Book:Choosing and Implementing a Cloud-based Service for Your Laboratory/Organizational cloud computing risk management/Risk management and cybersecurity frameworks

From LIMSWiki

3.2 Risk management and cybersecurity frameworks

Speaking to the broad business level, well-executed integrated risk management programs help limit risks within an organization, in turn helping the organization realize tangible benefits.[1] But what are the benefits that arise from an organization that employs integrated risk management efforts? First, by discussing the positive and negative aspects of risks, you potentially discover unintended consequences or new opportunities you may not have at first considered. You may also identify how those risks may extend to other parts of the organization you didn't expect. For example, could a security gap on a remote field sensor lead to a potential attacker finding a way into operational data stores? If you discuss these and other potential situations, the organization also has the added benefit of not being caught off guard since the risk has already been acknowledged. Finally, with quality risk management planning, resources are deployed more optimally and performance becomes more consistent.[1][2]

An integrated risk management approach will naturally extend to an organization’s information technology and how it's used. From sticky-noted passwords on monitors to unauthorized USB hard drives, local IT systems and their data can be put at risk. Now imagine extending that risk to public cloud services. Remember, with added complexity comes added risk, and cloud computing is no exception. This requires a concerted effort from all levels of the organization (again, see Figure 4) to address the risks of doing business in the cloud. This effort can be expedited through the use of risk management and cybersecurity frameworks that guide the organization towards better security and data integrity.

Cloud computing has existed for well over a decade now, and many experts have arisen from the rapidly changing field. Some of those experts have contributed their experience and knowledge to the development of risk management and cybersecurity frameworks over the years. The most successful have been widely disseminated (though several may not be free), meaning you don't have to reinvent the wheel when it comes to assessing and managing risk in your existing and upcoming IT systems. Table 8 shows some popular examples of risk management and cybersecurity frameworks that can be applied to provider and customer cloud security efforts.

Table 8. Examples of some common risk management and cybersecurity frameworks for cloud security. Each entry gives the framework name, followed in parentheses by its developer and the type of framework, and then the details.

  • CIS Controls with Cloud Companion Guide (Developer: Center for Internet Security (CIS); Type: cybersecurity for cloud): The CIS Controls are a "prioritized set of actions to protect your organization and data from cyber-attack vectors."[3] The CIS has released a Cloud Companion Guide to accompany their cybersecurity controls, meant to address how to use the CIS Controls in a cloud environment.[4]
  • Cloud Controls Matrix (CCM) (Developer: Cloud Security Alliance (CSA); Type: cybersecurity for cloud): "The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards."[5]
  • Cloud Security Risk Management (ITSM.50.062) (Developer: Canadian Centre for Cyber Security (CCCS); Type: cloud risk management): "To enable the adoption of cloud computing, the Government of Canada (GC) developed an integrated risk management approach to establish cloud-based services. ITSM.50.062 outlines this approach which can be applied to all cloud based services independently of the cloud service and deployment models."[6]
  • Cloud Security Risk Management Framework (CSRMF) (Developer: Ahmed E. Youssef; Type: cloud risk management): "In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting [cloud computing] identify, analyze, evaluate, and mitigate security risks in their cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives."[7]
  • Cloud Security Risk Vectors (Developer: Tim Maurer and Garrett Hinck; Type: cloud risk management): "The framework ... applies the well-known cybersecurity triad of confidentiality, integrity, and availability to these risk vectors and includes rough guesstimates of the probabilities that various incidents will occur, ranging from more common incidents to potential black swan events. These probabilities are not intended as predictors but rather as a starting point for a discussion of how different risks could be classified that will hopefully be tested and improved with feedback from other experts over time. The notional probabilities were based on the authors’ assessment of the frequency of past occurrences, with events that have not yet occurred being assigned lower probabilities."[8]
  • ISO/IEC 27017:2015 (Developer: International Organization for Standardization; Type: cybersecurity for cloud): ISO/IEC 27017:2015 "provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls, and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements."[9]
  • NIST Cybersecurity Framework (Developer: National Institute of Standards and Technology (NIST); Type: cybersecurity framework): This framework "consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."[10] Note, however, that the framework has a couple of weaknesses with regard to cloud computing, including not addressing long-term retention of log files, security gaps with shared responsibility models, virtual tenant delegation, and too-broad role-based privileges.[11] If this framework is adopted, keep these and other deficiencies in mind when attempting to close any security gaps.
  • NIST Risk Management Framework (RMF) (Developer: National Institute of Standards and Technology (NIST); Type: cloud and cybersecurity risk management): "Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector."[12] The risk management framework is closely tied to SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations.

Whether part of an organization’s broad cybersecurity plan development or as an independent effort, the organization should consider turning to the security controls, program development, and risk management aspects of one or more risk management and cybersecurity frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. These frameworks will not only couch risks in terms of threats to confidentiality, integrity, and availability, but many will also contain security controls recommended for implementation to combat those threats.

NIST defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."[13] Let's use NIST's SP 800-53 Rev. 5 as an example. One of its security controls is "AC-20(4) Network Accessible Storage Devices - Prohibited Use," which states that users shall not use an organization-defined network accessible storage device in external systems, including "online storage devices in public, hybrid, or community cloud-based systems."[14] This control represents a potential safeguard an organization can implement, most likely as part of an enforced organizational security policy. By extension, those stakeholders responsible for configuring security in the cloud may also implement controls in the infrastructure to further discourage such access to those storage devices.
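As an added illustration (not from this book, NIST, or any of the frameworks above), the following check turns the AC-20(4) prohibition into detection logic a cloud or network team could run over proxy logs: it flags any request to an organization-defined list of external storage services. The hostnames, the log format, and the log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Organization-defined external storage services covered by the AC-20(4)
# prohibition. These hostnames are constructed placeholders for this example;
# a real deployment would load the list from the organization's policy.
PROHIBITED_STORAGE_HOSTS = {
    "storage.example-public-cloud.test",
    "drive.example-filehost.test",
}

# Constructed proxy log format (an assumption, not any real product's format):
# "<timestamp> <user> <METHOD> <host> <path> <bytes_out>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<bytes_out>\d+)$"
)

@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    method: str
    host: str
    bytes_out: int

def host_matches(host: str) -> bool:
    """True if host is a prohibited service or a subdomain of one."""
    host = host.lower().rstrip(".")
    # The "." prefix matters: "evilstorage.example-public-cloud.test" must not
    # match "storage.example-public-cloud.test" by plain suffix comparison.
    return any(host == h or host.endswith("." + h) for h in PROHIBITED_STORAGE_HOSTS)

def find_violations(lines: Iterable[str]) -> List[Violation]:
    """Return every request to a prohibited storage host, in log order."""
    found: List[Violation] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # malformed line: skip it rather than abort the whole scan
        if host_matches(m["host"]):
            found.append(Violation(m["ts"], m["user"], m["method"],
                                   m["host"].lower(), int(m["bytes_out"])))
    return found

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-07-28T09:01:12Z alice GET intranet.example.test /wiki 0",
    "2023-07-28T09:02:40Z bob PUT storage.example-public-cloud.test /bucket/results.csv 52811",
    "2023-07-28T09:03:05Z carol GET api.drive.example-filehost.test /files 0",
    "2023-07-28T09:03:09Z dave GET evilstorage.example-public-cloud.test /x 0",
    "2023-07-28T09:04:00Z malformed line",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"AC-20(4) violation: {v.user} {v.method} {v.host} ({v.bytes_out} bytes out)")
```

The check reports bob's upload and carol's read of a subdomain of a listed service, while dave's sibling domain and the malformed line are correctly ignored.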

Note, however, that in contrast to using security controls, some frameworks exist to provide a more program-based or risk-based approach to plan development. Instead of using security controls that mandate an action as a base for building security, risk-based frameworks will typically first help the organization identify the potential threats to its goals and resources and define the strategy that will effectively monitor for and minimize the impact of those risks. Security controls can then be selected as part of that risk discovery process, but the overall framework serves as a guide to identifying and prioritizing the risks most likely to affect the organization. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

In 2020, Deloitte's Center for Regulatory Strategy released a document detailing the Federal Financial Institutions Examination Council's (FFIEC's) Joint Statement on Security in a Cloud Computing Environment. Part of that joint statement addressed how financial services institutions should approach risk management through the application of a risk-based framework. Five layered and hierarchical considerations were given for those institutions towards adopting a risk-based framework: governance, cloud security management, change management, resilience and recovery, and audit and controls assessment (from top to bottom). Those considerations are further discussed here[15]:

  • Governance: Similar to NIST SP 800-37 Rev. 2's risk management approach (Figure 4), knowledgeable stakeholders from all levels of the organization work together as a group to provide subject matter expertise towards developing an organizational plan for choosing, implementing, and securing cloud computing infrastructure and services.[15]
  • Cloud security management: The group's stakeholders complete due diligence research on identified CSPs and how they can prove their level of enacted compliance and security controls, particularly with regard to the needs of the organization. As the organization dives deeper into this process and begins talking about contracts, the stakeholder group may need to develop a responsibility matrix—a tool for clearly delineating responsibilities, roles, milestones, and accountability for a project[16]—to make clear who is responsible for what, particularly if any initial contract or shared responsibility model isn't clear or appears to neglect certain tasks and responsibilities. Additionally, during discussion of contracts and service-level agreements, the topic of quality assurance reports and "right to audit" systems should be discussed and finalized in writing.[15][17]
  • Change management: When implementing software solutions or standalone code in the cloud, those solutions and code snippets will need to be updated from time to time for security purposes. These sorts of changes may have an impact on other aspects of the overall cloud experience, including security. As such, change management practices that take into consideration the use of cloud-specific testing tools and security knowledge are encouraged. Also consider the use of microservices architecture—which encourages a modular, independently deployable approach to application services[18]—which, when implemented well, limits the attack surface exposed to potential attackers.[15]
  • Resilience and recovery: Business continuity planning (BCP) is a critical part of any overall risk management planning. A BCP document outlines instructional procedures the organization must follow should a major disruption in provided services occur. Those disruptions can be sourced to risks such as natural disasters, pandemics, fires, and sabotage. The BCP document should address continuity of service at all levels of the organization, including business processes, assets, human resource management, business partner effects, etc.[19] The addition of cloud services to business operations requires renewed examination of the BCP of the organization. Apply "stress test" scenarios to business operations under the scope of a CSP having services disrupted. Keep in mind how agile you expect the CSP to be in restoring service or recovering from a catastrophic event, including a pandemic that forces more staff to work remotely. How does this change your BCP, as well as any related disaster recovery planning documentation?[15]
  • Audit and controls assessment: If your organization operates in a highly regulated sector, vetting the CSP as a whole may not be enough. Determine if regular background checks are performed on critical staff supporting regulated data storage and transmission on the cloud service. Know the regulations and standards that affect your industry's data and operations, and ask the CSP for further evidence of how they comply and help you support compliance on their service. From there, taking into account all the information gathered prior, a risk management and/or cybersecurity framework with controls can be selected and adapted to address the specific requirements of cloud service adoption and use within your organization. Be sure to address required data management and security monitoring systems and their own security as part of the control selection process. And after security controls are selected, consider the usefulness of an external review of those controls to ensure you haven't missed anything important to your industry or operating environment.[15]

While these five considerations were originally described in the context of financial services providers, they can be readily applied to organizations in almost any sector. However, as Deloitte notes, these considerations are not a complete checklist for adopting a risk-based framework for cloud security. Organizations should also consider where "additional risk management measures such as ongoing assessments of concentration risk, data privacy and protection, data residency, increased adoption of new cloud services for regulated workloads," and more fit into overall risk management planning.[15] Your organization—as part of monitoring risk and quality control—will also likely want to adopt consistent periodic tests of the cloud computing security controls implemented into your organizational processes.[15] Other risk management activities include limiting the effects of employee negligence by providing thorough training and "blocking non-essential IPs from accessing the cloud," as well as having a detailed data loss plan and redundancies in place.[20]

References

  1. Hillson, D. (25 September 2003). "Using risk management for strategic advantage". Project Management Institute. https://www.pmi.org/learning/library/risk-management-strategic-advantage-tactics-7727. Retrieved 28 July 2023.
  2. Amato, N. (12 July 2016). "5 benefits of an integrated risk management programme". Financial Management. https://www.fm-magazine.com/news/2016/jul/integrated-risk-management-201614781.html. Retrieved 28 July 2023. 
  3. "CIS Controls". Center for Internet Security. https://www.cisecurity.org/controls. Retrieved 28 July 2023. 
  4. "CIS Controls Cloud Companion Guide". Center for Internet Security. March 2022. https://www.cisecurity.org/insights/white-papers/cis-controls-v8-cloud-companion-guide. Retrieved 28 July 2023. 
  5. "Cloud Controls Matrix (CCM)". Cloud Security Alliance. https://cloudsecurityalliance.org/research/cloud-controls-matrix/. Retrieved 28 July 2023. 
  6. Canadian Centre for Cyber Security (March 2019). "Cloud Security Risk Management (ITSM.50.062)". Government of Canada. https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062. Retrieved 28 July 2023. 
  7. Youssef, A.E. (2019). "A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations". International Journal of Advanced Computer Science and Applications 10 (12): 186-194. doi:10.14569/IJACSA.2019.0101226. 
  8. Maurer, T.; Hinck, G. (31 August 2020). "Cloud Security: A Primer for Policymakers". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597. Retrieved 28 July 2023. 
  9. "ISO/IEC 27017:2015(en) Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services". International Organization for Standardization. July 2015. https://www.iso.org/obp/ui/#iso:std:iso-iec:27017:ed-1:v1:en. Retrieved 28 July 2023. 
  10. "Cybersecurity Framework - Getting Started". National Institute of Standards and Technology. 21 April 2023. https://www.nist.gov/cyberframework/getting-started. Retrieved 28 July 2023. 
  11. "What the NIST Framework Misses About Cloud Security". InfoSecurity. 28 December 2020. https://www.infosecurity-magazine.com/opinions/nist-framework-misses-cloud/. Retrieved 28 July 2023. 
  12. "NIST Risk Management Framework - About the Risk Management Framework (RMF)". National Institute of Standards and Technology. 6 July 2023. https://csrc.nist.gov/projects/risk-management/about-rmf. Retrieved 28 July 2023. 
  13. "security control". Computer Security Resource Center. National Institute of Standards and Technology. 2019. https://csrc.nist.gov/glossary/term/security_control. Retrieved 28 July 2023. 
  14. "SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations". National Institute of Standards and Technology. 10 December 2020. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final. Retrieved 28 July 2023. 
  15. Bhat, V.; Kapur, S.; Hodgkinson, S. et al. (2020). "FFIEC statement on risk management for cloud computing services" (PDF). Deloitte Development, LLC. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf. Retrieved 28 July 2023.
  16. Kantor, B. (14 September 2022). "The RACI matrix: Your blueprint for project success". CIO. https://www.cio.com/article/287088/project-management-how-to-design-a-successful-raci-project-plan.html. Retrieved 28 July 2023. 
  17. Herold, R. (28 March 2020). "Why You Should Use a Right to Audit Clause". Privacy Security Brainiacs. https://privacysecuritybrainiacs.com/privacy-professor-blog/why-you-should-use-a-right-to-audit-clause/. Retrieved 28 July 2023. 
  18. "What are Microservices?". SmartBear. https://smartbear.com/learn/api-design/microservices/. Retrieved 28 July 2023. 
  19. Lindros, K.; Tittel, E. (18 July 2017). "How to create an effective business continuity plan". CIO. https://www.cio.com/article/288554/best-practices-how-to-create-an-effective-business-continuity-plan.html. Retrieved 28 July 2023. 
  20. White, R. (20 June 2023). "A Helpful Guide to Cloud Computing in a Laboratory". InterFocus Blog. InterFocus Ltd. https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/. Retrieved 28 July 2023.