Risk Assessment for Cloud
Overview
Risk assessment identifies, analyzes, and evaluates cloud security risks, enabling informed risk treatment decisions.
Learning Objectives
- Conduct cloud risk assessments
- Identify cloud-specific threats
- Analyze risk likelihood and impact
- Evaluate risk treatment options
- Apply ISO 27017 risk management
ISO 27017 Risk Management
A.6.1.2 - Information Security Risk Assessment
Requirements:
- Establish and maintain risk assessment process
- Identify risks associated with loss of confidentiality, integrity, availability
- Assess risk likelihood and consequence
- Determine risk levels
- Review and update as needed
Cloud-Specific Risk Factors
Cloud Risk Dimensions
├─ Service Model Risk
│ ├─ IaaS: More customer responsibility
│ ├─ PaaS: Shared responsibility complexity
│ └─ SaaS: Less control, more trust
├─ Deployment Model Risk
│ ├─ Public: Multi-tenancy risks
│ ├─ Private: Higher cost, less shared risk
│ └─ Hybrid: Integration complexity
├─ Data Risk
│ ├─ Data location uncertainty
│ ├─ Data sovereignty
│ ├─ Multi-tenant isolation
│ └─ Data remanence
├─ Provider Risk
│ ├─ Provider viability
│ ├─ Lock-in
│ ├─ Provider security posture
│ └─ Subprocessor risk
└─ Compliance Risk
├─ Shared compliance responsibility
├─ Audit complexity
├─ Regulatory changes
└─ Evidence collection
Risk Assessment Process
Step-by-Step Methodology
1. Asset Identification
├─ Identify cloud services
├─ Classify data in cloud
├─ Map data flows
└─ Identify dependencies
2. Threat Identification
├─ External threats (hackers, etc.)
├─ Internal threats (insiders)
├─ Environmental threats
└─ Cloud-specific threats
3. Vulnerability Identification
├─ Configuration weaknesses
├─ Access control gaps
├─ Encryption gaps
└─ Monitoring gaps
4. Likelihood Assessment
├─ Threat capability
├─ Vulnerability exploitability
├─ Existing controls
└─ Attack history
5. Impact Assessment
├─ Confidentiality impact
├─ Integrity impact
├─ Availability impact
└─ Business impact
6. Risk Calculation
├─ Risk = Likelihood × Impact
├─ Risk level determination
├─ Risk prioritization
└─ Risk mapping
7. Risk Treatment
├─ Mitigate (implement controls)
├─ Transfer (insurance, contracts)
├─ Accept (document acceptance)
└─ Avoid (don't use service)
Cloud Threat Landscape
Common Cloud Threats
| Threat | Description | Likelihood | Impact |
|---|
| Data Breach | Unauthorized access to data | High | Critical |
| Account Hijacking | Compromised credentials | High | High |
| Insider Threat | Malicious insider | Medium | High |
| Insecure APIs | Vulnerable APIs exploited | High | High |
| DDoS | Service disruption | Medium | Medium |
| Misconfiguration | Security setting errors | High | High |
| Malware | Malicious software | Medium | Medium |
| Data Loss | Accidental deletion/corruption | Low | Critical |
| Provider Failure | Provider goes out of business | Low | Critical |
Threat-Vulnerability-Risk Mapping
Example: Data Breach Risk
Threat: External Attacker
├─ Motivation: Financial gain
├─ Capability: High
└─ Access: Internet
Vulnerabilities:
├─ No MFA (High severity)
├─ Weak passwords (Medium severity)
├─ No encryption at rest (High severity)
├─ Overly permissive access (Medium severity)
└─ No monitoring (Medium severity)
Existing Controls:
├─ Password policy (Partial)
├─ Firewall (Adequate)
└─ Antivirus (Adequate)
Likelihood Calculation:
├─ Threat capability: High
├─ Vulnerability severity: High
