LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Organizational cloud computing risk management

From LIMSWiki

3. Organizational cloud computing risk management

Figure 4. A diagram of an organization-wide risk management approach, as published in NIST SP 800-37 Rev. 2. NIST says this diagram "addresses security and privacy risk at the organization level, the mission/business process level, and the information system level. Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization."[1]

After discussing cloud standards, regulations, and security, it makes sense to next address the topic of cloud computing risk management. Risks beget risk management, which in turn begets security. Whether the risks are near the home, on an airplane, or with an online bank account, risk management practices limit the risks, usually through some mechanism of "security." "The five-year crime numbers in my neighborhood are going up," one might assess. "I shall manage the risk with a home security system," is the risk management action performed. In the same way, engineers add multiple layers of redundancy to an airplane's components to mitigate the assessed risk of instrument failure, and banks require access controls like strong passwords on online accounts to protect customer data and limit their liability. As such, it shouldn't be surprising to talk about employing security and process control measures as part of managing risks in the cloud.

We learned in the last chapter that the National Institute of Standards and Technology (NIST) represents a strong example of a standards and recommendations body in the U.S. In their 2018 SP 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST says the following about risk management for information systems[1]:

Managing information system-related security and privacy risk is a complex undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions. Risk management is a holistic activity that affects every aspect of the organization, including the mission and business planning activities, the enterprise architecture, the SDLC processes, and the systems engineering activities that are integral to those system life cycle processes.

As Figure 4—from the same NIST guide—notes, there are three main levels at which an organization must approach risk management activities for its information systems: the organization level, the mission/business process level, and the information system level. The arrow on the left highlights how critical proper communication across all three levels is if the organization is to make the most of its risk management activities. Just as IT forms the base of any software-driven business effort, critical stakeholders in IT form the base of communication about IT risk and security requirements. Without those stakeholders' knowledge and feedback, business processes and company policy would be ill-informed. The same dependency holds from the top of the pyramid downward: without strong leadership, well-crafted business goals, and management buy-in on quality, budget, and security, business processes would be a mess and IT-related efforts would be sub-par and at risk.

The implication with Figure 4 and NIST's guide is that effective planning and communication is critical to ensuring information systems are implemented securely during their entire life cycle. Many organizations approach this task by developing, implementing, and enforcing a cybersecurity plan, in which identifying cybersecurity requirements and objectives—i.e., risk assessment and management—is a vital component. (See the Comprehensive Guide to Developing and Implementing a Cybersecurity Plan for much more on this topic.)

3.1 Five risk categories to consider

In January 2021, Business Tech Weekly highlighted the biggest security challenges to organizations adopting cloud. Among them were[2]:

  • inadequate access control
  • insufficient contract regulation
  • unsecure software interfaces
  • low data visibility
  • delays in deleting data
  • inability to maintain regulatory compliance

These and other related challenges are a product of the various risks of doing business in the cloud. In a business context, a risk is any aspect of the business or the environment it operates in that endangers its objectives; such risks must in turn be managed to better ensure the organization meets its goals. This requires risk management.

Risk management is the process of identifying, evaluating, and prioritizing risks, and then developing an economical and efficient strategy for monitoring, controlling, and mitigating those risks. Whether risk management is part of an overall cybersecurity plan (as it should be) or an independent process (perhaps more common in really small organizations), it always makes sense to have strategies for managing threats and responding to opportunities, not only for the organization as a whole but also specifically for IT and software implementations.

But what are the major risks associated with cloud computing initiatives that drive the need for risk management? And what are the potential consequences if those risks are left unchecked? Business consultancy KPMG released a 2018 report about managing risk in the cloud. In that report, author Sai Gadia identified five critical categories of risk to organizations venturing into the cloud: data security and regulatory risk, technology risk, operational risk, vendor risk, and financial risk.[3]

These five categories neatly sum up the areas of risk to apply to a cloud risk assessment, but let's look at each of them a bit more closely.

Data security and regulatory risk: This category examines the concerns of data integrity and availability.

