Risk Management
What is Risk Management in Cloud Computing?
Before learning risk management, let us take a glance at cloud computing. Cloud computing is a technology that allows its users to access resources such as storage, memory, network and computing; these resources are physically present at some geographical location, but can be accessed over the internet from anywhere on the globe. This advancement in technology has revolutionised the working of businesses and organisations. More and more organisations are investing in cloud deployment infrastructure rather than on-premise infrastructure. This shift in technology introduces new risks associated with cloud computing, which need to be treated with foresight. To manage these risks, organisations implement risk management plans. Risk management is the process of identifying, assessing, and controlling threats to an organisation's system security, capital and resources. Effective risk management means attempting to control future outcomes proactively rather than reactively. In the context of cloud computing, risk management plans are curated to deal with the risks or threats associated with cloud security. Every business and organisation faces the risk of unexpected, harmful events that can cost it capital or cause it to close permanently. Risk management allows organisations to prevent and mitigate threats, service disruptions, attacks or compromises by quantifying the risks and keeping them below the threshold of the acceptable level of risk.
Process of Risk Management
Risk management is a cyclically executed process comprising a set of activities for overseeing and controlling risks. It follows a series of 5 steps to manage risk, which drive organisations to formulate a better strategy for tackling upcoming risks. These steps are referred to as the Risk Management Process and are as follows:
Identify the risk
Analyze the risk
Evaluate the risk
Treat the risk
Monitor or Review the risk
Now, let us briefly understand each step of the risk management process in cloud computing.
1. Identify the risk - The risk management process starts with the identification of the risks that may negatively influence an organisation's strategy or compromise cloud system security. Operational, performance, security, and privacy requirements are identified. The organisation should uncover, recognise and describe risks that might affect the working environment. Some risks in cloud computing include cloud vendor risks, operational risks, legal risks, and attacker risks.
2. Analyze the risk - After the identification of the risk, the scope of the risk is analyzed. The likelihood and the consequences of the risks are determined. In cloud computing, the likelihood is determined as a function of the threats to the system, the vulnerabilities, and the consequences of these vulnerabilities being exploited. In the analysis phase, the organisation develops an understanding of the nature of each risk and its potential to affect organisational goals and objectives.
3. Evaluate the risk - The risks are further ranked based on the severity of the impact they would have on information security and the probability of their materialising. The organisation then decides whether each risk is acceptable or serious enough to call for treatment.
4. Treat the risk - In this step, the highest-ranked risks are treated: eliminated, or modified to bring them to an acceptable level. Risk mitigation strategies and preventive plans are set out to minimise the probability of negative risks and enhance opportunities. Security controls are implemented in the cloud system and assessed by proper assessment procedures to determine whether they are effective in producing the desired outcome.
5. Monitor or Review the risk - The security controls in the cloud infrastructure are monitored on a regular basis, including assessing control effectiveness and documenting changes to the system and the working environment. Part of the mitigation plan includes following up on risks to continuously monitor and track new and existing risks.
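A constructed walk through the five steps on a small risk register, as an added example that is not part of the original article: the 1-5 scales, the floor-average likelihood rule, the acceptable-risk threshold of 8, the sample risks and the treatment plan are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

ACCEPTABLE = 8  # assumed acceptable-risk threshold on the 1..25 score scale

@dataclass
class Risk:
    name: str
    threat: int         # 1-5: capability and activity of the threat source
    vulnerability: int  # 1-5: how exposed the cloud system is to that threat
    impact: int         # 1-5: consequence if the vulnerability is exploited
    controls: list = field(default_factory=list)

    def likelihood(self) -> int:
        # Step 2 (analyze): likelihood from threat and vulnerability (floor average, an assumed rule)
        return max(1, (self.threat + self.vulnerability) // 2)

    def score(self) -> int:
        # Step 3 (evaluate): probability of materialising times severity of impact
        return self.likelihood() * self.impact

def identify() -> list:
    # Step 1: constructed register built from the risk types named in the article
    return [
        Risk("Misconfigured storage exposes customer data", 4, 4, 5),
        Risk("Account hijacking via reused passwords", 5, 3, 4),
        Risk("Connectivity loss at the provider", 3, 3, 5),
        Risk("Vendor lock-in on migration", 2, 2, 2),
    ]

def treat(risk: Risk, control: str, vuln_cut: int = 0, impact_cut: int = 0) -> int:
    # Step 4: a control lowers exposure and/or consequence (never below 1); returns the residual score
    risk.controls.append(control)
    risk.vulnerability = max(1, risk.vulnerability - vuln_cut)
    risk.impact = max(1, risk.impact - impact_cut)
    return risk.score()

# Constructed treatment plan: risk name -> (control, vulnerability cut, impact cut)
TREATMENTS = {
    "Misconfigured storage exposes customer data": ("config baseline, scanning, encryption at rest", 3, 2),
    "Account hijacking via reused passwords": ("MFA, password policy, least privilege", 2, 2),
    "Connectivity loss at the provider": ("redundant servers in a second region", 1, 0),
}

def run_cycle(threshold: int = ACCEPTABLE) -> list:
    # Steps 1-5: identify, rank, treat what is above the threshold, then review the residual risks
    risks = sorted(identify(), key=lambda r: r.score(), reverse=True)
    for r in risks:
        if r.score() > threshold and r.name in TREATMENTS:
            treat(r, *TREATMENTS[r.name])
    return [r.name for r in sorted(risks, key=lambda r: r.score(), reverse=True) if r.score() > threshold]
```

The residual list returned by `run_cycle()` is what step 5 keeps monitoring; a risk that stays above the threshold after treatment needs either a stronger control or an explicit acceptance decision.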
Types of Risks in Cloud Computing
This section covers the primary risks associated with cloud computing.
1. Data Breach - A data breach is unauthorized access to the confidential data of the organisation by a third party such as an attacker. In cloud computing, the organisation's data is stored off-premises, at the endpoint of the cloud service provider (CSP). Thus any attack targeting data stored on the CSP's servers may affect all of its customers.
2. Cloud Vendor Security Risk - Every organisation consumes services offered by different cloud vendors. A vendor's inability to provide data security and risk mitigation directly affects the organisation's business plan and growth. Also, migrating from one vendor to another is difficult due to the different interfaces and services provided by these cloud vendors.
3. Availability - Any loss of internet connectivity disrupts the cloud provider's services, making them inoperative. It can happen at either the user's or the cloud service provider's end. An effective risk management plan should focus on the availability of services by creating redundancy in cloud servers, such that other servers can provide those services if one fails.
Apart from these risks, cloud computing carries various security risks, grouped into 2 main categories.
Internal Security Risks
External Security Risks
Internal Security Risks
Internal security risks in cloud computing include the challenges that arise due to mismanagement by the organisation or the cloud service provider. Some internal security risks include:
Misconfiguration of settings – Misconfiguration of cloud security settings, either by the organisation's workforce or by the cloud service provider, exposes the organisation to the risk of a data breach. In most small businesses, cloud security and risk management are inadequate for protecting their cloud infrastructure.
Malicious Insiders – A malicious insider is a person working in the organisation who therefore already has authorized access to the organisation's confidential data and resources. With cloud deployments, organisations lack control over the underlying infrastructure, which makes it very hard to detect malicious insiders.
External Security Risks
External security risks are threats to an organisation arising from the improper handling of resources by its users and from targeted attacks by hackers. Some of the external security risks include:
Unauthorized Access – The cloud-based deployment of the organisation's infrastructure sits outside the network perimeter and is directly accessible from the public internet. Therefore, it is easier for an attacker holding compromised credentials to gain unauthorized access to the servers.
Account Hijacking – The use of a weak or reused password allows attackers to gain control over multiple accounts using a single stolen password. Moreover, organisations using cloud infrastructure often cannot identify and respond to such threats.
Insecure APIs – The Application Programming Interfaces (APIs) provided by the cloud service provider to the user are well-documented for ease of use. A potential attacker might use this documentation to attack the organisation's data and resources.
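As an added example (not from the original article) of how an organisation can identify the account-hijacking scenario described above, this detection logic runs over a constructed sample of sign-in events and flags a source that successfully signs in to several distinct accounts within a short window; the log format, the 10-minute window and the three-account threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of cloud console sign-in events (not real log data):
# timestamp, account, source address, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 203.0.113.7 SUCCESS
2024-05-01T10:00:09Z bob 203.0.113.7 SUCCESS
2024-05-01T10:00:15Z carol 203.0.113.7 FAILURE
2024-05-01T10:00:20Z dave 203.0.113.7 SUCCESS
2024-05-01T10:00:31Z erin 203.0.113.7 SUCCESS
2024-05-01T10:05:00Z frank 198.51.100.2 SUCCESS
2024-05-01T11:30:00Z grace 198.51.100.2 SUCCESS
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

def parse(log: str) -> list:
    # Turn raw lines into (time, account, source, outcome); malformed lines are skipped, not fatal
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m[2], m[3], m[4]))
    return events

def shared_credential_sources(events: list, window: timedelta = timedelta(minutes=10),
                              min_accounts: int = 3) -> dict:
    # Hijack indicator (assumed): one source successfully signs in to min_accounts or more
    # distinct accounts inside a sliding time window. Returns {source: sorted accounts}.
    by_src = defaultdict(list)
    for ts, account, src, outcome in sorted(events):
        if outcome == "SUCCESS":  # failures alone are noise for this indicator
            by_src[src].append((ts, account))
    alerts = {}
    for src, hits in by_src.items():
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:  # slide the window start forward
                lo += 1
            accounts = {acct for _, acct in hits[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = sorted(accounts)
    return alerts
```

On the sample, only 203.0.113.7 is flagged: it reaches four distinct accounts in 30 seconds, while 198.51.100.2 touches two accounts 85 minutes apart and stays below both thresholds.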