Managing cloud computing risk scenarios with CRQ methods
Simple yes or no questions are asked in a game of Guess Who. But to get to the heart of your organization’s concerns about cloud computing, the key is to ask meaningful, open-ended questions that consider your digital assets, the threats to those assets, their vulnerabilities, and the impact a loss could have on your business. CRQ using the FAIR standard is a valuable tool for analysing ‘what could possibly go wrong’ concerns about cloud computing: its risk scenarios provide actionable information, and as a quantitative method it speaks to C-level decision-makers in financial terms.
What are the risk scenarios associated with delivering IT services using a cloud-based model?
According to the 2023 Thales Data Threat report, ransomware and human error are the main causes of cloud data breaches. IT and security professionals identified digital assets in the cloud as the biggest targets for cyberattacks. SaaS apps and cloud storage were the biggest targets, followed by cloud infrastructure (IaaS). As businesses increase their dependence on PaaS and SaaS tools, the traditional ways of thinking about business risk need to evolve.
Let’s start with a definition of cloud computing. A simple but useful definition is a ‘method of delivering IT services over the Internet’. Before you can look at the risk scenarios associated with how you deliver IT services using a cloud-based model, you need to define what digital assets need to be protected.
What is a digital asset?
According to Open FAIR, when talking about information risk, an asset is data, devices, or any other component that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss. A digital asset can be data stored in a digital format. It could be unstructured or structured. Unstructured data includes text-heavy and multimedia files, like marketing materials and internal communication. Structured data includes invoicing information, databases, product lists and serial numbers typically processed by an application.
Unstructured data is a significant digital asset for businesses of all sizes. Businesses use file-sharing SaaS platforms like SharePoint or Dropbox for digital asset management. These document libraries can hold sensitive information like intellectual property (IP) or personally identifiable information (PII). And when sensitive information is not secured, it can be compromised.
In recent years, working from home has become the norm, and employees use multiple devices to create and access files and to communicate with co-workers and external stakeholders. Sharing documents with co-workers or emailing links to external stakeholders is commonplace, as is using multiple devices to access company data stored on platforms like SharePoint. The amount of PII and IP created and shared on these platforms is massive. For an individual organization, what role do these digital assets play in your operations, investments, and business decisions?
Other types of digital assets are applications (and their components) that directly generate revenue, indirectly enable employees to work, or, in a manufacturing environment, create the product.
Building a risk universe
Now that we have discussed digital assets and provided a few examples, let’s look at how to build a risk scenario with your assets. These scenarios will be used to measure and communicate risk. When we talk about risks using the Open FAIR standard, “risk” is defined as ‘the probable frequency and probable magnitude of future loss’. A broad view of the digital assets in scope is used to define a universe of probable risk scenarios.
The following questions will help further develop the risk universe for cloud services:
Does your company have concerns about existing cloud-computing services? Or will this be the first time your company has moved critical services to the cloud?
What digital assets do you already have in the cloud? What digital assets are you going to put in the cloud or build using cloud services?
Some examples of cloud assets in scope could be:
- Unstructured IP data stored on a SharePoint Site.
- Unstructured IP data stored on a business-managed file sharing SaaS.
- Structured PII data hosted on a marketing platform.
- An internet facing eCommerce platform.
- Sensitive employee PII data stored in a HR SaaS platform.
- The Azure or AWS IaaS virtual data center core infrastructure components.
- A document repository containing commercially sensitive data used by the board to exchange information.
- External APIs.
Now that we have this list of assets in scope, we can consider the threat actors and probable impact (or loss). In parallel, we should also consider the attack vectors and controls that are already in place. With these elements, we can build a risk universe to measure and communicate how to manage digital assets in the cloud. A simple way to understand a risk scenario is with the following equation:
Risk scenario = an asset in scope + a threat + an impact (or loss)
Here are some examples of risk scenarios concerning these assets:
- The risk of an external malicious threat actor breaching sensitive employee PII data from the HR SaaS platform via the use of stolen privileged access credentials.
- The risk of an external malicious threat actor breaching confidential unstructured data containing IP from a business-managed file sharing SaaS via a misconfigured internet-facing API.
- The risk of a privileged insider accidentally breaching PII data from a marketing platform by misconfiguring a campaign.
With the scenarios defined, you can then define the decision at hand using the measurable results from the risk analysis.
Quantified cloud risk analysis supports business decisions
The starting point or first decision often consists of educating a stakeholder group about the high-level cyber risk scenarios using qualitative methods. The results are often presented using heat maps or with an ordinal scale by putting the variables into ordered categories ranging from low to high. These methods have their place in risk management. But if you also have quantitative data like monetary values for loss or ratio scales associated with the same risk scenarios, your data is more defensible.
With quantitative data you can:
- Rank and prioritise risk scenarios for remediation.
- Look at the cost-benefit associated with migrating to a cloud-based delivery system.
- Present control enhancements for cloud services with ROI considerations.
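The risk scenario equation above (asset + threat + impact) and the three uses of quantitative data just listed can be tied together in a small FAIR-style Monte Carlo model. The block below is an added illustration written for this page; it is not code from the article or from the Open FAIR standard. The scenario names follow the article’s three example scenarios, but every numeric input (threat event frequencies, vulnerabilities, loss ranges, the MFA control and its annual cost) is a constructed placeholder, not a figure from the article. It samples a year of threat events per scenario, keeps the ones that become loss events, sums the loss magnitudes, ranks scenarios by annualised loss exposure (ALE) and estimates the net benefit of a control in the same currency.

```python
"""FAIR-style Monte Carlo for the cloud risk scenarios listed in the article.

Added illustration: the scenario names follow the article, but every numeric
input (frequencies, vulnerabilities, loss ranges, control cost) is a constructed
placeholder for demonstration, not a figure from the article or from Open FAIR.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """Asset + threat + loss, with calibrated (min, most likely, max) estimates."""
    name: str
    tef: tuple                # threat event frequency, threat events per year
    vulnerability: tuple      # probability a threat event becomes a loss event
    loss_magnitude: tuple     # loss per loss event, in currency units


def _tri(rng: random.Random, estimate: tuple) -> float:
    """Sample a (min, most likely, max) estimate from a triangular distribution."""
    low, most_likely, high = estimate
    return rng.triangular(low, high, most_likely)   # stdlib order is (low, high, mode)


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of threat events in one year at the given rate."""
    threshold, events, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return events
        events += 1


def simulate_annual_loss(scenario: Scenario, rng: random.Random) -> float:
    """One trial: sample a year of threat events and sum the losses they cause."""
    tef = _tri(rng, scenario.tef)
    vulnerability = _tri(rng, scenario.vulnerability)
    annual_loss = 0.0
    for _ in range(_poisson(rng, tef)):
        if rng.random() < vulnerability:          # the threat event became a loss event
            annual_loss += _tri(rng, scenario.loss_magnitude)
    return annual_loss


def quantify(scenarios, trials: int = 20_000, seed: int = 7) -> dict:
    """Annualised loss exposure (ALE) and percentiles per scenario, ranked by ALE."""
    rng = random.Random(seed)                     # fixed seed keeps runs reproducible
    results = {}
    for scenario in scenarios:
        losses = sorted(simulate_annual_loss(scenario, rng) for _ in range(trials))

        def percentile(q: float) -> float:
            return losses[int(q * (trials - 1))]

        results[scenario.name] = {
            "ale": mean(losses),
            "p10": percentile(0.10),
            "p50": percentile(0.50),
            "p90": percentile(0.90),
        }
    return dict(sorted(results.items(), key=lambda kv: kv[1]["ale"], reverse=True))


def control_net_benefit(scenario: Scenario, hardened: Scenario,
                        annual_control_cost: float, trials: int = 20_000, seed: int = 7) -> float:
    """Expected annual loss avoided by a control, minus what the control costs per year."""
    before = quantify([scenario], trials, seed)[scenario.name]["ale"]
    after = quantify([hardened], trials, seed)[hardened.name]["ale"]
    return before - after - annual_control_cost


# Constructed estimates for the three scenarios named in the article.
HR_SAAS = Scenario("HR SaaS PII breach via stolen privileged credentials",
                   tef=(0.5, 2, 6), vulnerability=(0.10, 0.20, 0.30),
                   loss_magnitude=(200_000, 500_000, 2_000_000))
FILE_SHARING = Scenario("File-sharing SaaS IP breach via misconfigured internet-facing API",
                        tef=(0.2, 1, 3), vulnerability=(0.20, 0.40, 0.60),
                        loss_magnitude=(100_000, 300_000, 1_000_000))
MARKETING = Scenario("Marketing platform PII breach via insider campaign misconfiguration",
                     tef=(0.5, 2, 6), vulnerability=(0.80, 0.90, 1.00),
                     loss_magnitude=(5_000, 25_000, 100_000))
SCENARIOS = [HR_SAAS, FILE_SHARING, MARKETING]

# Hypothetical control: phishing-resistant MFA on privileged HR SaaS accounts lowers
# the vulnerability estimate; the annual cost below is a placeholder.
HR_SAAS_WITH_MFA = replace(HR_SAAS, vulnerability=(0.01, 0.03, 0.06))
MFA_ANNUAL_COST = 60_000

if __name__ == "__main__":
    for name, r in quantify(SCENARIOS).items():
        print(f"{name}\n  ALE {r['ale']:>12,.0f}  p10 {r['p10']:>12,.0f}  "
              f"p50 {r['p50']:>12,.0f}  p90 {r['p90']:>12,.0f}")
    print(f"Net annual benefit of MFA control: "
          f"{control_net_benefit(HR_SAAS, HR_SAAS_WITH_MFA, MFA_ANNUAL_COST):,.0f}")
```

The ranking is what supports the first bullet (prioritise remediation), and `control_net_benefit` is the ROI view in the third bullet: the same model run before and after a control, with the control’s cost subtracted. A p50 of zero for a low-frequency, high-impact scenario is expected, which is why the p90 and the mean are reported alongside it rather than a single number.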
Managing cloud computing risk in financial terms
The adoption of cloud services often promises greater business agility and a faster time to market in what is an increasingly competitive environment. It is often unclear as to whether cloud will also increase or reduce cyber risk exposure.
With a CRQ approach, decision-makers can measure the impact of using cloud services in financial terms by taking into consideration both the benefits and potential risks.
Other decisions or use cases could be to analyse a control that is already in place and whether it will reduce or contain a given risk scenario. The board may also want to know whether a cyber insurance policy will reduce exposure to a cloud risk scenario, or the CEO and CFO may question whether adopting a new policy that restricts the use of SaaS file sharing is a good business decision. The cost of a data breach can be estimated using CRQ methods.
How do you define a cloud risk scenario?
Define your asset in scope. Then describe a threat to that asset. Finally, describe the impact or loss that results from a threat event against it.
What is a digital asset?
A digital asset is structured or unstructured data stored in a digital format, e.g., Word files, database files, multimedia files, etc.
What are the benefits of CRQ methods for managing cloud risk?
Cyber Risk Quantification (CRQ) methods consider measurable factors and use statistics and probabilities to estimate risk in quantitative (financial) terms so that decision-makers can understand the financial impact of cloud risk events.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.