  • The potential risks: data is leaked, lost, or becomes unavailable.
  • The potential consequences: reputation loss, regulatory non-compliance, business interruptions, and loss of revenue.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining enforcement of existing corporate security policies, maintaining regulatory compliance, managing user access effectively, managing networking across multitenancy or shared infrastructures, and gaining greater flexibility with encryption and security controls offered by the cloud service provider (CSP).
  • Getting around these challenges: Organizations should "have mature data protection and regulatory compliance programs staffed with talented individuals who have sufficient authority and clear responsibilities. Such organizations also leverage leading third-party or homegrown automated tools and continuously improve their capabilities."[3]

Technology risk: This category examines the concerns of rapid shifts in underlying technologies.

  • The potential risks: cloud-specific technologies rapidly evolve, and standardization of those technologies doesn't keep up.
  • The potential consequences: added costs associated with rearchitecting cloud systems, shifting data to new platforms, developing new integrations, and requiring additional training.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining room in the budget for rearchitecting cloud applications and systems periodically, maintaining the personnel to stay engaged and focused on changes happening in the industry, and identifying tools (e.g., dashboards) that can extend the life cycle of your cloud implementation.
  • Getting around these challenges: Organizations should "recognize that cloud will require the role and responsibilities of in-house IT professionals to evolve and are making the necessary investment to train individuals and encourage the adoption of innovative technology. In the process, they are also increasing alignment with the vision and business of the organization."[3] IT professionals should also be considering aspects of cloud such as compatibility with other CSPs as new services are added.

Operational risk: This category examines the concerns of how IT services and tasks get effectively performed.

  • The potential risks: suboptimal service reliability; suboptimal service features; insufficient control over the underlying service; and theft, fires, and natural disasters.
  • The potential consequences: costly downtime, slower workflows, slower disaster recoveries, and permanent losses of vital assets.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: maintaining room in the budget for leading technologies, maintaining room in the budget for a service that meets most if not all workflow and regulatory requirements, having the budget and knowledge to implement redundant systems (e.g., via hybrid cloud), and being able to rapidly bounce back from asset losses.
  • Getting around these challenges: Organizations should "adopt the agile development methodology as well as the DevOps model for cloud deployments. Such organizations are now using the learning from pilot projects to shape the enterprise development methodologies of the future."[3] They should also investigate how to best cost-optimize redundant cloud storage based on access patterns, geography, etc.[4] Finally, if the organization is responsible for localized (i.e., private cloud) assets housing critical operational data and equipment, it should have sufficient plans in place for mitigating risks from physical disasters and other threats to that data and equipment.

Vendor risk: This category examines the concerns of doing business with a CSP.

  • The potential risks: vendor files for bankruptcy, is named in a lawsuit, is scrutinized by a regulatory body, or otherwise has an underlying lack of sustainability or compliance.
  • The potential consequences: loss of data, loss of service, reduced service, and lack of compliance (which has its own costs to an organization).
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: knowing the deep inner workings of the CSP, knowing the financial stability of the CSP, knowing the CSP's true reputation among a wide number of other customers, and putting faith in the CSP's trust center materials.
  • Getting around these challenges: Organizations should "take a long-term strategic view to manage their relationships with cloud service providers. Such companies are actively engaged and are shaping the road map of CSPs' service offerings to help accelerate their move to cloud while being offered better tools by the CSP to efficiently manage risks."[3] This long-term strategic view should include significant due diligence about the vendor's underlying operations, stability, and fall-back plans should they suffer a major business loss.

Financial risk: This category examines the concerns of the organization’s long-term revenues and ability to budget for cloud services.

  • The potential risks: underestimating initial implementation costs, long-term service costs, long-term capital expenditure carry-over (if any), and long-term business revenues.
  • The potential consequences: cost overruns, layoffs, budget cut-backs, and detrimental scaling back of necessary services.
  • The challenges associated with limiting those potential risks and consequences when embracing a cloud computing initiative: finding and retaining experienced and knowledgeable staff capable of budgeting future (and changing) cloud costs, as well as managing the financial activities of the organization.
  • Getting around these challenges: Organizations should “assign individuals with the responsibility for budgeting, tracking, and managing cloud costs. Such organizations are also making use of advanced third-party analytical tools available to manage cloud costs.”[3] Estimating those costs can be challenging, particularly in industries where high-throughput data is being created and managed. As such, negotiating a special agreement with the CSP may be of value.[5] Also, ensure the organization is considering costs associated with contract modifications and cancellation fees.

When identifying risks associated with doing business in the cloud, most likely you'll be able to fit them into one of these five categories. As indicated above, potential consequences come with potential risks, and you'll want to identify those consequences. Of course, it's not a simple matter of addressing those risks and consequences; they come with their own challenges. Identifying risks and consequences, and the challenges surrounding and limiting them, are all part of risk management. Finally, after identifying risks, consider the usefulness of an external review of those risks to ensure your organization hasn't missed anything significant.[6]

But how does an organization successfully go through the risk management process? That's best accomplished with the aid of one or more risk management and cybersecurity frameworks.

3.2 Risk management and cybersecurity frameworks

Speaking to the broad business level, well-executed integrated risk management programs help limit risks within an organization, in turn helping the organization realize tangible benefits.[7] But what are the benefits that arise from an organization that employs integrated risk management efforts? First, by discussing the positive and negative aspects of risks, you potentially discover unintended consequences or new opportunities you may not have at first considered. You may also identify how those risks may extend to other parts of the organization you didn't expect. For example, could a security gap on a remote field sensor lead to a potential attacker finding a way into operational data stores? If you discuss these and other potential situations, the organization also has the added benefit of not being caught off guard since the risk has already been acknowledged. Finally, with quality risk management planning, resources are deployed more optimally and performance becomes more consistent.[7][8]

An integrated risk management approach will naturally extend to an organization’s information technology and how it's used. From sticky-noted passwords on monitors to unauthorized USB hard drives, local IT systems and their data can be put at risk. Now imagine extending that risk to public cloud services. Remember, with added complexity comes added risk, and cloud computing is no exception. This requires a concerted effort from all levels of the organization (again, see Figure 4) to address the risks of doing business in the cloud. This effort can be expedited through the use of risk management and cybersecurity frameworks that guide the organization towards better security and data integrity.

Cloud computing has existed for well over a decade now, and many experts have arisen from the rapidly changing field. Some of those experts have contributed their experience and knowledge to the development of risk management and cybersecurity frameworks over the years. The most successful have been widely disseminated (though several may not be free), meaning you don't have to reinvent the wheel when it comes to assessing and managing risk in your existing and upcoming IT systems. Table 8 shows some popular examples of risk management and cybersecurity frameworks that can be applied to provider and customer cloud security efforts.

Table 8. Examples of some common risk management and cybersecurity frameworks for cloud security.

CIS Controls with Cloud Companion Guide
  Developer: Center for Internet Security (CIS)
  Type of framework: Cybersecurity for cloud
  Details: The CIS Controls are a "prioritized set of actions to protect your organization and data from cyber-attack vectors."[9] The CIS has released a Cloud Companion Guide to accompany their cybersecurity controls, meant to address how to use the CIS Controls in a cloud environment.[10]

Cloud Controls Matrix (CCM)
  Developer: Cloud Security Alliance (CSA)
  Type of framework: Cybersecurity for cloud
  Details: "The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards."[11]

Cloud Security Risk Management (ITSM.50.062)
  Developer: Canadian Centre for Cyber Security (CCCS)
  Type of framework: Cloud risk management
  Details: "To enable the adoption of cloud computing, the Government of Canada (GC) developed an integrated risk management approach to establish cloud-based services. ITSM.50.062 outlines this approach which can be applied to all cloud based services independently of the cloud service and deployment models."[12]

Cloud Security Risk Management Framework (CSRMF)
  Developer: Ahmed E. Youssef
  Type of framework: Cloud risk management
  Details: "In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting [cloud computing] identify, analyze, evaluate, and mitigate security risks in their cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives."[13]

Cloud Security Risk Vectors
  Developer: Tim Maurer and Gerrett Hinck
  Type of framework: Cloud risk management
  Details: "The framework ... applies the well-known cybersecurity triad of confidentiality, integrity, and availability to these risk vectors and includes rough guesstimates of the probabilities that various incidents will occur, ranging from more common incidents to potential black swan events. These probabilities are not intended as predictors but rather as a starting point for a discussion of how different risks could be classified that will hopefully be tested and improved with feedback from other experts over time. The notional probabilities were based on the authors' assessment of the frequency of past occurrences, with events that have not yet occurred being assigned lower probabilities."[14]

ISO/IEC 27017:2015
  Developer: International Organization for Standardization
  Type of framework: Cybersecurity for cloud
  Details: ISO/IEC 27017:2015 "provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls, and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements."[15]

NIST Cybersecurity Framework
  Developer: National Institute of Standards and Technology (NIST)
  Type of framework: Cybersecurity framework
  Details: This framework "consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."[16] Note, however, that the framework has a couple of weaknesses in regards to cloud computing, including not addressing long-term retention of log files, security gaps with shared responsibility models, virtual tenant delegation, and too-broad role-based privileges.[17] If this framework is adopted, keep these and other deficiencies in mind when attempting to close any security gaps.

