What to Expect from Cloud Security Risk Responses?

Risk response provides a consistent, organization-wide response to risk, guided by the organizational risk frame, by taking these steps:

  1. Developing alternative courses of action for responding to risk
  1. Evaluating the alternative courses of action
  1. Determining appropriate courses of action consistent with organizational risk tolerance
  1. Implementing risk responses based on selected courses of action

What are the Traditional Risk Responses used by Cloud computing?

Traditional Risk Responses

The four traditional ways to address risk are described in this section.

Risk can be accepted: In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios.

Risk acceptance is the practice of accepting certain risks, typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

For example, an executive may be confronted with risks identified during a risk assessment for her organization.

These risks have been prioritized by high, medium, and low impact to the organization.

The executive notes that to mitigate or transfer the low-level risks, significant costs could be involved.

Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, whereas transference of the risk to an insurance company would require premium payments.

The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized.

Therefore, she rightly concludes that it is wiser for the organization to forego the costs and accept the risk.

The decision to accept risk should not be taken lightly, nor without appropriate information to justify the decision.

The cost versus benefit, the organization’s willingness to monitor the risk long term, and the impact it has on the outside world’s view of the organization must be taken into account when deciding to accept risk.

When accepting risk, the business decision to do so must be documented. Some organizations may track containment of risk.

Containment lessens the impact to an organization when exposure is exploited through the distribution of critical assets (that is, people, processes, data, technologies, and facilities).

Risk can be avoided: Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.

Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice.

This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers want to purchase).

In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wants to continue the business.

This could have a catastrophic effect on the company’s ability to continue business operations.

Risk can be transferred: Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.

The transfer of risk may be accompanied by a cost.

This can be seen in insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction.

This may also be true if an organization must purchase and implement security controls to make its organization less desirable to attack.

Not all risks can be transferred.

Although the financial risk is simple to transfer through insurance, the reputational risk can rarely be fully transferred.

If a banking system is breached, there may be a cost in the money lost, but what about the reputation of the bank as a secure place to store assets?

How about the stock price of the bank and the customers the bank may lose due to the breach?

Risk can be mitigated: Risk mitigation is the practice of the elimination of, or the significant decrease in the level of, the risk presented.

Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world.

For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, IDSs and IPSs, and other mechanisms.

What is Residual Risk in Cloud computing?

Residual Risk

Although elimination of risk is a goal of the holistic risk management process, it is an unrealistic goal to set that all risks will be eliminated from a system or environment.

There will always be some amount of risk left in any system after all countermeasures and strategies have been applied.

This is referred to as the residual risk.

What is Risk Assignment in Cloud computing?

Risk Assignment

“Who is assigned and responsible for risk?” is a serious question with an intriguing answer: it depends.

Ultimately, the organization (that is, senior management or stakeholders) owns the risks that are present during the operation of the company.

Senior management, however, may rely on business unit (or data) owners or custodians to assist in the identification of risks so that they can be mitigated, transferred, or avoided.

The organization also likely expects that the owners and custodians will minimize or mitigate risk as they work, based on policies, procedures, and regulations present in the environment.

If expectations are not met, a consequence such as disciplinary action, termination, or prosecution will usually result.

Here is an example. A claims processor is working with a medical healthcare claim submitted to his organization for completion.

The claim contains electronic personally identifiable healthcare information for a person the claims processor knows.

Although he has acknowledged his responsibilities for the protection of the data, he calls his mother, who is a good friend of the individual who filed the claim.

His mother in turn calls multiple people, who in turn contact the person who filed the claim.

The claimant contacts an attorney, and the employee and company are sued for the intentional breach of information. Several things are immediately apparent from this example.

The employee is held immediately accountable for his action in intentionally exploiting a vulnerability (that is, sensitive information was inappropriately released, according to the U.S. federal law HIPAA).

Although the employee was a custodian of the data (and a co-owner of the risk), the court also determined that the company was co-owner of the risk and hence also bore the responsibility for compensating the victim (in this example, the claimant).

Once the findings from the assessment have been consolidated and the calculations have been completed, it is time to present a finalized report to senior management.

This can be done in a written report or through a presentation.

Any written reports should include an acknowledgment to the participants, a summary of the approach taken, findings in detail (in either tabulated or graphical form), recommendations for remediation of the findings, and a summary.

Organizations are encouraged to develop their formats to make the most of the activity as well as the information collected and analyzed.

What are the Countermeasures for Risk Response?

Countermeasures

One of the most important steps for the organization is to appropriately select countermeasures to apply to risks in the environment.

Many aspects of the countermeasure must be considered to ensure that they are a proper fit for the task.

Following are considerations for countermeasures or controls:

  1. Accountability (can be held responsible)
  1. Auditability (can be tested)
  1. Trusted source (source is known)
  1. Independence (self-determining)
  1. Consistent application
  1. Cost-effectiveness
  1. Reliability
  1. Independence from other countermeasures (no overlap)
  1. Ease of use
  1. Automation
  1. Sustainability
  1. Security
  1. Protection of AIC (availability, integrity, and confidentiality) of assets
  1. Ability to be backed out in event of an issue
  1. Creates no additional issues during operation
  1. Leaves no residual data from its function

From this list, it is clear that countermeasures must be above reproach when deployed to protect an organization’s assets.

Once the risk assessment is completed and there is a list of remediation activities to be undertaken, an organization must ensure that it has personnel with appropriate capabilities to implement the remediation activities as well as to maintain and support them.

This may require the organization to provide additional training opportunities to personnel involved in the design, deployment, maintenance, and support of security mechanisms in the environment.

In addition, it is crucial that appropriate policies, with detailed procedures and standards that correspond to each policy item, be created, implemented, maintained, monitored, and enforced throughout the environment.

The organization should assign resources that can be accountable to each task and track tasks over time, reporting progress to senior management and allowing time for appropriate approvals during this process.

How to Implement Risk Countermeasures in Cloud computing?

Implementing Countermeasures

When the security architects sit down to start pondering how to design the enterprise security architecture, they should be thinking about many things.

What frameworks should they use as points of reference?

What business issues do they need to take into account?

Who are the stakeholders?

Why are they only addressing this and not that area of the business?

How will they be able to integrate this system design into the overall architecture?

Where will the single points of failure (SPOFs) be in this architecture?

The challenge for the architect is to coordinate all those streams of thought and channel them into a process that will let them design a coherent and strong enterprise security architecture.

For all three security actors (end users, system administrators, and senior management), common sense means several things: situational awareness, paying attention to details, not assuming, and so on.

It also means that they must become experts at understanding and managing risk in their area, but with an eye toward a common goal.

That goal is to manage risk in such a way that it does not negatively influence the enterprise.

That goal is shared by everyone who interacts with the architecture at any level for any reason.

The end-users need to use systems in such a way that they do not expose them to threats and vulnerabilities due to their behavior.

The system administrators need to ensure that the systems are kept up to date in terms of security patching to ensure that all known vulnerabilities are being mitigated within the system.

Senior management needs to provide the appropriate resources to ensure that the systems can be maintained as needed to guarantee safe operating conditions for all users.

The identification and management of risk through the deployment of countermeasures is the common ground that all system users, regardless of role or function, share in the enterprise. Here are some examples:

  1. Mobile applications
  • Risks: Lost or stolen devices, malware, exposure across multiple communication channels, and weak authentication
  • Countermeasures: Meeting mobile security standards, tailoring security audits to assess mobile application vulnerabilities, secure provisioning, and control and monitoring of application data on personal devices
  1. Web 2.0
  • Risks: Securing social media, content management, and security of third-party technologies and services
  • Countermeasures: Security API, CAPTCHA, unique security tokens, and transaction approval workflows
  1. Cloud-computing services
  • Risks: Multitenant deployments, security of cloud computing deployments, third-party risk, data breaches, DoS attacks, and malicious insiders
  • Countermeasures: Cloud-computing security assessment, compliance-audit assessment on cloud-computing providers, due diligence, encryption in transit and at rest, and monitoring

The security actors need to identify and understand the risks they face within their area of the enterprise and move to deploy countermeasures that are appropriate to address them.

The most important thing to ensure the relative success of these individual efforts is the ability to document and communicate effectively all the efforts being undertaken by area and platform.

In this way, as complete a picture as possible of the current state of risk within the enterprise is always available.

This risk inventory should be made available through some form of centrally managed enterprise content management platform that allows secure remote access when required.

It should also deploy a strong version control and change-management functionality so that the information is accurate and up to date at all times.

Access control needs to be integrated into this system as well to ensure that role- or job-based access can be granted as appropriate to users.

How to Monitor Risk in Cloud computing?

Risk Monitoring

Risk monitoring is the process of keeping track of identified risks.

It should be treated as an ongoing process and implemented throughout the system life cycle.

The mechanisms and approaches used to engage in risk monitoring can vary from system to system, based on a variety of variables.

The most important elements of a risk monitoring system include the ability to identify risk, the ability to classify or categorize the risk, and the ability to track the risk over time.

There are three purposes of the risk-monitoring component: 

  1. Determine the ongoing effectiveness of risk responses (consistent with the organizational risk frame)
  1. Identify risk-impacting changes to organizational information systems and the environments in which the systems operate
  1. Verify that planned risk responses are implemented and information security requirements derived from and traceable to organizational missions and business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied
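The following is an added example, not code from the original page, that ties together three of the passages above: the executive's cost-versus-benefit decision to accept a low-level risk, the residual risk that remains after countermeasures are applied, and the risk-monitoring requirement to track a risk over time and notice risk-impacting changes. It models each risk as an annualized loss expectancy (likelihood times impact), picks the cheapest of accept, mitigate, transfer, or avoid that keeps residual risk within an organizational tolerance, and re-assesses later. All risk names, likelihoods, impacts, costs, premiums, and the "each countermeasure removes a fraction of the likelihood" model are constructed assumptions of this example.

```python
"""Toy risk register (added example, not from the original page).
All figures below are constructed sample values; the effectiveness model
(each countermeasure removes a fraction of the likelihood) is an assumption."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import combinations
from typing import List, Optional, Tuple


class Response(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    TRANSFER = "transfer"
    MITIGATE = "mitigate"


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    effectiveness: float  # fraction of the likelihood it removes, 0..1 (assumed model)


@dataclass
class Risk:
    name: str
    likelihood: float                          # annual probability of the event, 0..1
    impact: float                              # loss if the event occurs, currency units
    transfer_premium: Optional[float] = None   # None: cannot be transferred (e.g. reputation)
    countermeasures: List[Countermeasure] = field(default_factory=list)
    history: List[Tuple[str, float]] = field(default_factory=list)  # (date, residual ALE)

    def inherent_ale(self) -> float:
        return self.likelihood * self.impact

    def residual_ale(self) -> float:
        """Risk left over after the countermeasures actually applied."""
        p = self.likelihood
        for cm in self.countermeasures:
            p *= 1.0 - cm.effectiveness
        return p * self.impact


def cheapest_mitigation(risk, tolerance, candidates):
    """Cheapest subset of candidates (residual ALE + annual cost) that brings the
    residual ALE within tolerance; None if no subset does."""
    best = None
    for n in range(1, len(candidates) + 1):
        for subset in combinations(candidates, n):
            p = risk.likelihood
            for cm in subset:
                p *= 1.0 - cm.effectiveness
            residual = p * risk.impact
            if residual > tolerance:
                continue
            total = residual + sum(cm.annual_cost for cm in subset)
            if best is None or total < best[0]:
                best = (total, list(subset))
    return best


def select_response(risk, tolerance, candidates):
    """Return (Response, expected annual cost, countermeasures to apply)."""
    options = []
    if risk.inherent_ale() <= tolerance:
        # Accepting costs the expected loss itself; the decision must still be documented.
        options.append((Response.ACCEPT, risk.inherent_ale(), []))
    mitigation = cheapest_mitigation(risk, tolerance, candidates)
    if mitigation is not None:
        options.append((Response.MITIGATE, mitigation[0], mitigation[1]))
    if risk.transfer_premium is not None:
        options.append((Response.TRANSFER, risk.transfer_premium, []))
    if not options:
        return Response.AVOID, None, []  # nothing fits tolerance: avoid the activity or escalate
    return min(options, key=lambda o: o[1])


def apply_response(risk, when, tolerance, candidates):
    response, cost, cms = select_response(risk, tolerance, candidates)
    if response is Response.MITIGATE:
        risk.countermeasures = cms
    risk.history.append((when, risk.residual_ale()))
    return response, cost


def reassess(risk, when, tolerance, likelihood=None, impact=None, change=0.25):
    """Monitoring step: update the estimate, record it, and return True when the risk
    now exceeds tolerance or its residual ALE moved by more than `change` (25%)."""
    if likelihood is not None:
        risk.likelihood = likelihood
    if impact is not None:
        risk.impact = impact
    previous = risk.history[-1][1] if risk.history else None
    current = risk.residual_ale()
    risk.history.append((when, current))
    if current > tolerance:
        return True
    return bool(previous) and abs(current - previous) / previous > change


TOLERANCE = 10_000.0  # constructed: the maximum ALE the organization will carry per risk
FIREWALL_IDS = Countermeasure("firewall + IDS/IPS", 15_000, 0.6)
ENCRYPTION = Countermeasure("encryption at rest and in transit", 8_000, 0.8)
SPARE_PRINTER = Countermeasure("spare printer", 3_000, 0.9)


def demo():
    # Low-level risk: mitigating (3,100/yr) costs more than the exposure (1,000/yr) -> accept.
    printer = Risk("office printer outage", 0.5, 2_000)
    # Insurable high-impact risk: both countermeasures together (31,000/yr) beat the premium.
    breach = Risk("customer database breach", 0.2, 500_000, transfer_premium=40_000)
    # Reputational fallout: not insurable and no countermeasure set fits tolerance -> avoid.
    reputation = Risk("reputational damage after a breach", 0.2, 2_000_000)
    plan = [(printer, [SPARE_PRINTER]), (breach, [FIREWALL_IDS, ENCRYPTION]),
            (reputation, [FIREWALL_IDS, ENCRYPTION])]
    results = {r.name: apply_response(r, "2024-01", TOLERANCE, cms)[0].value for r, cms in plan}
    # Six months later the breach likelihood is found to have risen: flag it for review.
    results["breach_needs_review"] = reassess(breach, "2024-07", TOLERANCE, likelihood=0.5)
    return results


if __name__ == "__main__":
    print(demo())
```

The `select_response` choice mirrors the executive's reasoning in the text: acceptance is only an option when the inherent exposure already sits within tolerance, and it wins only when it is cheaper than the alternatives. Transfer is modelled as unavailable for reputational risk, so the third sample risk falls through to avoidance, which in practice is an escalation to senior management rather than a silent decision.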
