The prevailing question in cloud computing today is whether the public cloud is safe. The full answer, however, depends on whether the organization understands how much risk it is willing to accept.
By assessing your security requirements, you learn how much risk you can withstand and how much value you have pegged on your information assets, such as applications, data and processes.
You can only make an informed risk decision once you understand which service delivery models and deployment models suit your needs. Before you adopt a public or hybrid cloud model, identify your information assets.
By choosing either model, you cede some control over where your information is stored and how it is protected. Of the possible combinations, an internally hosted and operated private cloud is the one many organizations can manage themselves, and it is the one that keeps the most control in the organization's hands.
Remember, too, that your information assets are not limited to information or data. Your applications and processes can be as proprietary or sensitive as any other business information. In many organizations, intelligence, financial data, programs and algorithms are always kept secret; if exposed, the organization can suffer a massive loss.
The following are some steps for assessing cloud computing risks.
Assess your risk
Start with a brief risk analysis that asks the following questions:
- Categorize the threats – what can happen to each information asset?
- Impact of the threat – how bad would it be?
- Threat frequency – how often is the threat likely to occur?
- Uncertainty factor – how confident are you in your answers to the questions above?
Uncertainty, usually expressed as a probability, is the central issue with risk: countermeasures and mitigation steps can only address what you know about. Once you have analyzed the risks and decided to address them, the following further questions apply:
- Mitigation – what should you do to reduce the risk?
- Mitigation cost – what does the mitigation cost?
- Mitigation benefit – is the mitigation cost effective, that is, does the loss it avoids exceed its cost?
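The four analysis questions and the three mitigation questions above can be carried through as a small quantitative risk register. The following is an added worked example, not code from the original article. It uses the standard annualized loss expectancy model (single loss expectancy times annual rate of occurrence), which the article does not name; it carries the uncertainty question as a low/high band on the frequency estimate rather than a single number, and it judges a mitigation cost effective only when the loss it avoids exceeds its cost across that band. The asset, threats, mitigations and all figures are constructed sample data.

```python
"""Quantitative risk register for the cloud risk questions.

Added example, not from the original article. Model (an assumption, the
article names no formula):
    SLE = asset value * exposure factor   (impact: how bad?)
    ALE = SLE * ARO                       (frequency: how often per year?)
Uncertainty is kept as a low/high band on ARO; a mitigation's benefit is
the ALE it removes minus its annual cost, judged across the whole band.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threat:
    """One row of the analysis: what can happen, how bad, how often, how sure."""
    name: str
    exposure_factor: float  # impact: fraction of the asset's value lost per event, 0..1
    aro_low: float          # frequency: events per year, lower estimate
    aro_high: float         # frequency: events per year, upper estimate

    @property
    def aro_mid(self) -> float:
        return (self.aro_low + self.aro_high) / 2

    @property
    def uncertainty(self) -> float:
        """Width of the frequency band relative to its midpoint; 0 means certain."""
        return 0.0 if self.aro_mid == 0 else (self.aro_high - self.aro_low) / self.aro_mid


@dataclass
class Mitigation:
    name: str
    annual_cost: float  # mitigation cost per year
    reduction: float    # fraction of the threat's expected loss it removes, 0..1


@dataclass
class Asset:
    name: str
    value: float  # the value pegged on the asset, in currency units


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE: loss from one occurrence of the threat against this asset."""
    return asset.value * threat.exposure_factor


def annual_loss_range(asset: Asset, threat: Threat) -> Tuple[float, float, float]:
    """ALE as (low, mid, high) so the uncertainty survives into the decision."""
    sle = single_loss_expectancy(asset, threat)
    return (sle * threat.aro_low, sle * threat.aro_mid, sle * threat.aro_high)


def prioritize(asset: Asset, threats: List[Threat]) -> List[str]:
    """Threat names ordered by mid-estimate annual loss, largest first."""
    ranked = sorted(threats, key=lambda t: annual_loss_range(asset, t)[1], reverse=True)
    return [t.name for t in ranked]


def evaluate_mitigation(asset: Asset, threat: Threat, m: Mitigation) -> Dict:
    """Mitigation benefit: avoided loss minus cost, judged across the uncertainty band."""
    avoided = [x * m.reduction for x in annual_loss_range(asset, threat)]
    net_low, net_mid, net_high = (a - m.annual_cost for a in avoided)
    if net_low > 0:
        verdict = "cost effective even at the low frequency estimate"
    elif net_mid > 0:
        verdict = "cost effective only if the mid frequency estimate holds"
    else:
        verdict = "not cost effective"
    return {
        "mitigation": m.name,
        "net_benefit": (net_low, net_mid, net_high),
        "rosi": net_mid / m.annual_cost,  # return on security investment, mid estimate
        "verdict": verdict,
    }


# Constructed sample figures; not measurements from any real organization.
CUSTOMER_DB = Asset("customer database", value=1_000_000)
CREDENTIAL_THEFT = Threat("credential theft", exposure_factor=0.3, aro_low=0.2, aro_high=1.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.5, aro_low=0.05, aro_high=0.15)
MFA = Mitigation("phishing-resistant MFA", annual_cost=40_000, reduction=0.8)
BACKUPS = Mitigation("immutable offsite backups", annual_cost=30_000, reduction=0.9)
DLP = Mitigation("DLP appliance", annual_cost=80_000, reduction=0.5)

if __name__ == "__main__":
    threats = [CREDENTIAL_THEFT, RANSOMWARE]
    print("priority:", prioritize(CUSTOMER_DB, threats))
    for t in threats:
        low, mid, high = annual_loss_range(CUSTOMER_DB, t)
        print(f"{t.name}: ALE {low:,.0f} .. {mid:,.0f} .. {high:,.0f}, uncertainty {t.uncertainty:.2f}")
    for t, m in [(CREDENTIAL_THEFT, MFA), (RANSOMWARE, BACKUPS), (RANSOMWARE, DLP)]:
        r = evaluate_mitigation(CUSTOMER_DB, t, m)
        print(f"  {t.name} / {r['mitigation']}: net {r['net_benefit'][1]:,.0f}/yr, "
              f"ROSI {r['rosi']:.2f}, {r['verdict']}")
```

The three-way verdict is the point of keeping the band: a control whose benefit is positive only at the midpoint is a bet on the frequency estimate, and the uncertainty figure tells you how large that bet is. Replacing the sample values with your own asset valuations and incident rates turns the register into the "how much risk can you withstand" answer the preceding paragraphs ask for.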
Information assets risk
Uncertainty is the central issue with risk assessment, so examine your information assets thoroughly. Identifying information assets can be tricky, especially for digital content, where the rule of “create once and copy often” reigns supreme.
A typical organization does not fully control its information, so it can never be fully assured that no other copies of a piece of its data exist. From the viewpoint of protecting data this may be the worst aspect: even appropriate controls are not sufficient to prevent duplication or intentional or unintentional information leakage.
That is why the following questions should be asked about each information asset:
- What could happen if the information asset was manipulated?
- What could happen if the information asset was exposed?
- What could happen if an external entity modified the information asset?
- What could happen if the information asset became suddenly unavailable?
If these questions raise concerns about avoidable risks, keep the risk-sensitive information assets in a private cloud.
Privacy and confidentiality concerns
Sometimes you will be dealing with data that is subject to regulatory and compliance requirements. For such data, the cloud model you can use depends on whether the cloud service provider is itself fully compliant; otherwise you risk violating those requirements.
The obligation to confirm that data is managed securely falls on the tenant, and where privacy, business and national security are concerned, the implications of failing to maintain information security are very significant.
Understand that data security and data governance are two different issues. As the client, it is your responsibility to fully understand the provider's privacy governance alongside its other security practices and guidelines.
Personal information is governed by privacy laws; information related to national security and certain classes of business information are subject to much stricter laws and regulations.
Although cloud computing is a relatively new model, privacy and security laws should already restrict classified information from being stored in a public cloud. The harder question concerns the other government functions which do not process classified or sensitive data.