Through our many risk assessments of cloud services, there are a few practical tips you may find useful in selecting the right cloud services.
I. Do the risk assessment early. On a number of occasions a cloud service has advanced to pilot stage before any risk assessment. The assessment then identifies key risks which require remediation or mitigation, and the result is either a severe impact on the rollout plan or the project being abandoned.
II. Data classification. Make sure the business understands the need to classify the data and/or business process, so that the appropriate security controls are understood and implemented by the cloud provider.
III. Service availability. Ensure the cloud provider’s service recovery plan aligns with business expectations. It might be nice that a cloud provider offers a fee credit for an outage, but this may be irrelevant compared with a commitment to restoring service within a defined time period.
IV. Incident management. The company’s information security policies and procedures define the responsibilities, actions and reporting requirements in the event of an incident. The shift to the cloud blurs the responsibilities between the company and the cloud provider. The service level agreement needs to reflect a clear understanding of who is responsible for taking action in relation to a security incident, and of the reporting protocols.
V. IaaS preferred providers. Perform a risk assessment on a select group of IaaS providers. Initially this can be achieved by a self-assessment questionnaire, a security review, or confirmation of their compliance with industry standards or a risk management framework. Once assessed, the company has a baseline rating for providers it can recommend to business units, depending on the technical controls and how they map to data integrity, availability and confidentiality needs.
VI. Compliance requirements. The business unit considering a cloud deployment must clearly understand the company’s own security compliance requirements and risk appetite. These need to be conveyed to the cloud provider so it can accommodate the appropriate level of risk assessments and audits. Cloud providers can be considerably reluctant, after deployment, to allow testing of their applications and infrastructure if this has not been agreed upfront.
VII. PaaS and SaaS services. Make sure data integrity, availability and confidentiality requirements are agreed. Where possible, have these services deployed on one of the preferred IaaS suppliers’ platforms.
VIII. Impact of an outage. The increased interdependence of cloud and on-premises data should not be underestimated. The impact an incident or outage of a cloud service would have on the company’s overall operation needs to be quantified and reflected in the corporate risk register.
IX. Cloud assessment document. Develop a cloud computing security assessment document based on the ASD document “Cloud Computing Security Considerations” and apply appropriate risk ratings. Potential cloud providers can complete this assessment document early in a project lifecycle, avoiding unnecessary waste of time or resources on a solution which is not going to match the company’s risk profile.
Business Development Manager, Government & Commercial