How to Assess Risk in the Cloud


To properly assess risk in the cloud, organizations should extend their existing internal risk assessment processes to cover their cloud deployments rather than treating cloud workloads as outside the scope of those processes.

Additionally, organizations should consider using a risk assessment framework, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The CCM consists of 16 domains (in version 3.0.1, the version described here; the later version 4 reorganizes the controls into 17 domains) that describe cloud security principles and best practices to help organizations assess the overall security risk of a cloud provider. The 16 domains are as follows:

  • Application and interface security
  • Audit assurance and compliance
  • Business continuity management and operational resilience
  • Change control and configuration management
  • Data security and information lifecycle management
  • Data center security
  • Encryption and key management
  • Governance and risk management
  • Human resources
  • Identity and access management
  • Infrastructure and virtualization security
  • Interoperability and portability
  • Mobile security
  • Security incident management, e-discovery, and cloud forensics
  • Supply chain management, transparency, and accountability
  • Threat and vulnerability management

The CCM also maps individual cloud controls to relevant data protection and information security regulations and standards, such as the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC 2) reports, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), International Organization for Standardization (ISO) 27001/27002/27017/27018, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and many more. The Consensus Assessments Initiative Questionnaire (CAIQ) is a questionnaire of nearly 300 yes/no questions spanning all 16 CCM domains that you can use to assess the risk of your own organization and of your cloud providers. Many providers publish their completed CAIQ in the CSA Security, Trust, Assurance and Risk (STAR) registry, so check there before sending the questionnaire to a provider yourself. Go to https://cloudsecurityalliance.org to download a free copy of the questionnaire.