NIST Risk Management Framework (RMF)
  Developer: National Institute of Standards and Technology (NIST)
  Type of framework: Cloud and cybersecurity risk management
  Details: "Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector."[18] The risk management framework is closely tied to SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations.

Whether part of an organization’s broad cybersecurity plan development or as an independent effort, the organization should consider turning to the security controls, program development, and risk management aspects of one or more risk management and cybersecurity frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. These frameworks will not only couch risks in terms of threats to confidentiality, integrity, and availability, but many will also contain security controls recommended for implementation to combat those threats.

NIST defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."[19] Let's use NIST's SP 800-53 Rev. 5 as an example. One of its security controls is "AC-20(4) Network Accessible Storage Devices - Prohibited Use," which states that users shall not use an organization-defined network accessible storage device in external systems, including "online storage devices in public, hybrid, or community cloud-based systems."[20] This control represents a potential safeguard an organization can implement, most likely as part of an enforced organizational security policy. By extension, those stakeholders responsible for configuring security in the cloud may also implement controls in the infrastructure to further discourage such access to those storage devices.

Note, however, that in contrast to using security controls, some frameworks exist to provide a more program-based or risk-based approach to plan development. Instead of using security controls that mandate an action as a base for building security, risk-based frameworks will typically first help the organization identify the potential threats to its goals and resources and define the strategy that will effectively monitor for and minimize the impact of those risks. Security controls can then be selected as part of that risk discovery process, but the overall framework serves as a guide to identifying and prioritizing the risks most likely to affect the organization. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

In 2020, Deloitte's Center for Regulatory Strategy released a document detailing the Federal Financial Institutions Examination Council's (FFIEC's) Joint Statement on Security in a Cloud Computing Environment. Part of that joint statement addressed how financial services institutions should approach risk management through the application of a risk-based framework. Five layered and hierarchical considerations were given for those institutions towards adopting a risk-based framework: governance, cloud security management, change management, resilience and recovery, and audit and controls assessment (from top to bottom). Those considerations are further discussed here[6]:

  • Governance: Similar to NIST SP 800-37 Rev. 2's risk management approach (Figure 4), knowledgeable stakeholders from all levels of the organization work together as a group to provide subject matter expertise towards developing an organizational plan for choosing, implementing, and securing cloud computing infrastructure and services.[6]
  • Cloud security management: The group's stakeholders complete due diligence research on identified CSPs and how they can prove their level of enacted compliance and security controls, particularly in regards to the needs of the organization. As the organization dives deeper into this process and begins talking about contracts, the stakeholder group may need to develop a responsibility matrix—a tool for clearly delineating responsibilities, roles, milestones, and accountability for a project[21]—to make clear who is responsible for what, particularly if any initial contract or shared responsibility model isn't clear or appears to neglect certain tasks and responsibilities. Additionally, during discussion of contracts and service-level agreements, the topic of quality assurance reports and "right to audit" systems should be discussed and finalized in writing.[6][22]
  • Change management: When implementing software solutions or standalone code in the cloud, those solutions and code snippets will need to be updated from time to time for security purposes. These sorts of changes may have an impact on other aspects of the overall cloud experience, including security. As such, change management practices that take into consideration the use of cloud-specific testing tools and security knowledge are encouraged. Also consider the use of microservices architecture—which encourages a modular, independently deployable approach to application services[23]—which, when implemented well, will limit the exposed attack surface.[6]
  • Resilience and recovery: Business continuity planning (BCP) is a critical part of any overall risk management planning. A BCP document outlines instructional procedures the organization must follow should a major disruption in provided services occur. Those disruptions can be sourced to risks such as natural disasters, pandemics, fires, and sabotage. The BCP document should address continuity of service at all levels of the organization, including business processes, assets, human resource management, business partner effects, etc.[24] The addition of cloud services to business operations requires renewed examination of the BCP of the organization. Apply "stress test" scenarios to business operations under the scope of a CSP having services disrupted. Keep in mind how agile you expect the CSP to be in restoring service or recovering from a catastrophic event, including a pandemic that forces more staff to work remotely. How does this change your BCP, as well as any related disaster recovery planning documentation?[6]
  • Audit and controls assessment: If your organization operates in a highly regulated sector, vetting the CSP as a whole may not be enough. Determine if regular background checks are performed on critical staff supporting regulated data storage and transmission on the cloud service. Know the regulations and standards that affect your industry's data and operations, and ask the CSP for further evidence of how they comply and help you support compliance on their service. From there, taking into account all the information gathered prior, a risk management and/or cybersecurity framework with controls can be selected and adapted to address the specific requirements of cloud service adoption and use within your organization. Be sure to address required data management and security monitoring systems and their own security as part of the control selection process. And after security controls are selected, consider the usefulness of an external review of those controls to ensure you haven't missed anything important to your industry or operating environment.[6]

