Putting Cloud Security Risks in Their Proper Perspective
This is part 2 of a 4-part series called Breaking the Barrier to SaaS Implementation. This blog series explores best practices in vetting SaaS vendors to ensure data protection and streamlined workflows throughout product design, manufacturing, and lifecycle support.
No organization, in any industry, can ever be completely, 100 percent free of the risk of a security breach. Every organization has methods to identify, classify, and manage the risks it faces, whether those processes are immature and ad hoc or highly mature and systematic. It is actually human nature to perform risk management on an almost continuous basis. We do this automatically in our daily lives to avoid or manage everything from minor issues to situations that could affect our very survival, such as remembering to put gas in the car when it's getting low or deciding whether to wear a helmet when riding a motorcycle.
Unfortunately, it is also human nature to weigh different types of risk differently. Bruce Schneier, a well-known author and technologist in the security community, has written extensively on our propensity to fear hyped yet uncommon risks, such as snakes or an airplane crash, while discounting far more common ones. When it comes to the security of cloud technologies, many organizations approach risk the same way.
In this blog, I will help you put security risks, and cloud security risks in particular, in their proper perspective. Whether you're a decision-maker or an influencer, you can begin to arm yourself to have rational, business-focused discussions on the use of cloud technologies in your organization.
CLOUD SECURITY AND HUMAN NATURE
For the past few years, I have had many discussions (often with my security peers) in which the use of cloud technologies is disparaged almost automatically. Whether it's concern over loss of control, misconceptions about the comparative strength of internal security programs versus that of reputable cloud providers, or excuses born of compliance requirements, the default position for too many organizations is that cloud technologies are insecure. As I indicated in my last blog, I believe this to be patently false, but simply saying so is insufficient to sway most opinions. While the concerns I mentioned above tend to come up in conversation, the underlying, mostly hidden aversion to the cloud comes from how we are wired as humans to assess risk.
As I'd like to keep this to a fairly short blog article rather than an in-depth psychological paper, I am going to focus on only two aspects of real versus perceived risk. Together they form a loop that makes it difficult to move from a position of cloud security alarm to one of cloud security confidence:
- We have trouble understanding risk for anything that isn’t similar to what we are used to.
- We underestimate the risks we take ourselves and overestimate the risks that are forced upon us. (For a lengthier discourse on these factors, see Schneier's blog post or his book Beyond Fear. You can also reference any number of studies; here is one in particular that I like.)
A CHALLENGE TO TRADITIONAL SECURITY MODELS
Security leaders have spent their careers developing, selling, supporting, and defending security efforts, initiatives, strategies, and programs. They have stood in front of peers, executives, and boards of directors to justify the things they are doing. Part of what they have “sold” is control, and as a result of control, confidence. In many ways, a model or system has been built, communicated, understood, and accepted.
Cloud technologies break the model and, as a result, that confidence. There is one key question at play: do both your security/IT/compliance team and the business decision-makers in your organization understand and accept the viability of cloud technologies? Sometimes you have both, sometimes you have one or the other, and sometimes you have neither. Where all parties don't "get there" immediately, or at least open themselves to the opportunity, the two risk factors I mentioned above intrude.
Since cloud computing goes against much of what security and IT teams have built, understood, and communicated in the past, companies don't understand the true risks these technologies present. They either overestimate the risk or dismiss it out of hand. And if the use of cloud is thrust upon a company (say, by decision-makers looking for ways to increase speed to market, performance, and efficiency), IT and security teams tend to overestimate the risks because it wasn't their idea, or because it's a risk that in some (or many) ways they are forced to accept or deal with. In this case, IT and security leaders may be faced with selling or supporting the use of cloud to the same Board of Directors they've been educating for the past three or four years.
In simple terms: it's not easy. The two risk factors make it difficult to open the door to spending the time and effort necessary to understand the real risks of cloud computing, compare them against the risks that already exist in the organization, and help decision-makers make valid business decisions.
6 STEPS TO TRULY UNDERSTANDING CLOUD RISKS
So, how do we get past the dilemma? I have always said that the heart of risk management is understanding the risks you are managing. And what does it mean to understand the risks? It means understanding the:
- Data your organization will be using in the cloud system. This includes understanding the value or classification of the data to the organization.
- Inherent risks presented by the cloud system to that data, the organization, and other stakeholders. Your level of effort here depends on the data classification.
- Controls and product features provided by the cloud system.
- Controls your organization can employ to supplement the cloud system’s security. We are used to certain capabilities—a certain model of how we protect systems and data. How do you replicate or approximate that model in the cloud? Using cloud technologies doesn’t mean everything you’re used to goes away. It just means it might look different.
- Current residual risks to the data to be used in the cloud system, compared against the risks associated with cloud usage. Many times, cloud technologies are avoided because of identified or perceived risks when even higher risks to that same data already exist from other systems or use cases in the organization's environment.
- Business value provided by the cloud system. What does it do for the organization? Is the business value to the organization high enough that the residual risks are worth accepting? Thinking about risks in this way results in business decisions rather than security decisions.
By going through these steps, your company can start to have factual discussions about the risks of cloud technologies, allowing you to get past irrational, human thinking about risks you don’t understand. Ultimately, of course, your goal should be to use solid, factual information to make good business decisions.
As part of this process, organizations need to closely evaluate the security measures a potential cloud provider takes in building and maintaining its solutions. Luckily, there are ways to make the vetting process easier, which I will discuss in my next blog.