How to Perform Cost Effective Cloud Risk Assessments
Since the inception of cloud computing, there have been concerns in the industry around the security, privacy and compliance of cloud infrastructure. These reservations indicate a set of relatively unique risks compared to traditional on-prem architecture.
Risk assessments for the cloud are likely to have their own features, yet the guiding literature predominantly focuses on generalized risk assessments (for example, the NIST 800-30 Guide for Conducting Risk Assessments).
In theory, FedRAMP, in conjunction with NIST 800-53 and the Risk Management Framework (RMF), provides a detailed model for cloud deployments and risk assessment. Collectively, though, it tends to target the largest organizations – usually in the public sector. This model is far too complex and costly to serve as a practical reference for cloud implementations for most companies.
Fortunately, a wide range of mid-size private-sector companies can develop and conduct practical and cost-effective NIST CSF-based cloud risk assessments following the tenets of existing NIST publications.
Cloud-Specific Threats and Vulnerabilities
NIST lists six cloud-specific vulnerabilities for the public cloud:
- network dependency
- hidden workload locations
- limited visibility and control
- illusion of unlimited resource availability
- restrictive default service level agreements (SLAs)
NIST also advises including seven “technology areas” in cloud-focused controls assessments:
- logical isolation techniques employed in the multi-tenant software architecture of the cloud
- facilities for backup and recovery of data and for sanitization of data
- capabilities and processes for electronic discovery
- mechanisms used to control access to data, to protect data while at rest, in transit and in use, and to expunge data when no longer needed
- facilities available for cryptography and cryptographic key management
- mechanisms for secure authentication, authorization and other identity and access management functions and
- facilities for incident response and disaster recovery
Current NIST Publications on Cloud Computing and Risk Management
There is no single NIST publication dedicated specifically to the topic of cloud risk assessments. The current collection of NIST publications deals extensively, but in a fragmented way, with the topics of cloud computing and risk management. NIST 800-144 recognizes the potential for integration, suggesting the publications in the table below are “complementary”:
NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, 2011.
The “Maximum Flexibility” of NIST-Based Risk Assessments
NIST 800-30 says the objective of a cybersecurity risk assessment is to provide information to organizational stakeholders to improve their ability to make risk-based decisions.
NIST has intentionally built “maximum flexibility” into its guidance on how risk assessments are performed and does not prescribe the depth or breadth for a risk assessment nor specify methods, tools, techniques or reporting formats.
The choices for the risk assessment approach (quantitative, qualitative) and the risk analysis approach (threat-oriented, asset/impact-oriented, vulnerability-oriented) are determined by each enterprise. There are also no restrictions around the scoping levels (Tiers 1 through 3) or time intervals (as-needed, annually) for conducting risk assessments.
During the pre-assessment phase, this high level of flexibility should be extended to cloud risk assessments and any given assessment may accordingly include or exclude any or all of a particular cloud service provider (CSP) environment.
For an enterprise using the public cloud, the timing for risk assessments depends as much on significant changes on the CSP side as it does for on-prem changes. In a public multi-cloud deployment, an enterprise may opt to assess different CSPs using alternative approaches.
NIST flexibility asserts the option to conduct targeted risk assessments, and given the varying levels of visibility into the changes within each CSP, alternative risk assessment methods and timing may be compulsory in multi-cloud scenarios.
The purpose of the cloud risk assessment in all cases guides the decisions on what controls are to be included and when the assessment is to be performed.
The most common approach to risk assessments for a mid-size Fortune 1000 organization is a focused scope on what NIST refers to as the Tier 3 Information System Level, where Tier 3 represents the set of existing controls.
DRAFT NIST Special Publication 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, 2021.
For risk assessments, it’s typical to perform a security control assessment (i.e., a gap analysis aligned to NIST CSF) and then use these results as input to the risk assessment. A controls review may find the lack of a control or the inability of a control to function effectively, which in turn signals a potential vulnerability.
Finally, the control assessment results are reviewed together with the likely threats and estimated impact resulting in specific risks to the enterprise information systems. The activities performed during each phase of the risk assessment lifecycle are shown here:
During post-assessment, NIST 800-53A indicates the results of the controls assessment may be used to:
- Identify security- and privacy-related weaknesses and deficiencies in the system and in the environment in which the system operates
- Prioritize risk mitigation decisions and associated risk mitigation activities
- Confirm that identified security- and privacy-related weaknesses and deficiencies in the system and in the environment of operation have been addressed
- Support monitoring activities and information security and privacy situational awareness
- Facilitate all types of system authorization decisions
- Inform budgetary decisions and the capital investment process
Practical Considerations of a Cloud Risk Assessment
Cloud computing and CSP deployments may be relatively new but the outsourcing of technology to external providers has been a long-standing business model. NIST 800-53A alludes to the cloud in pointing to:
The growing use of external service providers and new relationships being forged with those providers present new and difficult challenges for organizations, especially in the area of information system security.