├─ Control effectiveness: Low
└─ Likelihood: HIGH
Impact Assessment:
├─ Data classification: Restricted (PII)
├─ Volume: 1M customer records
├─ Regulatory: GDPR applies
├─ Financial: €20M potential fine
├─ Reputational: Severe
└─ Impact: CRITICAL
Risk Level: CRITICAL (High × Critical)
Treatment: MITIGATE
├─ Implement MFA (Priority 1)
├─ Enable encryption (Priority 1)
├─ Implement least privilege (Priority 2)
├─ Deploy monitoring/SIEM (Priority 2)
└─ Regular access reviews (Priority 3)
Residual Risk: MEDIUM (after mitigation)
Risk Assessment Matrix
Likelihood Scale
| Level | Description | Frequency |
|---|
| 5 - Very High | Almost certain to occur | > 1/month |
| 4 - High | Likely to occur | 1/quarter |
| 3 - Medium | Possible | 1/year |
| 2 - Low | Unlikely | 1/5 years |
| 1 - Very Low | Rare | < 1/5 years |
Impact Scale
| Level | Financial | Operational | Reputational | Compliance |
|---|
| 5 - Critical | > $10M | Business failure | Severe, lasting | Major fines, prosecution |
| 4 - High | $1M-$10M | Major disruption | Significant | Regulatory sanctions |
| 3 - Medium | $100K-$1M | Moderate disruption | Moderate | Warning letters |
| 2 - Low | $10K-$100K | Minor disruption | Minor | None |
| 1 - Very Low | < $10K | Negligible | Negligible | None |
Risk Heat Map
Impact →
│ 1 │ 2 │ 3 │ 4 │ 5 │
─────┼─────┼─────┼─────┼─────┼─────┤
L 5 │ M │ H │ H │ C │ C │
i ────┼─────┼─────┼─────┼─────┼─────┤
k 4 │ L │ M │ H │ H │ C │
e ────┼─────┼─────┼─────┼─────┼─────┤
l 3 │ L │ M │ M │ H │ H │
i ────┼─────┼─────┼─────┼─────┼─────┤
h 2 │ L │ L │ M │ M │ H │
o ────┼─────┼─────┼─────┼─────┼─────┤
o 1 │ L │ L │ L │ M │ M │
d ────┴─────┴─────┴─────┴─────┴─────┘
L = Low (Acceptable)
M = Medium (Review)
H = High (Mitigate)
C = Critical (Immediate action)
Cloud-Specific Risk Scenarios
Scenario 1: Multi-Tenant Data Bleed
Risk: Multi-Tenant Data Bleed
Description:
Vulnerability in CSP multi-tenant isolation allows
Tenant A to access Tenant B's data
Threat: Malicious tenant, CSP vulnerability
Vulnerability: Insufficient isolation controls
Asset: Customer PII in shared database
Likelihood: Low (2)
├─ CSP has strong isolation
├─ Regular security testing
└─ No history of issues
Impact: Critical (5)
├─ 500K customer records exposed
├─ GDPR violation (€20M fine)
├─ Severe reputational damage
└─ Loss of customer trust
Risk: HIGH (2 × 5 = 10)
Treatment: MITIGATE + TRANSFER
├─ Verify CSP isolation testing
├─ Require insurance from CSP
├─ Implement application-level encryption
├─ Monitor for anomalous access
└─ Include breach notification in contract
Residual Risk: MEDIUM
Scenario 2: Cloud Provider Failure
Risk: Cloud Provider Business Failure
Description:
Cloud provider goes out of business,
services terminated with short notice
Threat: Provider financial instability
Vulnerability: Single provider dependency
Asset: Critical business applications
Likelihood: Low (2)
├─ Provider is major, stable company
├─ Strong financials
└─ Large customer base
Impact: Critical (5)
├─ Business operations disrupted
├─ Lost revenue: $1M/week
├─ Data may be inaccessible
└─ Emergency migration costly
Risk: HIGH (2 × 5 = 10)
Treatment: MITIGATE + ACCEPT (partial)
├─ Regular data exports
├─ Multi-cloud strategy for critical apps
├─ Disaster recovery with alternate provider
├─ Financial monitoring of provider
└─ Contractual data return guarantees
Residual Risk: MEDIUM
Accepted Risk: Provider failure (documented)
