A cloud risk management policy is about mitigating high risks to a lower level of risk. You should follow a four-step process when setting up the policy, taking into account how different users will perceive it (e.g., some users will want more flexibility than what's in the policy).
How to set up a cloud risk management policy
Step one: Identify the assets
- A Software as a Service (SaaS) user is limited to the desktop, laptop, and/or tablet they use to access a SaaS application.
- A Platform as a Service (PaaS) developer works with more assets. A PaaS developer uses computers and their tools to develop and manage an application; this person also runs their application on an operating system provided by the service provider.
- An Infrastructure as a Service (IaaS) specialist works with network, storage, or compute resources provided by the service provider.
Step two: Assess the risks
You need to assess each asset's risk and rate them low, medium, or high. It doesn't matter whether a risk is man-made (e.g., faulty application logic) or a natural disaster (e.g., an earthquake-prone area).
Step three: Implement safeguards
Before implementing a safeguard, you should make sure it would result in mitigating a high risk to a lower risk level. Safeguard examples include a failover mechanism, leap year recognition, and nested firewalls and two-factor authentication (e.g., a strong password plus facial recognition). If a safeguard for an asset does not offer a positive return on investments, you should get insurance for that asset.
Step four: Review assets, risks, and safeguards
You should periodically review assets, risks, and safeguards (usually every three or six months). When you do, you may discover that:
- New assets have been acquired. For example, you get the latest tablet model from your organization, and you use it to access a SaaS application. Go back to the first step of identifying assets and start over.
- New risks have emerged due to changing business requirements of an application you are developing with a PaaS. If your inventory doesn't show any new assets, go back to the second step of assessing the risks. Otherwise, return to the first step and start over.
- New safeguards may need to be implemented. This can happen when a new technology can make a safeguard more efficient for less money or when new risks emerge. It doesn't matter whether you are a PaaS developer or an IaaS infrastructure specialist. Do the four-step process again.
How different users may perceive the policy
The way a user perceives the benefits of cloud risk management is influenced by:
- the cloud role they undertake;
- the organization they work for; and,
- the controls they are granted by the cloud service provider.
A SaaS user's perception
At any organization, the only control a SaaS user has is access to a SaaS application from whatever the device they choose — it doesn't matter if the application is accounting, human resources, or supply chain tracking. This user doesn't have control over application development or virtual machines.
A SaaS user is likely to perceive the service provider's cloud risk management policy as limited, because the provider will not let the user use his or her security tools to scan for SaaS application vulnerabilities.
A PaaS developer's perception
A PaaS developer can use any security tools they like; therefore, they perceive the provider's risk management policy as flexible. A PaaS developer controls the entire application life cycle, from concept to deployment, and they can build a security tool to test their safeguards. SaaS users will be happy with any safeguards that would be difficult obstacles for hackers to overcome.
A PaaS developer doesn't have control over the operating system updates and virtual machines supporting the PaaS platform. The developer will likely be disappointed the provider will not let them implement safeguards for the operating system and virtual machines.
An IaaS network specialist's perception
An IaaS network specialist can use his or her own security tools in the virtual infrastructure. This specialist likely perceives the provider's cloud risk management policy as very flexible.
IaaS network specialists have control over the tools they need to safeguard the virtual machines from unplanned downtime. They understand the provider will not let them control its infrastructure of physical servers and networks.
Your best bet for mitigating or resolving cloud-related security issues is to consider the various people who will be using this policy and how each side might react to how you're managing risks.
Judith M. Myerson is a Systems Engineering Consultant and Security Professional. She is the editor of Enterprise System Integration and the author of RFID in the Supply Chain. She has researched and published articles on a wide range of cloud computing topics, RFID, security, networking, and mobile. She was awarded a Master of Science degree in Engineering (Computer and Information Sciences). President of a toastmasters group, Judith was awarded her Advanced Communications Gold certificate. She is a member of The Operational Security Professional Association.