Jakob Holm Hansen
11 Aug 2013

How to assess your business risks when going cloud

Cloud computing promises many benefits. Cost reductions, improved efficiency and improved security are what many companies can gain from moving into the cloud.

As with a traditional IT outsourcing venture, there are also many threats, so you might want to perform an IT risk assessment before you go to the cloud. You'll need to decide what data and applications to move to the cloud, what type of cloud service fits your purpose, and of course assess the vendor you are considering.

Cloud security is different depending on whether you want to jump into the cloud with a Software as a Service, Platform as a Service or Infrastructure as a Service solution (SaaS, PaaS, IaaS). As an IaaS customer, you will often have more operational security responsibilities compared to SaaS, where you basically subscribe to the security services offered by your cloud provider.

Use a threat-based methodology

Regardless of which type of cloud service you choose, you'll need to have an information security risk management process in place. This process should be based on a best practice methodology. I recommend you check out the ISO 27005 standard; it is a threat-based methodology that provides guidelines for information security risk management.

An alternative to the threat-based approach is the control-based approach. The risk management professionals in our team find that the threat-based approach offers a more accurate risk picture, because in the assessment process you decide which threats cause business risks that need to be managed. In contrast, the control-based approach can yield a list of controls that may or may not deliver business value.

ISO 27001 and ISO 27005 alignment

As an added bonus of following the ISO 27005 methodology, you will be on your way to compliance with the risk management requirements of ISO 27001.

The Cloud Security Alliance has compiled a list of the biggest threats to cloud security, which will help you assess potential cloud service providers.

Assess the potential impact to your business

ISO 27005 suggests you perform a Business Impact Analysis (BIA), and that's also good advice before moving to the cloud. You will have to identify your critical and non-critical business processes. 'Critical processes' can be defined as those whose disruption would be unacceptable to your business.

Assess vulnerability or incident likelihood

Vulnerability assessments are also an ISO 27005 recommendation. These can be time-consuming to conduct, but luckily there are resources that can help. The Cloud Security Alliance (again) has a STAR registry that documents the security controls provided by various cloud-computing providers. All the providers in the registry have carried out self-assessments based on a control matrix from CSA. The STAR Registry is published on the Cloud Security Alliance website.

Instead of vulnerability assessments, you may find it faster to assess the likelihood of security incidents at your provider. Some organisations use the provider's past performance as an indicator when assessing incident likelihood.

Combining BIA and likelihood into risks

When you know the business impact of an incident, and you know incident likelihood, you can calculate your risk level, and then decide if it's acceptable to your business or not. The risk treatment process of ISO 27005 suggests four treatment options:

  1. Accept Risk
  2. Avoid Risk
  3. Reduce Risk
  4. Share Risk (in the past referred to as "Transfer Risk")
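As an added example (my own code, not the post's own method or the author's GRC product): a small Python risk register that combines a BIA impact score with an incident likelihood score, compares the result with an acceptance threshold, and works out the residual level after each of the four treatment options. The 1..5 scales, the product formula, the threshold of 8 and the sample scenarios are assumptions; ISO 27005 leaves the scales and acceptance criteria to the organisation.

```python
from dataclasses import dataclass

# Added example (not from the post). Assumed 1..5 scales, level = impact * likelihood.
SCALE = range(1, 6)
TREATMENTS = ("Accept", "Avoid", "Reduce", "Share")

@dataclass
class CloudRisk:
    scenario: str
    service_model: str   # SaaS, PaaS or IaaS
    impact: int          # from the BIA: 5 = disruption unacceptable to the business
    likelihood: int      # from a STAR self-assessment review or past provider performance

def risk_level(impact: int, likelihood: int) -> int:
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be scored 1..5")
    return impact * likelihood

def residual_level(risk: CloudRisk, treatment: str,
                   impact_after=None, likelihood_after=None) -> int:
    """Residual level after one ISO 27005 treatment option. Accept: unchanged.
    Avoid: activity not performed, nothing remains. Reduce: controls lower impact
    and/or likelihood. Share: contract, SLA or insurance lowers impact only."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    current = risk_level(risk.impact, risk.likelihood)
    if treatment == "Accept":
        return current
    if treatment == "Avoid":
        return 0
    impact = risk.impact if impact_after is None else impact_after
    likelihood = risk.likelihood if likelihood_after is None else likelihood_after
    if treatment == "Share" and likelihood != risk.likelihood:
        raise ValueError("sharing a risk does not change incident likelihood")
    after = risk_level(impact, likelihood)
    if after >= current:
        raise ValueError(f"{treatment} must lower the risk level")
    return after

def build_register(risks, accept_below: int = 8):
    """(scenario, level, acceptable) rows; the acceptance threshold is a business decision."""
    rows = [(r.scenario, risk_level(r.impact, r.likelihood)) for r in risks]
    return [(name, lvl, lvl < accept_below) for name, lvl in rows]

# Constructed sample scenarios for moving an order-processing application to SaaS.
SAMPLE = [
    CloudRisk("Provider outage halts order processing", "SaaS", 5, 2),
    CloudRisk("Customer data exposed by provider breach", "SaaS", 5, 3),
    CloudRisk("Internal wiki unavailable for a day", "SaaS", 1, 3),
]
```

Run `build_register(SAMPLE)` to see which scenarios exceed the threshold, then `residual_level(...)` to check whether a proposed treatment actually brings a risk down to an acceptable level.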

PS! The ISO 27001/2 standards are recognised and widely implemented worldwide for good reason. That is why we designed our GRC platform to provide you with risk management tools based on the ISO 27005 and ISO 27001 standards. Here's how we can help your cloud security risk management:

  • It helps you manage your business impact assessments
  • It helps you manage vulnerability or probability assessments in relation to your cloud provider
  • It helps you calculate, evaluate and report your risks
  • It helps you treat your risks.