Cloud Risk Management Mod 5

The document discusses risks related to migrating IT operations and data to the cloud. It identifies several key risks cloud customers should assess when selecting a cloud vendor, including privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support, and long-term viability. It also provides guidance on assessing risks from both the perspective of cloud service providers and the systems and software being migrated to the cloud. Customers are advised to understand security risks and controls, ensure compliance, and properly assess their deployments through testing and vulnerability scanning.

Uploaded by Asmita Bhagdikar

Cloud Risk Management

The Cloud Migration

• Organizations of various sizes are increasingly interested in moving their IT operations and business to cloud services.
• This brings a wave of migration and deployment requirements that such organizations may have to meet.
• Cloud computing is picking up traction with businesses, but before you jump into the cloud, you should know the unique security risks it entails.
Risks of Migrating to Cloud

• Gartner has identified seven critical risks that cloud customers should raise with vendors before selecting a cloud vendor. The seven risks are:
• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support
• Long-term viability
Privileged User Access

• Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs.
• Get as much information as you can about the people who manage your data.
• Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.
Regulatory Compliance

• Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider.
• Traditional service providers are subjected to external audits and security certifications.
• Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions".
Data Location

• When you use the cloud, you probably won't know exactly where your data is hosted.
• In fact, you might not even know what country it will be stored in.
• Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.
Data Segregation

• Data in the cloud is typically in a shared environment alongside data from other customers.
• Encryption is effective but isn't a cure-all.
• Find out what is done to segregate data at rest.
• The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.
• Encryption accidents can make data totally unusable, and even normal encryption can complicate availability.
Recovery

• Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster.
• Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
• Ask your provider if it has the ability to do a complete restoration, and how long it will take.
Investigative Support

• Investigating inappropriate or illegal activity may be impossible in cloud computing.
• Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers.
• If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.
Long-term viability

• Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company.
• But you must be sure your data will remain available even after such an event.
• Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application.
Veracode - Findings

• More than half of all software failed to meet an acceptable level of security: 57 percent of all applications were found to have unacceptable application security quality.
• Third-party code is the culprit behind Operation, and makes up nearly 30 percent of all applications in an enterprise.
• Third-party suppliers failed to achieve acceptable security standards 81 percent of the time.
• Cloud/web applications show low levels of acceptable security.
• Analysis shows that the software quality of applications from the banking, insurance and financial services industries is not commensurate with the security requirements expected for business-critical applications.
• Cross-site scripting remains prevalent, accounting for 51 percent of all vulnerabilities uncovered in the testing process; .NET applications exhibited abnormally high cross-site scripting vulnerabilities.
Top Security Risks to Assess

• 1. Risk assessment from a cloud service provider perspective
• 2. Risk assessment from a systems and software perspective
Risk Assessment - Cloud Service Provider Perspective

• Loss of Governance - in using a specific cloud service, the customer cedes a lot of control to the cloud service provider (CSP) on a number of aspects and issues. Such higher dependency may affect security.
• Isolation Failure - This risk is attributed to the failure of mechanisms separating storage, memory, routing and even reputation between different tenants.
• Compliance Risks - Certifications based on industry standards or regulatory requirements may be put at risk by migration to the cloud: if the CSP cannot provide evidence of its own compliance, or if the CSP does not permit audit by a cloud customer.
• Management Interfaces in Public Clouds - Public cloud providers expose customers' access and management interfaces through the Internet, and these interfaces mediate access to a number of other resources. This poses an increased risk when combined with remote access and web browser vulnerabilities, should a compromise occur.
Risk Assessment - Cloud Service Provider Perspective

• Data Protection – Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for a customer to effectively check the data handling practices of the cloud provider. On the other hand, some cloud providers do publish information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the related data controls they have in place.
• Intercepting Data in Traffic - Cloud computing models typically have more data in transit between cloud infrastructure and remote systems. Most use of public, or even some private, clouds does not go through a secure, VPN-like connection environment. Sniffing, spoofing, man-in-the-middle and side-channel attacks should be considered as possible threat sources. Moreover, in some cases a cloud provider does not offer a confidentiality or non-disclosure clause, or these clauses are not sufficient to guarantee protection of the customer's secret information and 'know-how' that will circulate in the 'cloud'.
Risk Assessment - Cloud Service Provider Perspective

• Insecure/Incomplete Data Deletion - When a request to delete a cloud resource is made, as with most operating systems, it may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of the data are stored but are not accessible, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources on the cloud, this represents a higher risk than with dedicated computing systems.
Risk Assessment – System & Software Perspective

• Once you have selected a cloud service provider on which to deploy your software products or applications, the onus is on you to make sure that the risks associated with your IT deployment and the intended operations on the cloud pose a lower risk, or no risk, to your business.
Risk Assessment – System & Software Perspective

• Make the cloud deployment configuration secure – The cloud services provider (CSP) should provide you with all the information and processes for leveraging the cloud's security features and best practices. For example, Amazon provides exhaustive information in its document Amazon AWS – Overview of Security Processes.
• Plan to isolate your deployment(s) on the cloud – Plan your system for maximum security when deploying applications to the cloud, especially when you are deploying internet-facing applications. You can deploy a virtual server bound to a public IP address that serves as one of the interfaces of a standard firewall appliance. Your other software application interfaces can be placed on the network for your servers in the cloud. This allows you to define rules, services and policies for how public internet access is granted to resources in the cloud.
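As an added example (not from these slides or any vendor), a small Python audit of the isolation layout just described, run over a constructed deployment description: only the firewall interface may hold the public IP, and no rule reachable from the whole Internet may expose management ports or all traffic. The interface/rule schema, the management port list and the sample data are assumptions made for the example.

```python
from ipaddress import ip_network

# Assumed list of admin/management ports that must never be reachable from the whole Internet.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def is_world_open(cidr):
    """True if the source CIDR covers the entire IPv4 or IPv6 address space."""
    return str(ip_network(cidr, strict=False)) in ANYWHERE


def audit_interfaces(interfaces):
    """Return a list of (interface name, finding) tuples.

    Each interface is a dict (assumed schema) with keys: name, role
    ('firewall' or 'app'), public_ip (bool) and ingress, a list of
    (protocol, from_port, to_port, source_cidr) tuples."""
    findings = []
    for nic in interfaces:
        # Only the firewall appliance's outside interface may face the Internet.
        if nic["public_ip"] and nic["role"] != "firewall":
            findings.append((nic["name"], "public IP on non-firewall interface"))
        for proto, lo, hi, cidr in nic["ingress"]:
            if not is_world_open(cidr):
                continue  # Restricted source ranges are out of scope for this check.
            if proto == "-1" or (lo, hi) == (0, 65535):
                findings.append((nic["name"], f"all traffic allowed from {cidr}"))
                continue
            exposed = [f"{p}/{n}" for p, n in MANAGEMENT_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append((nic["name"], f"management port(s) open to {cidr}: {', '.join(exposed)}"))
    return findings


# Constructed sample deployment (not taken from any real account).
SAMPLE = [
    {"name": "fw-outside", "role": "firewall", "public_ip": True,
     "ingress": [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "203.0.113.0/24")]},
    {"name": "web-1", "role": "app", "public_ip": True,
     "ingress": [("tcp", 22, 22, "0.0.0.0/0"), ("tcp", 80, 80, "10.0.0.0/8")]},
    {"name": "db-1", "role": "app", "public_ip": False,
     "ingress": [("-1", 0, 65535, "::/0")]},
]

if __name__ == "__main__":
    for name, msg in audit_interfaces(SAMPLE):
        print(f"{name}: {msg}")
```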
Risk Assessment – System & Software Perspective

• Scan your application code for vulnerabilities – It is strongly suggested that you assess the risks of the application components and fix application-layer issues before they are deployed on the cloud. Veracode offers static and dynamic scanning for software application components (binaries).
• Conduct vulnerability scanning at the system and web application level – To detect security vulnerabilities, configure your cloud in the intended environment and use suitable VA test tools, such as those from vendors like Qualys or McAfee, to find the gaps and take suitable remediation such as applying patches, making changes to your web server configuration or changing firewall rules.
Risk Assessment – System & Software Perspective

• A sophisticated penetration test actually simulates the techniques used by hackers looking for vulnerabilities or loopholes and taking advantage of any such condition to target and attack.
• Penetration tests are not conducted frequently; vulnerability testing needs to be done on a regular basis.
• A PT needs to be done only when there is a major upgrade in the deployment.
• Companies like Veracode offer manual penetration testing, while companies like iViz offer sophisticated on-demand penetration testing.
Cloud Octagon Model

• The Cloud Octagon Model was developed to support your organization's risk assessment methodology.
• The model provides practical guidance and structure to all involved risk parties in order to keep up with rapid changes in privacy and data protection laws and regulations, and with changes in technology and its security implications.
• Reduce risk
• Improve effectiveness of the risk team
• Improve manageability of the solution
• Improve security
• The octagon model can be supplementary to an organization's existing risk assessment methodology. By applying it, risk assessments will be more complete and more accurate.
Cloud Octagon Model

The cloud octagon can be used to determine the cloud context and the risk associated with that context.
Cloud Octagon Model

• Step-1
• Classification of data aided in ensuring the following controls were in place:
• Encryption of critical data in transit
• Agreements on key ownership and management
• Logical access control to restrict access to data
• Identity and access management governance
• Ownership of data

• Step-2
• Evaluating the cloud service model, cloud deployment model and the presence of subservice providers aided in ensuring the following controls were in place:
• Obtaining assurance throughout the chain of providers
• Awareness of shared responsibilities between three different parties
• Awareness of and mitigation in place for malicious insiders
• Evaluation of the lock-in risk
• Due diligence
Cloud Octagon Model

• Step-3
• Making procurement part of the risk assessment methodology for cloud ensured:
• Right to audit for the bank and the regulator
• Permission to conduct penetration testing
• Early risk identification and mitigation

• Step-4
• Consideration of diverse geographical locations in the risk assessment methodology ensures that:
• Data cannot be transferred to another country without consent
• Data in motion shall be protected
• Compliance with laws and regulations in multiple countries
Cloud Octagon Model

• Step-5
• The start-up company was subjected to a full risk assessment in order to determine whether there was a gap between the requirements set by the bank (and its regulators) and the procedures and standards of the start-up and its subservice provider. Doing so resulted in the following:
• Agreements on roles and responsibilities between the bank and the start-up were described in the contract
• Agreements on IT operating procedures including, but not limited to, access control, change management, patch management, logging and monitoring, incident response, back-up and disaster recovery, and data deletion upon contract termination
• Implementing/applying the aspects of the octagon model allows identification of the context or profile of a cloud change. And since projects do not usually know from the beginning exactly which providers and services they are going to use, this process can be repeated in multiple workshops during the cloud journey.
Cloud Controls Matrix (CCM)

• The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
• The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in thirteen domains.
• The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for service organization control report attestations provided by cloud providers.
Octagon Model and CCM

• By using the octagon model in combination with the CCM, you can do more with the information provided by the CSA.
• Doing so makes the risk assessment more complete.
• In addition, linking controls from the CCM to octagon topics like procurement or data classification makes the risk assessment more accurate.
• Other instruments from the CSA that can be used for risk assessment include the following:
• The Consensus Assessments Initiative Questionnaire (CAIQ): based upon the CCM, the CAIQ provides a set of Yes/No/NA questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain compliance with the CCM and CSA best practices.