Minimising risk with the cloud

As the cloud becomes more popular, it is becoming increasingly hard for security and compliance teams to tell organisations they cannot move to it. With the benefits too hard to ignore, risk teams now need to focus on learning how to adapt to the cloud environment, according to John Overbaugh, managing director of Security Services at Caliber Security Partners.

He states that those who refuse to make this change will find themselves sidelined.

Writing in a blog post for ISACA, Overbaugh suggests the following tips to help organisational risk leaders adopt cloud technologies while minimising the risk:

1. Adopting and adapting application-security-assessment tools. Overbaugh writes that questionnaires for cloud services need to go beyond the standard set of questions and should cover important topics such as framework compliance and monitoring/reporting. “By devising (or revising) questionnaires that help uncover where risk will be transferred successfully, where the client will need to mitigate risk, and where risk will be accepted, teams enable their companies to benefit from cloud efficiencies while retaining relevance in the conversation,” he wrote.

2. Recognising that going to the cloud has benefits. Some risks, such as physical access control and disaster recovery, will transfer to the cloud provider. Overbaugh writes that cloud customers should have their providers document how they manage these risks and attest to, or provide appropriate proof of, compliance. In the end, transferring these risks can often be financially advantageous.

3. Redefining controls required for risk mitigation. In IaaS and PaaS environments, controls such as encryption at rest are absolutely required for sensitive data, Overbaugh states. Strict controls on administrative access to systems and resources need to be implemented and validated regularly, so that the cloud provider cannot gain unauthorised access. In SaaS environments, strong monitoring and reporting tools must be made available to the client for the very same reason.
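The "implemented and validated regularly" part of item 3 is the piece that is easy to automate. The script below is an added example, not code from the ISACA post, the article or Caliber Security Partners: it audits a constructed, simplified resource inventory for the two IaaS/PaaS controls named above, sensitive volumes lacking encryption at rest (or encrypted only with a provider-default key rather than a customer-managed one), and IAM-style policy statements that grant admin-level actions without an MFA condition. The inventory layout, the field names, the `aws:MultiFactorAuthPresent` condition key and the list of admin-level actions are assumptions chosen for illustration; a real run would feed this from the provider's inventory API.

```python
"""Audit a cloud inventory for the encryption-at-rest and admin-access controls.

Added example; the inventory below is constructed, not real provider output,
and the field names are assumptions for illustration.
"""
import fnmatch

# Constructed sample inventory (assumed layout, not a provider's real schema).
INVENTORY = {
    "volumes": [
        {"id": "vol-1", "classification": "sensitive", "encrypted": True, "key": "customer-managed"},
        {"id": "vol-2", "classification": "sensitive", "encrypted": False, "key": None},
        {"id": "vol-3", "classification": "public", "encrypted": False, "key": None},
        {"id": "vol-4", "classification": "sensitive", "encrypted": True, "key": "provider-default"},
    ],
    "policies": [
        {"name": "ops-admin", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
        {"name": "legacy-admin", "statements": [
            {"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"}]},
        {"name": "reader", "statements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:example:bucket/*"}]},
    ],
}

# Concrete actions we treat as "administrative" (assumed list for the example).
# A statement is admin-level if any of its action patterns covers one of these.
ADMIN_ACTIONS = (
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
)


def _as_list(value):
    """IAM documents allow a bare string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def grants_admin(stmt):
    """True if an Allow statement's action globs cover any admin-level action."""
    if stmt.get("Effect") != "Allow":
        return False
    patterns = _as_list(stmt.get("Action", []))
    # fnmatch treats "*" as matching anything, so "*" and "iam:*" both hit.
    return any(fnmatch.fnmatchcase(action, pat)
               for pat in patterns for action in ADMIN_ACTIONS)


def requires_mfa(stmt):
    """True if the statement is conditioned on an MFA-authenticated session."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"


def audit(inventory):
    """Return (resource, finding) pairs for every control violation found."""
    findings = []
    for vol in inventory["volumes"]:
        if vol["classification"] != "sensitive":
            continue  # the control applies to sensitive data only
        if not vol["encrypted"]:
            findings.append((vol["id"], "sensitive data not encrypted at rest"))
        elif vol["key"] != "customer-managed":
            # Provider-default keys leave key policy outside the customer's control.
            findings.append((vol["id"], "encrypted with provider-default key, not customer-managed"))
    for policy in inventory["policies"]:
        for stmt in policy["statements"]:
            if grants_admin(stmt) and not requires_mfa(stmt):
                findings.append((policy["name"], "admin-level grant without MFA condition"))
    return findings


if __name__ == "__main__":
    for resource, finding in audit(INVENTORY):
        print(f"{resource}: {finding}")
```

Run on the constructed inventory it flags vol-2, vol-4 and legacy-admin and passes vol-1, vol-3, ops-admin and reader. Scheduling this against a fresh inventory export is what "validated regularly" looks like in practice; the match logic is deliberately conservative (a Deny never counts, and only explicit MFA conditions clear an admin grant), so anything it reports deserves a human look rather than an automatic exception.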

4. Educating IT and business leaders on the risks being accepted. Overbaugh states that risk managers are, by nature, risk averse, but businesses accept risk all the time. By identifying risks and alerting leaders to them, risk managers can help put each risk into its business context so that leaders can make informed decisions.
