Managing risks when transitioning to the cloud

As the digital landscape becomes increasingly complex, staying ahead of cyber threat actors and managing cyber risks is a priority for many CEOs and board members. Executives view cyber threats as one of the most pressing long-term risk factors they face, according to a report from Protiviti Global Business Consulting.1

At the same time, many organizations are moving their operations to the cloud to improve agility, scalability and efficiency. However, the cyber risk inherent in that move must be assessed and managed in the context of the organization’s risk appetite. Sources of inherent risk that apply to the cloud domain include data security, application security, misconfiguration, identity and access management, and vendor risk. Effective cyber risk management in and out of the cloud is important to protect sensitive data, maintain business continuity and ensure regulatory compliance. Recognizing that organizations may rely on third-party providers for certain cloud services and controls is also an important piece of the puzzle.

To execute a secure and successful transition to the cloud, it is imperative to explore key considerations and strategies for robust cyber risk management.

Risk assessment

Before moving to the cloud, it is essential to conduct a risk assessment that identifies cyber threats and vulnerabilities and evaluates their potential impact. To make the assessment comprehensive, it is essential to involve all key stakeholders, including executive management, the board of directors (BoD), IT, information security, the business, and the risk management and compliance functions.

Risk mitigation

Once an organization has evaluated the risks identified in the risk assessment, it can develop mitigation strategies to manage those risks within its approved risk appetite.

Data classification and protection
Correct classification of data in accordance with organizational policies and standards is crucial for adequate protection, reducing the risk of data loss or violations of privacy regulations. Such exposure could potentially lead to a loss of customer and stakeholder trust.

Implementing encryption tools to protect data in transit and at rest helps mitigate the risk of unauthorized access and security breaches. It is important to ensure that encryption keys are managed appropriately using a key management system to protect sensitive information. Poor encryption key management can lead to operational disruptions, non-compliance with regulations and data breaches. Additionally, properly classifying data based on sensitivity and importance helps identify key data sets and applications.

Identity and access management
Implementing robust identity and access management (IAM) policies to control and monitor access to resources and technology assets in the cloud is a key control because IAM authenticates users and regulates their access to systems, networks and data. Some of the IAM challenges that increase cyber risk include:

  • Poor user provisioning and deprovisioning practices (for example, a former employee’s account is not deprovisioned in a timely manner)
  • Too many poorly managed system administrator accounts, especially those with high privileges, which attackers can target to gain access to valuable information
  • Misconfigured, overly privileged cloud identities that grant more permissions than the role requires
  • Weak authentication controls in applications, such as allowing easily guessable passwords

Implementing multi-factor authentication (MFA) or similar techniques significantly improves security, because a stolen or guessed password alone is no longer enough to log in. Another crucial aspect of IAM is regularly reviewing and updating access privileges to adhere to the principle of least privilege, ensuring that users have only the access they need at any given time. More advanced user authentication methods focus on behavioral biometrics. This form of authentication analyzes human behavior patterns such as gait, mouse movements, keystrokes and gestures.
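The two IAM failure modes above that are easiest to catch mechanically are overly privileged grants and accounts that were never deprovisioned. The following is an added example, not code from the article or its author, that runs both checks over constructed sample data. It assumes policy documents in the AWS IAM JSON policy grammar and an account inventory exported with user, enabled, hr_status and last_activity fields; the policy names, user names, sensitive-action list and 90-day idle threshold are all assumptions for illustration.

```python
"""Static IAM hygiene checks over constructed sample data (added example).

Checks: wildcard actions, write actions not scoped to a resource, sensitive
actions with no MFA condition, and enabled accounts that are idle or belong
to people HR has marked as terminated. All data below is constructed.
"""
from datetime import date

# Assumed list of actions that should only be usable from an MFA session.
SENSITIVE_ACTIONS = {"iam:*", "iam:CreateAccessKey", "iam:AttachUserPolicy",
                     "kms:*", "kms:ScheduleKeyDeletion", "s3:DeleteBucket"}
MAX_IDLE_DAYS = 90  # assumed threshold for flagging dormant accounts


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(stmt):
    """True if the statement is conditioned on aws:MultiFactorAuthPresent."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def _is_read_only(action):
    return action.split(":")[-1].startswith(("Get", "List", "Describe"))


def audit_policy(name, policy):
    """Return (policy name, statement index, finding) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        mfa = _requires_mfa(stmt)
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((name, i, "grants every action (Action: *)"))
            elif action.endswith(":*"):
                findings.append((name, i, f"grants every action in service {action[:-2]}"))
            if "*" in resources and not _is_read_only(action):
                findings.append((name, i, f"{action} is not scoped to a resource"))
            if (action == "*" or action in SENSITIVE_ACTIONS) and not mfa:
                findings.append((name, i, f"{action} allowed without an MFA condition"))
    return findings


def stale_accounts(inventory, today, max_idle_days=MAX_IDLE_DAYS):
    """Return (user, reason) tuples for enabled accounts that should be removed."""
    findings = []
    for acct in inventory:
        if not acct["enabled"]:
            continue
        idle_days = (today - date.fromisoformat(acct["last_activity"])).days
        if acct["hr_status"] == "terminated":
            findings.append((acct["user"], "enabled although HR status is terminated"))
        elif idle_days > max_idle_days:
            findings.append((acct["user"], f"no activity for {idle_days} days"))
    return findings


# Constructed sample policies with hypothetical names.
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
SAMPLE_POLICIES = {
    "AdminEverything": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadOnlyReports": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]}]},
    "KeyAdminNoMfa": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]},
    "KeyAdminMfa": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*", "Condition": MFA_CONDITION}]},
}

# Constructed account inventory; TODAY is fixed so the output is deterministic.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    {"user": "alice", "enabled": True, "hr_status": "active", "last_activity": "2024-05-28"},
    {"user": "bob", "enabled": True, "hr_status": "terminated", "last_activity": "2024-01-15"},
    {"user": "svc-backup", "enabled": True, "hr_status": "active", "last_activity": "2023-11-02"},
    {"user": "carol", "enabled": False, "hr_status": "terminated", "last_activity": "2023-12-20"},
]

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        for _, idx, msg in audit_policy(name, policy):
            print(f"[policy] {name} statement {idx}: {msg}")
    for user, reason in stale_accounts(SAMPLE_INVENTORY, TODAY):
        print(f"[account] {user}: {reason}")
```

Run as a script it lists the wildcard and unscoped grants in AdminEverything and the two KeyAdmin policies (the MFA-conditioned one produces one finding fewer), reports nothing for the read-only policy, and flags bob (terminated but still enabled) and svc-backup (idle for 212 days) while ignoring carol, whose account is already disabled. In a real environment the same functions would be fed the output of the provider’s IAM and HR exports rather than the embedded samples.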

Supplier risk assessment

Evaluating third-party cloud provider security measures is essential to managing an organization’s cyber risks associated with the use of cloud service providers. It is also important to regularly review and update vendor security assessments, as the threat landscape is constantly evolving.

To manage risk, it is essential to understand the shared responsibility model for the cloud and assess whether the third-party service provider’s security practices are aligned with the organization’s security standards. However, in practice, it may be difficult to determine the security posture of the third-party provider due to a lack of information or ability to negotiate favorable contractual terms with the third party. Contracts with cloud providers should, at a minimum, include provisions for an appropriate level of security that meets the organization’s risk appetite.

Organizations often use third-party security assessment questionnaires, but may not receive complete responses, especially if the questionnaires appear lengthy or complex. Other sources of information to consider when assessing the security posture of a third-party service provider include independent audit reports and other testing results obtained from the vendor, threat intelligence providers, and third-party risk assessment services.

Continuous monitoring and auditing

Regular monitoring and auditing of controls to mitigate risks, such as tracking activities in the cloud environment, is just as crucial as the initial design of the controls. Without proper monitoring, it can be difficult to detect and respond to security threats and performance issues that may arise. Lack of continuous monitoring can lead to data loss, downtime and reduced productivity. Organizations with a mature control environment typically perform regular audits of configurations, access logs, and security controls.
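Tracking activities in the cloud environment means more than collecting logs; someone has to run detection logic over them. The following is an added example, not code from the article or its author: a small rule set applied to constructed CloudTrail-style events. It assumes events arrive as JSON lines in the CloudTrail record shape (eventName, userIdentity, sourceIPAddress, additionalEventData, requestParameters); the rules (console login without MFA, use of root credentials, changes to the audit trail, and security group ingress opened to the whole internet) are an assumed starting point rather than a complete baseline, and the user names, addresses and identifiers in the sample events are constructed.

```python
"""Detection rules over constructed CloudTrail-style events (added example).

Each event is checked against every rule; a match becomes a finding that
carries time, actor and source address, which is what triage needs.
The rule set and event shape are assumptions; the events are constructed.
"""
import ipaddress
import json

# Assumed list of API calls that weaken or disable audit logging.
LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_console_login_without_mfa(ev):
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
        return "console login without MFA"
    return None


def rule_root_usage(ev):
    if ev.get("userIdentity", {}).get("type") == "Root":
        return "root credentials used"
    return None


def rule_logging_changed(ev):
    if ev.get("eventName") in LOGGING_CHANGES:
        return f"audit trail changed ({ev['eventName']})"
    return None


def rule_ingress_open_to_internet(ev):
    """Flag AuthorizeSecurityGroupIngress whose CIDR is 0.0.0.0/0 or ::/0."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return f"ingress {perm.get('ipProtocol')}/{perm.get('fromPort')} opened to {cidr}"
    return None


RULES = [rule_console_login_without_mfa, rule_root_usage,
         rule_logging_changed, rule_ingress_open_to_internet]


def _actor(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(log_text):
    """Run every rule over every JSON-lines event and return the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append({"time": ev.get("eventTime"), "actor": _actor(ev),
                                 "ip": ev.get("sourceIPAddress"), "finding": msg})
    return findings


# Constructed sample events (documentation address ranges, hypothetical names).
SAMPLE_LOG = """\
{"eventTime": "2024-06-01T08:02:11Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2024-06-01T08:15:42Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-06-01T09:01:03Z", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"groupId": "sg-0a1b2c", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
{"eventTime": "2024-06-01T09:05:30Z", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "requestParameters": {"groupId": "sg-0a1b2c", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}}
{"eventTime": "2024-06-01T11:47:19Z", "eventName": "StopLogging", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['time']} {f['actor']:<6} {f['ip']:<14} {f['finding']}")
```

On the sample, alice’s events produce nothing (MFA was used and the ingress rule is scoped to an internal range), bob’s non-MFA login and the port 22 rule opened to 0.0.0.0/0 each produce a finding, and the final event produces two because root credentials were used to stop the trail. The same source address appearing across all three of bob’s and the root event’s findings is the kind of correlation the incident response plan described below should be ready to act on.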

Incident response planning

It is also important to develop a comprehensive incident response plan tailored to the cloud environment and have the ability to respond when cyber events materialize. A good incident response plan includes a clear description of roles and responsibilities, establishes communication protocols, and requires periodic testing to ensure a rapid and effective response to any cybersecurity incident.

If an incident response plan is not tested, it may not work as intended in an emergency, preventing the organization from quickly containing and recovering from the incident. Periodic testing of an incident response plan is essential to mitigate the severity of the impact of a cyberattack. The U.S. National Institute of Standards and Technology (NIST) offers an incident response guide.2 The four key elements of the NIST guide are:

  1. Preparation—Establish and maintain incident response capability
  2. Detection and analysis—Identify and understand the nature of the incident
  3. Containment, eradication and recovery—Contain the incident to prevent further damage, eradicate the cause, and return affected systems to normal operation
  4. Post-incident activity—Learn lessons from the incident to improve future response efforts

These components must be integrated into a cyclical process to ensure continuous improvement and adaptation to emerging threats.

Conclusion

Cloud security and achieving a level of maturity aligned with an organization’s risk appetite is an ongoing journey. Adopting a proactive and comprehensive approach to cyber risk management is essential for organizations to realize the benefits of the cloud while protecting their assets, reputation and the trust of customers and other key stakeholders.

When migrating to the cloud, key steps to consider include evaluating and selecting a cloud platform that fits business needs and technology strategy, carefully planning the migration, preparing applications and data for the move, implementing the migration strategy, testing and fixing any gaps, and maintaining and continually improving the system. By effectively integrating these strategies, organizations can ensure a secure and smooth transition to the cloud.

Endnotes

1 Protiviti, Executive perspectives on key risks for 2023 and 2032
2 National Institute of Standards and Technology, NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, United States, 2012

Gaya Ratnam, CRISC, CC, GCIH, GSEC, CIA

She is an experienced risk management and audit professional with over 15 years of experience in risk assessment and controls in various roles across different industries. She has broad and in-depth knowledge of risk management processes and frameworks such as COBIT and NIST. Ratnam is currently responsible for enterprise technology risk management at TD Bank.