Research Insights: CSA Report on Cloud Risk Assessment

In response to a new report by the Cloud Security Alliance (CSA) that found that fewer than 50 percent of organizations regularly assess their cloud risk status, experts at RiskLens and Cerberus Sentinel offer the following comments.

Nick Sanna, CEO, RiskLens

“Organizations will often run control or vulnerability assessments of cloud vendors or the cloud architecture and think they’ve conducted a risk assessment – they haven’t. True risk assessments measure not only possible deficiencies in cloud technical controls, but also the possible frequency and probable impact of cybersecurity events associated with these vulnerabilities. Most vulnerability or control assessments lack this business context, but true cyber risk quantification tools, as well as models like FAIR, help provide this context, help with prioritization, and give a true view of cloud risk and its impact to the business.”
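The distinction Sanna draws, between a control or vulnerability score and a risk estimate that carries frequency and impact, is easiest to see with numbers. The Python below is an added example, not code from the CSA report or from RiskLens: it ranks two constructed scenarios first by a CVSS-like severity score and then by a FAIR-style annualized loss (loss event frequency = threat event frequency times vulnerability; loss magnitude drawn from a triangular distribution). All figures (severity scores, frequencies, loss ranges) are assumptions made up for the illustration.

```python
"""FAIR-style cyber risk quantification versus a control/vulnerability score.

Added example, not from the CSA report or RiskLens. Every scenario figure
(severity score, frequencies, loss ranges) is constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    severity: float       # what a vulnerability/control scan reports (CVSS-like, 0-10)
    tef_per_year: float   # threat event frequency: attempts per year (assumed)
    vulnerability: float  # probability an attempt becomes a loss event (assumed)
    loss_min: float       # loss magnitude per event in USD, triangular (assumed)
    loss_mode: float
    loss_max: float


# Constructed scenarios: a "critical" finding on a low-value host and a
# "medium" misconfiguration in front of customer data.
SCENARIOS = [
    Scenario("unpatched internal test VM", 9.8, 2.0, 0.30, 5_000, 20_000, 50_000),
    Scenario("public storage bucket with customer records", 5.3, 1.0, 0.90,
             200_000, 800_000, 3_000_000),
]


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def annualized_loss(s: Scenario, trials: int = 20_000, seed: int = 7) -> float:
    """Mean annual loss over Monte Carlo trials.

    Loss event frequency (LEF) = TEF * vulnerability, as in FAIR. Each trial
    draws the number of loss events in one year from Poisson(LEF) and a
    triangular loss magnitude for each event. Seeded, so results repeat.
    """
    rng = random.Random(seed)
    lef = s.tef_per_year * s.vulnerability
    total = 0.0
    for _ in range(trials):
        for _ in range(poisson_sample(rng, lef)):
            total += rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
    return total / trials


def rank_by_severity(scenarios):
    """What a control/vulnerability assessment alone would prioritise."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.severity, reverse=True)]


def rank_by_quantified_risk(scenarios):
    """What a frequency-and-impact risk assessment prioritises."""
    return [s.name for s in sorted(scenarios, key=annualized_loss, reverse=True)]


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: severity {s.severity}, "
              f"expected annual loss ${annualized_loss(s):,.0f}")
    print("by severity:", rank_by_severity(SCENARIOS))
    print("by risk:    ", rank_by_quantified_risk(SCENARIOS))
```

The two rankings disagree: the 9.8-severity finding sits on a host whose compromise costs little and is rarely attempted, while the 5.3-severity misconfiguration fronts data whose loss is expensive and whose exploitation is near-certain once found. The analytic expected values (mean triangular loss times LEF) are about $15,000 and $1.2 million respectively, which the simulation reproduces to within sampling error.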

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel

“There can be a tendency in technology that anything that is radically different from the status quo is treated differently than existing operations, and ‘cloud’ versus ‘on prem’ definitely fits that bill. In some cases that can result in failure to map existing security review and monitoring processes that exist with legacy on-premises assets to their new cloud counterparts. The two biggest contributing factors are ignorance of the functionalities of the cloud platforms and responsibility assignment. We are a few years past the tsunami rush of organizations migrating to the cloud where footguns like storage buckets defaulting to public access routinely exposed vast amounts of private data, but that issue, along with unsecured databases, still reliably occurs. To their credit, most cloud providers have adopted more secure defaults, but the onus is still on the organizations hosting on them to ensure they fully understand the security capabilities and best practices to protect themselves and their customers. It also doesn’t help that every cloud vendor seems to use their own unique terminology for resources that don’t cleanly or easily map to other vendors. This can lead to confusion as well as disparity in the overall security if an organization is using multiple providers. Responsibility assignment is the other major area where organizations fall down in ensuring cloud platforms are secure. If the cloud migration is handled by a new team, or initially treated as just a test, organizations can often miss assigning responsibility for security and monitoring the new environment. This can lead to significant security issues once the cloud environment goes live or fully scales out.”
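Clements's two failure modes, storage buckets that were public by default and a "test" environment nobody owns, are the kind of thing a regular cloud risk assessment is meant to catch. The Python below is an added example, not code from the CSA report or from Cerberus Sentinel: it audits a constructed bucket inventory for public exposure, showing the legacy state (a public-read ACL with no public-access block) beside the hardened setting. Field names follow AWS S3's bucket ACL grants, bucket policy statements and PublicAccessBlock flags, but the inventory is made up and the evaluation is a deliberate simplification of S3's real semantics (the simplifications are noted in the code).

```python
"""Check constructed storage-bucket configurations for public exposure.

Added example, not from the CSA report or Cerberus Sentinel. Field names
mirror AWS S3 (ACL grantee URIs, bucket policy statements, PublicAccessBlock
flags); the inventory is constructed and the evaluation is simplified.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}

# The legacy "nothing configured" state versus the hardened setting.
NO_PUBLIC_ACCESS_BLOCK = {}
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def acl_is_public(acl_grants):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in acl_grants)


def policy_is_public(policy):
    """True if an Allow statement has a wildcard principal and no Condition.

    Assumption: any statement carrying a Condition is treated as scoped; real
    policies need condition analysis (e.g. aws:SourceVpce) before deciding.
    """
    for st in (policy or {}).get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


def exposure_reasons(bucket):
    """Return the reasons a bucket is reachable by the public (empty if none).

    Simplified semantics: IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy. The Block* flags
    only stop new public settings from being written, so they do not change
    the exposure of what is already configured.
    """
    pab = bucket.get("PublicAccessBlock", {})
    reasons = []
    if acl_is_public(bucket.get("Acl", [])) and not pab.get("IgnorePublicAcls"):
        reasons.append("public ACL grant not ignored")
    if policy_is_public(bucket.get("Policy")) and not pab.get("RestrictPublicBuckets"):
        reasons.append("public bucket policy not restricted")
    return reasons


def audit(inventory):
    """Map bucket name -> reasons, for the exposed buckets only."""
    findings = {}
    for bucket in inventory:
        reasons = exposure_reasons(bucket)
        if reasons:
            findings[bucket["Name"]] = reasons
    return findings


# Constructed inventory.
INVENTORY = [
    {  # legacy default: public-read ACL and nothing blocking it
        "Name": "legacy-exports",
        "Acl": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": None,
        "PublicAccessBlock": NO_PUBLIC_ACCESS_BLOCK,
    },
    {  # same ACL, but the hardened block setting makes it inert
        "Name": "legacy-exports-hardened",
        "Acl": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": None,
        "PublicAccessBlock": HARDENED_PUBLIC_ACCESS_BLOCK,
    },
    {  # a "temporary test" bucket whose policy was opened to the world;
       # only the ACL half of the block was ever configured
        "Name": "poc-data",
        "Acl": [],
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::poc-data/*"}]},
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True},
    },
    {  # private: owner-only ACL, policy scoped to one role
        "Name": "billing-private",
        "Acl": [{"Grantee": {"ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}],
        "Policy": {"Statement": [{"Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::billing-private/*"}]},
        "PublicAccessBlock": HARDENED_PUBLIC_ACCESS_BLOCK,
    },
]

if __name__ == "__main__":
    for name, reasons in audit(INVENTORY).items():
        print(f"EXPOSED {name}: {'; '.join(reasons)}")
```

The point of running something like this on a schedule, rather than once at migration, is the `poc-data` case: a half-configured block setting on a bucket created as a test is exactly the state an unowned environment drifts into, and it is only visible to whoever has been assigned to look.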