While these five considerations were originally described in the context of financial services providers, these considerations can be readily applied to organizations in most any sector. However, as Deloitte notes, these considerations are not a complete checklist for adopting a risk-based framework for cloud security. Organizations should also consider where "additional risk management measures such as ongoing assessments of concentration risk, data privacy and protection, data residency, increased adoption of new cloud services for regulated workloads," and more fit into overall risk management planning.[6] Your organization—as part of monitoring risk and quality control—will also likely want to adopt consistent periodic tests of the cloud computing security controls implemented into your organizational processes.[6] Other risk management activities include limiting the effects of employee negligence by providing thorough training and "blocking non-essential IPs from accessing the cloud," as well as having a detailed data loss plan and redundancies in place.[25]

3.3 A brief note on cloud-inclusive cybersecurity insurance


In January 2020, law firm Woodruff Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.[26] In 2023, Network Assured found the percentage of organizations with some form of cybersecurity insurance had gone up to 55 percent, with cybersecurity insurance claims increasing 100 percent since 2020.[27] Though the concept of cyber insurance has been around for several decades, it has certainly gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But even as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible[26], questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.

In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing[28]:

Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.

Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.[29] These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.

When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the Health Insurance Portability and Accountability Act's (HIPAA's) requirement for business associate agreements. Ultimately your organization is still the primary data owner and holds much of the liability.[29] This is a primary reason to consider the value of cyber insurance that extends to the cloud.

However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance[29]:

Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.

But what does cyber insurance in 2023 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below[30]:

  • Network security coverage grant: This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can extend to both first- and third-party costs, including legal expenses, digital forensics (also mentioned in Chapter 2), data restoration, customer notification, public relations consulting, and more.
  • Privacy liability coverage: This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can extend to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties.
  • Network business interruption coverage: This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy.
  • Media liability coverage: This covers your organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement from both online and print advertising of your services.
  • Errors and omissions (E&O): This covers your organization against, essentially, a breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.[29] Coverage includes legal defense costs or other indemnification resulting from a dispute with not only a CSP but also one of your customers.

However, as the number of claims has risen into 2023, insurers are raising the requirements they place on the insured. Of key importance is the close positive correlation between insured organizations having poor cloud security policies and misconfigured cloud systems and the growing number of cyber insurance claims. As AgileIT notes, "businesses seeking cyber insurance will be mandated to strengthen their cloud security postures and particularly show how they will minimize misconfigurations" before qualifying for insurance.[31] Other considerations insurers may weigh include whether or not your lab has an extended detection and response (XDR) plan, robust vulnerability prioritization strategies, and an incident response service provider in place.[31]

Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Should your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Can your lab meet the growing list of requirements from insurers? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to treat costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.