Risk Treatment Planning
Risk Treatment Options
Treatment Decision Matrix
For each risk:
Critical Risks (immediate action):
├─ Mitigate: Implement controls
├─ Timeline: < 30 days
├─ Budget: Approved immediately
└─ Responsibility: Assigned
High Risks (urgent):
├─ Mitigate: Implement controls
├─ Timeline: < 90 days
├─ Budget: Request approval
└─ Responsibility: Assigned
Medium Risks (planned):
├─ Mitigate: Plan implementation
├─ Transfer: Consider insurance/contracts
├─ Timeline: < 6 months
└─ Budget: Include in planning
Low Risks (monitor):
├─ Accept: Document acceptance
├─ Monitor: Regular review
├─ Timeline: Opportunistic
└─ Budget: None allocated
Risk Treatment Plan Example
Risk: No Multi-Factor Authentication
Risk Level: CRITICAL
Treatment: MITIGATE
Action Plan:
1. Select MFA solution (Week 1)
├─ Evaluate options (TOTP, hardware, FIDO2)
├─ Pilot with IT team
└─ Select vendor
2. Pilot deployment (Week 2-3)
├─ Deploy to IT and security teams
├─ Test integration
└─ Refine procedures
3. Phased rollout (Week 4-8)
├─ Week 4: Privileged users
├─ Week 5-6: All employees
├─ Week 7-8: Partners/contractors
└─ Communication and training
4. Enforcement (Week 9)
├─ MFA required for all access
├─ Exceptions process (minimal)
└─ Monitor compliance
5. Ongoing (Week 10+)
├─ User support
├─ Regular reviews
└─ Continuous improvement
Budget: $20,000
Timeline: 2 months
Owner: IAM Team Lead
Residual Risk: LOW
Risk Register
Template
Risk Register Entry
Risk ID: CLOUD-001
Risk Title: No Encryption for Sensitive Data
Date Identified: 2024-01-15
Status: OPEN
Description:
Customer PII stored in cloud without encryption,
violating data protection policy and GDPR
Asset: Customer database (500K records)
Threat: External attacker, insider threat
Vulnerability: No encryption at rest configured
Likelihood: High (4)
Impact: Critical (5)
Inherent Risk: CRITICAL (4 × 5 = 20)
Existing Controls:
├─ Access control (Adequate)
├─ Network security (Adequate)
└─ Logging (Partial)
Current Risk: CRITICAL
Treatment: MITIGATE
Actions:
├─ Enable AES-256 encryption (Priority 1)
├─ Implement customer-managed keys (Priority 2)
├─ Encrypt backups (Priority 1)
└─ Update procedures (Priority 3)
Timeline: 30 days
Budget: $10,000
Owner: Cloud Administrator
Residual Risk: MEDIUM (2 × 3 = 6)
Acceptance: N/A (will be mitigated)
Review Date: 2024-02-15
Last Updated: 2024-01-15
Continuous Risk Monitoring
Risk Monitoring Process
Daily:
├─ Security event monitoring
├─ Alert review
└─ Incident tracking
Weekly:
├─ Vulnerability scan review
├─ Access review (privileged)
└─ Configuration compliance
Monthly:
├─ Risk metrics review
├─ New risk identification
├─ Treatment progress
└─ Management reporting
Quarterly:
├─ Full risk reassessment
├─ Risk register update
├─ Treatment plan adjustment
└─ Risk committee meeting
Annually:
├─ Comprehensive risk assessment
├─ Methodology review
├─ Risk appetite review
└─ Board reporting
Key Takeaways
- Risk assessment is fundamental to ISO 27017
- Cloud introduces unique risks requiring specific assessment
- Risk = Likelihood × Impact
- Risk treatment options: Mitigate, Transfer, Accept, Avoid
- Continuous monitoring detects emerging risks
- Risk register tracks all identified risks
Self-Assessment
- What are the steps in risk assessment?
- How is risk calculated?
- What are the four risk treatment options?
- What cloud-specific risks exist?
- How often should risk assessments be conducted?