Risk Management in the Cloud Adoption Journey

By Dr. Patrick  Appiah-Kubi, Program Director & Associate Professor, Cloud Computing, Cybersecurity  & Networking, University of Maryland Global Campus

Cloud computing is booming, and companies are taking advantage of the opportunity to migrate to the cloud. Companies that have migrated to the cloud have seen increased productivity, innovation, agility, and resiliency. It’s almost impossible to find a company that doesn’t rely at least partially on the cloud for service delivery these days. According to hostingtribunal.com[1], 80% of organizations are expected to migrate to the cloud by 2025, and the global cloud computing market is expected to be over $1Billion by 2026. A survey conducted by flexera.com[2], indicates that companies continue to embrace multi-cloud and hybrid cloud strategies and this trend is expected to increase in the wake of the COVID-19 pandemic. The survey data showed that 90% of organizations expect cloud usage to exceed previous plans due to COVID-19.

In the wake of the COVID-19 pandemic, virtually all organizations and government agencies were forced to work remotely. Most of these companies were ill-prepared for the remote work situations and as such, had not implemented a cloud adoption strategy for a smooth transition to remote working. Some had to come up with makeshift strategies to keep their organizations afloat.  Others had to go out of business completely or shut down temporarily because they had no way of transitioning to remote working. Most of these makeshift strategies, because of their swift and ill-planned implementation, came with their own risk. All these factors have been an eye opener for organizations and the realization of the need for cloud-based services. As such, companies expect to increase their cloud usage and cloud spending over the next few years.

The transition to the cloud requires strategic planning and proper risk management strategies. Risk management can be a holistic activity that is fully integrated into every aspect of an organization. Companies are faced with different types of risks such as program management, investment, budget, legal liability, safety, inventory, security etc. The specific risk associated with the cloud is a business case, data ownership, data security, sovereignty, and assurance. These risk factors can impact an organization’s successful implementation of a cloud solution. Therefore, it is imperative for organizations to consider risk as a major factor for the success of the organization, especially when migrating to the cloud. Cloud-based information systems are exposed to diverse threats that can impede the success of an organization, if not well planned and managed.

Managing risk in a cloud deployment requires a holistic process that will affect every aspect of the deployment process. This process starts from planning, designing and through all the system development life cycle, right to security controls, monitoring and maintenance. A detailed view of a typical cloud risk management framework should include, strategy and business case, business requirements, compliance, legal contract terms and SLAs, asset and data governance, information and data management, continuity and resiliency, technology and service provider governance, service orchestration and interoperability and IT operations management.

NIST[3] defines a more refined and standardized risk management framework (NIST SP 800-37 Rev. 1) that provides guidance and best practices for organizations to follow in managing risk in the cloud. The framework provides a six-step approach as follows, categorize, select, implement, assess, authorize, and monitor. Successful implementation of such a framework should be a shared responsibility among all cloud deployment actors. Table 1 below details the steps in implementing an effective risk management strategy for cloud deployment.

Risk assessment (analyze cloud environment to identify potential vulnerabilities and shortcomings)  Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on a system impact analysis. Identify operational, performance, security, and privacy requirements.

Step 2: Select, based on the security categorization, the initial set of security controls for the information system (referred to as baseline security controls). Then, tailor and supplement the baseline security controls set based on the organizational assessment of risk and the conditions of the operational environment. Develop a strategy for the continuous monitoring of security control effectiveness. Document all the controls in the security plan. Review and approve the security plan.
Risk treatment (design mitigation policies and plans)  Step 3: Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

Step 4: Assess the security controls using appropriate assessment procedures as documented in the assessment plan. The assessment determines if the controls are implemented correctly and if they are effective in producing the desired outcome.

Step 5: Authorize information system operation based on the determined risk resulting from the operation of the information system and the decision that this risk is acceptable. The assessment is performed considering the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations
Risk control (risk monitoring surveying, reviewing events, identifying policy adjustments)Step 6: Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of these changes, and reporting the security state of the system to designated organizational officials.
Table 1: Risk management activities and risk management framework steps.
(NIST SP 800-37 Rev1)3

NIST further defines additional risk management processes for cloud consumers and cloud providers. Cloud providers develop the cloud architectures and build cloud services that incorporate core functionalities, operations, security, and privacy controls. Cloud consumers must have the flexibility to select their security and privacy options and must have a high degree of control over their data and resources. The federal government established the federal risk and authorization management program (FedRAMP)[1] as a cost-effective and risk-based approach for the adoption of cloud services by federal agencies. FedRAMP authorizes government agencies to take advantage of cloud services with security and protection at the highest priority.

In conclusion, companies should do the due diligence before migrating to the cloud. Utilizing the cloud assumes a certain degree of risk that can be detrimental to the organization if not managed properly. Organizations should develop well-planned and well vetted cloud deployment strategies that strategically align with the risk management frameworks to ensure data and information systems security and control at all levels.

Current trends in Cloud computing have focused on security and risk management in the cloud. This was necessitated by the forced remote working situation organizations encountered because of the Covid-19 pandemic. Key trends that are surfacing in the industry and research areas are Zero-Trust Network Access (ZTNA), Serverless Computing and Confidential Computing. ZTNA is a technology that provides secure remote access to applications and services based on a defined access control policy. ZTNA access defaults to deny and only grants access to services the user has been explicitly granted permission. Serverless computing is a computing method of providing backend services on an as-used basis. In serverless computing, users can write and deploy code without worrying about the underlying infrastructure. Confidential computing is a cloud computing technology that isolates sensitive data in a protected CPU enclave during processing. By this method, the data has been processed, and the techniques used to process the data are only accessible to authorized programming codes that are trusted. The data and techniques used to process the data are invisible and unknowable to anything or anyone, including the cloud provider.

[1] https://hostingtribunal.com/blog/cloud-computing-trends/#gref
[2] https://www.flexera.com/blog/cloud/cloud-computing-trends-2021-state-of-the-cloud-report/
[3] https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919234
[4] https://www.fedramp.gov/program-basics/