, negotiating a special agreement with the CSP may be of value.[5] Also, ensure the organization is considering costs associated with contract modifications and cancellation fees.

When identifying risks associated with doing business in the cloud, most likely you'll be able to fit them into one of these five categories. As indicated above, potential consequences come with potential risks, and you'll want to identify those consequences. Of course, it's not a simple matter of addressing those risks and consequences; they come with their own challenges. Identifying risks and consequences, and the challenges surrounding and limiting them, are all part of risk management. Finally, after identifying risks, consider the usefulness of an external review of those risks to ensure your organization hasn't missed anything significant.[6]

But how does an organization successfully go through the risk management process? That's best accomplished with the aid of one or more risk management and cybersecurity frameworks.

References

  1. National Institute of Standards and Technology (December 2018). "SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy". https://csrc.nist.gov/pubs/sp/800/37/r2/final. Retrieved 28 July 2023.
  2. Antonenko, D. (4 January 2021). "Cloud computing security issues and challenges". Business Tech Weekly. https://www.businesstechweekly.com/cybersecurity/data-security/cloud-computing-security-issues-and-challenges/. Retrieved 28 July 2023. 
  3. Gadia, S. (March 2018). "How to manage five key cloud computing risks" (PDF). KPMG LLP. https://assets.kpmg.com/content/dam/kpmg/ca/pdf/2018/03/cloud-computing-risks-canada.pdf. Retrieved 28 July 2023.
  4. "Cost-optimized redundant data storage in the cloud". Service Oriented Computing and Applications 11: 411–26. 2017. doi:10.1007/s11761-017-0218-9. 
  5. Navale, V.; Bourne, P.E. (2018). "Cloud computing applications for biomedical science: A perspective". PLoS Computational Biology 14 (6): e1006144. doi:10.1371/journal.pcbi.1006144. PMC PMC6002019. PMID 29902176. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6002019. 
  6. Bhat, V.; Kapur, S.; Hodgkinson, S. et al. (2020). "FFIEC statement on risk management for cloud computing services" (PDF). Deloitte Development, LLC. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf. Retrieved 28 July 2023.