The cloud-specific threats and vulnerabilities (as outlined above) direct the initial scope of every cloud risk assessment.
Perhaps the most pressing issue with a cloud risk assessment is the limited visibility of the enterprise into the cloud environment, making it challenging (if not impossible) to identify the system controls to include in the Tier 3 risk assessment. NIST supports this view, stating that organizational emphasis is typically placed on the server side whereas the client side tends to be overlooked.
As a reference point, the shared responsibility model (SRM) provides general guidance on technology layers controlled by the enterprise versus the cloud provider, but the model is only a template and cannot be relied upon for each individualized CSP implementation.
The controls associated with the technologies at any given layer in practice are more varied and more complex than outlined in the SRM. For this reason, the enterprise is dependent upon the CSP to provide granular control information. The diagrams below show the SRM across IaaS/PaaS/SaaS and also by AWS Service Types:
(1) Cloud Security Alliance. Security Guidance for Critical Areas of Focus in Cloud Computing 4.0, 2021.
(2) Ruback, Harvey and Tom Richards. AWS for Industries: Applying the AWS Shared Responsibility Model to Your GxP Solution, 2021.
Armed with architectural details from the CSP (such as the attack surface of virtualized resources and applications), the cloud design specifications can be mapped to an existing framework, such as NIST CSF, using the “informative references” from NIST 800-53.
Unfortunately, the practical outcome may be more ambiguous because, for each portion of the technical system, the CSP may: 1) provide this information in sufficient detail 2) provide a proxy for this information in the form of auditor attestations, or 3) provide insufficient system detail and/or no attestation by default.
NIST CSF may currently be viewed as a de facto standard (especially for prem-based assessments) across the compliance landscape, but the CSF does not provide an enterprise-ready cloud-focused tool like the Cloud Security Alliance’s (CSA) groundbreaking Cloud Controls Matrix (CCM). Like the CSA CCM, AWS sets an industry-leading precedent from the CSP side by providing clients with the AWS Services and Customer Responsibility Matrix for Alignment to the CSF to simplify and expedite the controls assessment review. The snapshot below shows the relevant headings in the AWS template:
AWS. AWS Services and Customer Responsibility Matrix for Alignment to the CSF, 2021.
The input from a cloud-centric gap tracker is converted into risk (via the standard risk assessment process activities) and ultimately the results of the risk assessment will identify areas for potential mitigation and tailoring of the current control set.
In every case, the leadership at each enterprise organization is accountable for the risk-based decisions springing from the due diligence process associated with cloud computing. The effective management of risk includes the decisions regarding the initial scope of the assessment as well as the communication and use of the assessment results.
NIST publications frequently mention the need for “cost-effective” risk management but don’t elaborate on how to achieve financial objectives or call out cost itself as representing a significant risk category for cloud computing. The prioritization of potential risk responses is one of the methods for controlling cost through the phased distribution of resources and budget.
While cost has often been viewed as a key driver for migration to the cloud, it has become apparent with a wide variety of cloud deployments and pricing models that a cost-effective strategy is not an inherent or straightforward outcome.
Stakeholders must devote a similar level of rigor to the evaluation of their CSP’s financial options as to the governance around technologies and regulation. For this reason, cloud risk assessments should provide expert-level analysis and dialogue with clients and ultimately elevate key priorities to achieve cost-effective, timely resource distribution. These findings and priorities are a springboard for investment discussions at the board level and with outside consulting firms and cybersecurity providers.
NIST is a government entity with its top priorities more focused on the public sector and its cloud efforts aimed more intensively at FedRAMP than on less laborious activities for private-sector companies. For NIST, the public cloud implies the use of an “external service provider” and the new paradigm is viewed within older models of vendor risk management and outsourced services. These are feasible explanations why NIST has published extensively on the topics of cloud computing and risk management but has not developed a more explicit, integrated and progressive approach to cloud risk assessments targeting the mid-size enterprise.
NIST states the CSF is adaptable to the global needs of the private sector. Cloud risk assessments customized to the requirements of mid-size companies are also within the flexible guidelines laid out by NIST. With the ubiquity of cloud computing as well as its special risks and challenges, the use of the CSA CCM and AWS matrices is a multi-framework approach to cloud risk assessments offering a solution at the Tier 3 level for the Fortune 1000. NIST guidelines provide a valid way to customize a practical and cost-effective CSF-based model for cloud risk assessments.