  1. National Institute of Standards and Technology (December 2018). "SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy". Retrieved 28 July 2023.
  2. Antonenko, D. (4 January 2021). "Cloud computing security issues and challenges". Business Tech Weekly. Retrieved 28 July 2023.
  3. Gadia, S. (March 2018). "How to manage five key cloud computing risks" (PDF). KPMG LLP. Retrieved 28 July 2023.
  4. "Cost-optimized redundant data storage in the cloud". Service Oriented Computing and Applications 11: 411–26. 2017. doi:10.1007/s11761-017-0218-9.
  5. Navale, V.; Bourne, P.E. (2018). "Cloud computing applications for biomedical science: A perspective". PLoS Computational Biology 14 (6): e1006144. doi:10.1371/journal.pcbi.1006144. PMC 6002019. PMID 29902176.
  6. Bhat, V.; Kapur, S.; Hodgkinson, S. et al. (2020). "FFIEC statement on risk management for cloud computing services" (PDF). Deloitte Development, LLC. Retrieved 28 July 2023.
  7. Hillson, D. (25 September 2003). "Using risk management for strategic advantage". Project Management Institute. Retrieved 28 July 2023.
  8. Amato, N. (12 July 2016). "5 benefits of an integrated risk management programme". Financial Management. Retrieved 28 July 2023.
  9. "CIS Controls". Center for Internet Security. Retrieved 28 July 2023.
  10. "CIS Controls Cloud Companion Guide". Center for Internet Security. March 2022. Retrieved 28 July 2023.
  11. "Cloud Controls Matrix (CCM)". Cloud Security Alliance. Retrieved 28 July 2023.
  12. Canadian Centre for Cyber Security (March 2019). "Cloud Security Risk Management (ITSM.50.062)". Government of Canada. Retrieved 28 July 2023.
  13. Youssef, A.E. (2019). "A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations". International Journal of Advanced Computer Science and Applications 10 (12): 186–194. doi:10.14569/IJACSA.2019.0101226.
  14. Maurer, T.; Hinck, G. (31 August 2020). "Cloud Security: A Primer for Policymakers". Carnegie Endowment for International Peace. Retrieved 28 July 2023.
  15. "ISO/IEC 27017:2015(en) Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services". International Organization for Standardization. July 2015. Retrieved 28 July 2023.
  16. "Cybersecurity Framework - Getting Started". National Institute of Standards and Technology. 21 April 2023. Retrieved 28 July 2023.
  17. "What the NIST Framework Misses About Cloud Security". InfoSecurity. 28 December 2020. Retrieved 28 July 2023.
  18. "NIST Risk Management Framework - About the Risk Management Framework (RMF)". National Institute of Standards and Technology. 6 July 2023. Retrieved 28 July 2023.
  19. "security control". Computer Security Resource Center. National Institute of Standards and Technology. 2019. Retrieved 28 July 2023.
  20. "SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations". National Institute of Standards and Technology. 10 December 2020. Retrieved 28 July 2023.
  21. Kantor, B. (14 September 2022). "The RACI matrix: Your blueprint for project success". CIO. Retrieved 28 July 2023.
  22. Herold, R. (28 March 2020). "Why You Should Use a Right to Audit Clause". Privacy Security Brainiacs. Retrieved 28 July 2023.
  23. "What are Microservices?". SmartBear. Retrieved 28 July 2023.
  24. Lindros, K.; Tittel, E. (18 July 2017). "How to create an effective business continuity plan". CIO. Retrieved 28 July 2023.
  25. White, R. (20 June 2023). "A Helpful Guide to Cloud Computing in a Laboratory". InterFocus Blog. InterFocus Ltd. Retrieved 28 July 2023.
  26. Floresca, L. (23 January 2020). "Buying Cyber Insurance: It May Be Required, But Is It Worth It?". Insights. Woodruff Sawyer. Retrieved 28 July 2023.
  27. Cole, N. (2 May 2023). "23 Eye-Opening Cybersecurity Insurance Statistics (2023)". Retrieved 15 August 2023.
  28. Levite, A.; Kalwani, G. (9 November 2020). "Cloud Governance Challenges: A Survey of Policy and Regulatory Issues". Carnegie Endowment for International Peace. Retrieved 28 July 2023.
  29. Floresca, L. (9 July 2020). "Cloud Computing Risk and Cyber Liability Insurance". Insights. Woodruff Sawyer. Retrieved 28 July 2023.
  30. Burke, D. (10 October 2022). "Cyber 101: Understand the Basics of Cyber Liability Insurance". Insights. Woodruff Sawyer. Retrieved 28 July 2023.
  31. "Changes to Cybersecurity Insurance in 2023". AgileIT. 24 March 2023. Retrieved 15 August 2023.


Citation information for this chapter

Chapter: 3. Organizational cloud computing risk management

Title: Choosing and Implementing a Cloud-based Service for Your Laboratory

Edition: Second edition

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: August 2023