MarketBite

In keeping with this theme,  cloud computing risk assessments involve these 10 categories:

1.      Effectiveness of controls

Evaluate if the current controls provide adequate protections for the data or service the company is considering hosting in the cloud.  For example, is the separation of duties for cloud provider employees appropriate and does it limit the number with access to confidential data?

2.      Auditing and oversight

Evaluate the cloud provider’s current auditing  and how oversight of administrative changes is accomplished.  For example, ask for a change-control log where changes were tested and approved by appropriate management personnel.

3.      Technical security architecture

Evaluate current technical architecture including firewalls, VPNs, patching, intrusion prevention and network segregation.  This evaluation could also include programming languages and Web application frameworks.  Can the environment match business security requirements?

4.      Data integrity

Investigate how the cloud computing vendor keeps each customer’s data separate while utilizing the same hardware.  Does this separation match business security or compliance requirements?

5.      Data encryption

Investigate how the cloud computing provider implements encryption for both data-in-transit as well as data-at-rest.  Most providers will utilize encryption for data-in-transit, but may not have a capability for encrypting data-at-rest.  Do the provider’s encryption practices match business security or compliance requirements?

6.      Operations security

Review the disaster recovery and business continuity plans for the cloud service provider.  Do they provide adequate protection for business needs?  How often are the plans tested?  Does the data center provide enough redundancy for business needs?

7.      Standardized procedures

Evaluate the standard procedures that the cloud services provider utilizes in its operations.  An example would be the offsite tape backup procedure or the background pre-employment screening procedure.  Another important procedure to document is how the interests of the customer will be represented during a legal investigation or subpoena request.

8.      Business stability

Evaluate the current financial condition and history of the cloud computing provider.  It might be necessary to utilize other company resources to assist in this evaluation.  It’s easy to find information on publicly traded companies, but private companies may require more investigation.

9.      Intellectual property

Investigate potential issues with the cloud computing provider hosting business data.  This will include ownership, return and deletion of the data after the contract expires.

10.  Contractual language

Review the proposed contract with legal representation.  All of the controls documented in the previous nine audit categories listed above should match the contractual language in order to be meaningful.  Require that any deviation from these agreed-upon information security protections be communicated with the business and specify penalties associated with non-compliance.

The relevance can be recorded on the same 1-5 scale with five being the most important or relevant to the cloud computing solution being provided. A weighted score for each category can then be calculated by multiplying the relevance score by the risk score. An average of all of the category scores can then be generated to represent a single value that can be easily communicated to management.

The following table demonstrates what the final results of this process would look like for a typical business critical application: