As the digital landscape grows increasingly complex, staying ahead of cyberthreat actors and managing cyberrisk is top of mind for many chief executive officers (CEOs) and board members. According to a report by Protiviti Global Business Consulting, executives consider cyberthreats as one of the most pressing long-term risk factors they face.1
At the same time, many organizations are increasingly transitioning their operations to the cloud to enhance agility, scalability, and efficiency. However, the inherent risk from the cyberthreats that accompany this move must be assessed and managed within the context of an organization’s risk appetite. Examples of inherent risk sources that apply to the cloud domain include data security, application security, misconfiguration, identity and access management, and vendor risk. Effective cyberrisk management in and of the cloud is important to safeguard sensitive data, maintain business continuity, and achieve regulatory compliance. Recognizing that organizations may rely on third-party vendors for certain cloud services and controls is also an important piece of the puzzle.
To execute a safe and successful transition to the cloud, it is imperative to explore key considerations and strategies for robust cyberrisk management.
Risk Assessment
Before moving to the cloud it is critical to conduct a general risk assessment to identify and evaluate cyberthreats, vulnerabilities, and their potential impact. To conduct a comprehensive assessment, it is essential to engage all key stakeholders, including executive management, the board of directors (BoD), and the IT, information security, business, risk, and compliance functions.
Risk Mitigation
Once an organization has assessed the risk identified in the risk assessment, it can then develop mitigation strategies to manage risk within its approved risk appetite.
Data Classification and Protection
Correctly classifying data in line with organizational policies and standards is crucial for adequate protection, which reduces the likelihood of data loss or privacy regulation breaches. Such a loss or breach could potentially result in the loss of client and stakeholder trust.
Implementing encryption tools to protect data both in transit and at rest helps to mitigate the risk of unauthorized access and security breaches. It is important to ensure that encryption keys are managed appropriately using a key management system to protect sensitive information. Mismanagement of encryption keys can lead to disrupted operations, noncompliance with regulations, and data breaches. Furthermore, properly classifying the data based on sensitivity and importance helps identify key datasets and applications.
Identity and Access Management
Implementing robust identity and access management (IAM) policies to control and monitor access to resources and technology assets in the cloud is a key control, as it authenticates users and regulates access to systems, networks, and data. Some of the challenges with IAM that increase cyberrisk include:
- Poor user provisioning and deprovisioning practices (e.g., a former employee account is not deprovisioned on a timely basis)
- Too many poorly managed system administrator accounts, especially with high privileges, which attackers can target to gain access to valuable information
- Misconfigured, over-privileged cloud identities that hold more permissions than their role requires
- Weak application security controls such as allowing easily guessable passwords
Implementing multifactor authentication (MFA) or similar techniques significantly enhances security. Another crucial aspect of IAM is the regular review and update of access privileges to adhere to the principle of least privilege, ensuring users have only the necessary access at any given time. More advanced user authentication methods are focused on behavioral biometrics. This form of authentication analyzes patterns of human behavior such as gait, mouse movement, keystrokes, and gestures.
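As an added illustration (not part of the original article), the following Python script runs the kind of periodic access review described above over constructed identity records, flagging the IAM weaknesses just listed: accounts not deprovisioned after departure, wildcard (over-privileged) grants, too many administrators, and active accounts without MFA. The record fields and the `max_admins` threshold are assumptions chosen for the example.

```python
WILDCARD = "*"

# Constructed sample export of cloud identities (not real data). Each record
# carries the account state, whether the person is still employed, whether MFA
# is enforced, and the actions granted by the identity's attached policies.
IDENTITIES = [
    {"user": "alice", "status": "active", "employed": True,
     "mfa": True, "actions": ["s3:GetObject", "s3:ListBucket"]},
    {"user": "bob", "status": "active", "employed": False,   # left, still active
     "mfa": True, "actions": ["ec2:DescribeInstances"]},
    {"user": "carol", "status": "active", "employed": True,
     "mfa": False, "actions": ["*"]},                         # full-admin wildcard
    {"user": "dave", "status": "active", "employed": True,
     "mfa": True, "actions": ["iam:*", "s3:GetObject"]},     # service-wide wildcard
    {"user": "erin", "status": "disabled", "employed": False,
     "mfa": False, "actions": ["*"]},                         # already deprovisioned
]


def is_privileged(actions):
    """True if any grant is a full ('*') or service-wide ('iam:*') wildcard."""
    return any(a == WILDCARD or a.endswith(":" + WILDCARD) for a in actions)


def review_access(identities, max_admins=1):
    """Return review findings keyed by issue; only active accounts are in scope."""
    findings = {"deprovision": [], "over_privileged": [],
                "no_mfa": [], "too_many_admins": []}
    admins = []
    for ident in identities:
        if ident["status"] != "active":
            continue                      # disabled accounts carry no live risk here
        user = ident["user"]
        if not ident["employed"]:
            findings["deprovision"].append(user)      # leaver not offboarded
        if is_privileged(ident["actions"]):
            findings["over_privileged"].append(user)  # violates least privilege
            admins.append(user)
        if not ident["mfa"]:
            findings["no_mfa"].append(user)           # MFA not enforced
    if len(admins) > max_admins:                      # assumed admin-count ceiling
        findings["too_many_admins"] = admins
    return findings


if __name__ == "__main__":
    for issue, users in review_access(IDENTITIES).items():
        print(f"{issue}: {users}")
```

In practice the `IDENTITIES` list would come from the cloud provider's IAM export, and each non-empty finding feeds the access-review ticket for the owning team.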
Vendor Risk Assessment
Evaluating the security measures of third-party cloud vendors is essential for managing an organization’s cyberrisk associated with using cloud service providers. It is also important to regularly review and update vendor security assessments, as the threat landscape is always evolving.
To manage risk, it is essential to understand the shared responsibility model for the cloud and assess whether the third-party service provider's security practices are aligned with the organization's security standards. However, in practice, it can be challenging to determine the security posture of the third-party provider due to a lack of information or ability to negotiate favorable contract terms with the third party. The contracts with cloud vendors should, at minimum, include provisions for an appropriate level of security that meets the organization's risk appetite.
Organizations often use third-party security assessment questionnaires but may not receive complete responses, especially if the questionnaires appear lengthy or complex. Other sources of information to consider and leverage when assessing the security posture of third-party service providers include independent audit reports and other test results obtained from the provider itself, from threat intelligence providers, or from risk-rating service providers.
Continuous Monitoring and Auditing
Regularly monitoring and auditing controls to mitigate risk, such as tracking activities within the cloud environment, is just as crucial as the initial control design. Without proper monitoring, it can be difficult to detect and respond to security threats and performance issues that may arise. Lack of continuous monitoring can lead to data loss, downtime, and reduced productivity. Organizations with a mature control environment typically conduct regular audits of configurations, access logs, and security controls.
Incident Response Planning
Developing a comprehensive incident response plan tailored to the cloud environment and having the capacity to respond when cyberevents materialize is also important. A good incident response plan includes a clear description of roles and responsibilities, establishes communication protocols, and requires periodic testing to ensure a timely and effective response to any cybersecurity incident.
If an incident response plan is not tested it may not work as expected during an emergency, thus causing the organization to fail to contain and recover from the incident promptly. The periodic testing of an incident response plan is crucial in mitigating the severity of the impact of a cyberattack. The US National Institute of Standards and Technology (NIST) provides an incident response guide.2 The four key components in the NIST guide are the following:
- Preparation—Establishing and maintaining an incident response capability
- Detection and analysis—Identifying and understanding the nature of the incident
- Containment, eradication, and recovery—Containing the incident to prevent further damage, eradicating the cause, and recovering affected systems to normal operations
- Post-incident activity—Learning from the incident to improve future response efforts
These components should be integrated into a cyclical process to ensure continuous improvement and adaptation to emerging threats.
Conclusion
Cloud security and achieving a level of maturity aligned with an organization’s risk appetite is an ongoing journey. Adopting a proactive and comprehensive cyberrisk management approach is key for organizations to realize the benefits of the cloud while safeguarding their assets, reputation, and trust of customers and other key stakeholders.
When migrating to the cloud, key steps to consider include assessing and selecting a cloud platform that aligns with business needs and technology strategy, carefully planning the migration, preparing applications and data for the move, implementing cloud migration strategies, testing and addressing any gaps, and maintaining and continuously improving the system. By effectively incorporating these strategies, organizations can ensure a safe and smooth transition to the cloud.
Endnotes
1 Protiviti, Executive Perspectives on Top Risks for 2023 and 2032
2 National Institute of Standards and Technology, NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, USA, 2012
Gaya Ratnam, CRISC, CC, GCIH, GSEC, CIA
Is an experienced risk management and audit professional with more than 15 years of experience assessing risk and controls in various roles across different industries. She has breadth and depth of knowledge of risk management processes and frameworks, such as COBIT and NIST, used to manage risk. Ratnam is currently a manager of enterprise technology risk management at TD Bank.