Assessing The Security Risks Of Cloud Computing – This description of cloud security risk management is an UNCLASSIFIED version distributed by the Chief Security Officer, Communications Security Establishment (CSE). For more information or to suggest changes, please contact the Canadian Centre for Cyber Security (CCCS) Contact Centre:
Cloud computing has the potential to provide agile, flexible and cost-effective information system services. In a cloud computing model, organizations relinquish direct control over many aspects of security and privacy, thereby placing a level of trust in the cloud service provider (CSP). At the same time, organizations using cloud services remain responsible for the confidentiality, integrity, and availability of CSP-hosted information systems and related information.
As a result, organizations must expand their information systems security risk management practices to include cloud environments. Because cloud environments are shared, the responsibility for implementing, operating, and maintaining security controls is likewise shared between the CSP and the consumer organization. Organizations therefore need to understand cloud security to address these risks effectively.
To support the adoption of cloud computing, the Government of Canada has adopted an integrated risk management approach to building cloud-based services. ITSM.50.062 describes this approach, which applies to all cloud-based services regardless of the cloud service and deployment model.
The NIST Cloud Computing Reference Architecture (Special Publication 500-292) [9] defines the different types of service models. Broadly speaking, a service model describes what a CSP provides to consumers: applications, application platforms, or raw computing resources. Cloud consumers can choose from three service models:
In the IaaS service model, the capability provided to the consumer is processing, storage, networking, and other fundamental computing resources, on which the consumer can deploy and run arbitrary software, including operating systems and applications.
In the PaaS service model, the capability provided to the consumer is to deploy onto the cloud infrastructure applications the consumer has created or acquired, built using programming languages, libraries, services, and tools supported by the provider.
In the SaaS service model, the capability provided to the consumer is the use of the provider’s applications running on a cloud infrastructure. Consumers access these applications from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a programmatic interface (e.g., a native application).
A deployment model describes the relationship between a cloud service provider and a cloud service consumer. NIST identifies four cloud deployment models:
In a private cloud, the cloud infrastructure is provisioned for the exclusive use of a single organization comprising multiple consumers (such as business units).
In a community cloud, the cloud infrastructure is provisioned for the exclusive use of a specific community of consumers from organizations that have shared concerns.
In a hybrid cloud, the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain separate entities but are bound together by standardized or proprietary technology enabling data and application portability.
To be successful, a cloud security risk management approach depends on the activities of various actors, some working independently of the organization. The actors are as follows:
Organizations need to understand the security policies, standards, and guidelines that meet cloud security requirements. Because cloud computing also presents additional privacy challenges for organizations using cloud services, organizations must understand their obligations under Canadian privacy laws [5]:
The approach presented in this document is aligned with the current risk management and cloud security standards of the following organizations:
As part of its risk management framework, an organization should define the security objectives necessary to protect its information and services.
The CCCS’s IT Security Risk Management: A Lifecycle Approach (ITSG-33) [8] guidelines propose a series of activities at both the departmental and information system levels.
At the departmental level, the planning, management, assessment, and improvement of IT security-related risks facing the organization are integrated into the organization’s security program.
At the information system level, activities are integrated into the information system development life cycle (SDLC). These activities include information system security engineering, threat and risk assessment, and security assessment and authorization. As shown in Figure 1, a cloud security risk management approach supports activities at the information system level.
Information security managers are responsible for integrating cloud environments into information systems security risk management practices, including security assessment and authorization. Business owners in consumer organizations seek out cloud service capabilities.
Figure 1 shows a mapping of ITSG-33’s Annex 2 information system level activities to cloud security risk management activities:
Figure 1 also shows a mapping of ITSG-33’s Annex 1 departmental-level activities to the security control profile selection activity within the cloud security risk management approach.
This cloud security risk management approach is derived from the following cloud computing and information systems security risk management standards, recommendations, and guidance:
Organizations are ultimately responsible for security risks arising from the use of information system services provided by external providers, including cloud services provided by CSPs and cloud brokers. As a result, organizations must adopt a structured approach to risk management, including the integration of cloud services, to support their program goals and outcomes.
As shown in Figure 2, the cloud security risk management process consists of a series of procedures implemented by CSPs and consumer organizations, as explained below.
Figure 2 is a diagram showing a series of connected boxes and arrows that visually represent the cloud security risk management process.
Security categorization is a fundamental activity in the cloud security risk management approach, as it provides the basis for determining the expected level of injury that could result from a compromise of the information system. Through this process, the business activities supported by the cloud-based service are identified and categorized, and the service inherits the resulting security category. Consumer organizations then select the appropriate security control profile based on the security category and their risk tolerance.
Security control profiles are developed for cloud-based services. These profiles are derived from the baseline profiles in Annex 4 of ITSG-33. A cloud control profile identifies the recommended security controls that CSPs and consumer organizations should implement for the security category being assessed. The selected cloud control profile is also the basis for assessing the security controls.
When adopting cloud services, consumer organizations must determine the appropriate cloud service and deployment model for their IT services. This choice is driven by the nature of the service, how much control the consumer organization wants, and the consumer organization’s level of experience and maturity in managing and maintaining cloud-based information system environments.
The consumer organization does not always have control over the design, implementation, and assessment of the CSP’s security controls. Alternative security assessment methods must therefore be used, such as relying on other trusted security assessments. The results of such assessments can be incorporated into the organization’s own security assessment if deemed applicable and reliable.
In the context of a cloud security risk management approach, these trusted security assessments consist of third-party certifications, which carry more weight than self-assessments. These certifications must be performed by an independent third party that is objective and applies professional standards to the evidence it examines and produces. However, third-party certifications rarely cover all of the security requirements in the selected security control profile. Additional security requirements and contract clauses can ensure that the CSP provides the evidence needed to support security assessment activities.
When implementing a cloud control profile, consumer organizations and CSPs are each responsible for implementing many of the recommended security controls. In addition, there are certain security controls that must be implemented by both the CSP and the consumer organization.
The security controls that a consumer organization must implement for a cloud-based service are determined by the service model chosen for that service. Figure 3 shows the division of responsibility for implementing security controls between the CSP and the consumer organization. Under the IaaS service model, consumer organizations implement more security controls than under the SaaS service model.
Consumer organizations are responsible for assessing the security controls identified for them in the cloud control profile. As shown in Figure 3, the scope of the cloud control profile includes all CSP and consumer organization components used to deliver and consume cloud-based services. Consequently, consumer organizations need to understand the overall effectiveness of the security controls that CSPs have implemented in their environments. Understanding this overall effectiveness is critical to identifying and managing residual risks to cloud-based services.
Figure 3 is a diagram representing the responsibilities of consumer organizations and cloud service providers in implementing security controls. The list of responsibilities is divided into three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Under IaaS, the consumer organization is responsible for user access and identity, data, applications, and platforms. The CSP is responsible for the resource abstraction and control layer, hardware, and facilities.
Below