Cloud Computing Risk Factors

Risk factors are internal or external threats to the security posture of an organization that can pose a risk to the organization if not monitored or handled properly.

Risk Factor / Description

1. Vulnerabilities

Vulnerabilities can be exploited by attackers and result in a lack of data integrity and/or the loss, theft, or destruction of data.

Minimize risk by: Patching to mitigate vulnerabilities, vulnerability and virus scanning, and monitoring aging infrastructure.

2. Threats

Properly identifying the threat landscape is critical to determining risk. This accounts for cyber threats, insider threats, brand reputation threats, domain-based threats, and third-party threats.

Minimize risk: For insider threats, enforce separation of duties so that one employee does not have privileges over too many business processes; keep employees happy with good benefits, decent pay, reasonable working hours, and training for the position and organizational security.

Brand threats: If an incident were to occur, customers could be vulnerable, business could be lost, and profits could decrease. Therefore, there should be a plan in place for incidents or disasters.

3. Policy and Plans

Proper policies must be in place to account for these threats and hold personnel accountable for taking the necessary steps and precautions. A disaster recovery plan should be in place for disasters, along with other plans for incidents, such as an incident response plan.

Minimize risk by: Getting managerial and executive buy-in, routinely testing plans, and updating policies.

4. Endpoints

Endpoints that store the data pose a great risk to the company if the device is stolen or lost.

Minimize risk by: Encrypting hard drives and having software to remotely wipe devices, tracking the devices, managing and accounting for hardware, and properly destroying hardware at end of life.

5. Data

Having too much data and not analyzing it properly for risk can be a danger to the business. Also, if anything happens to the data, specifically personally identifiable information or protected health information, there can be legal, state, local, or federal ramifications.

Minimize risk by: Following proper protocols for the data stored on the network, managing endpoints and inventory appropriately, and minimizing vulnerabilities.

6. Regulatory

Risk arises from not being in compliance with the regulations pertinent to the industry that you operate in.

Minimize risk by: Having a regulatory compliance program defined, with appropriate policies, procedures, and well-defined roles and responsibilities for staff. 

An organization can perform a cloud computing risk assessment to determine the cloud computing risks. Once these risks have been identified, an organization must determine how to handle the risks (risk avoidance, acceptance, mitigation, control, monitoring, and transfer).