Cloud risk management

A risk-based approach to managing information systems is a holistic activity that should be fully integrated into every aspect of the organization, from planning and system development lifecycle processes to security control allocation and continuous monitoring. The selection and specification of security controls are guided by effectiveness, efficiency, and the constraints imposed by applicable laws, directives, policies, standards, and regulations.

The NIST Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems provides a disciplined and structured process that integrates information security and risk management activities into the development lifecycle by identifying the following six steps:

• Step 1 – Use an impact analysis to categorize the system and the information it processes, stores, and transmits.

• Step 2 – Select the set of initial or baseline security controls for the system based on the security categorization. Tailor and supplement the set of baseline security controls according to the organizational assessment of the risk and the conditions of the operational environment. Develop a strategy for continuous monitoring to achieve security control effectiveness. Document all the controls in the security plan. Review and approve the security plan.

• Step 3 – Implement the security controls and describe how the security controls are employed within the system and its environment of operation.

• Step 4 – Assess the security controls using the appropriate procedures as documented in the assessment plan. This assessment determines whether the security controls have been implemented correctly and will effectively produce the intended outcome.

• Step 5 – Authorize information system operation if the estimated risk resulting from the operation is acceptable. The assessment considers risk to organizational assets and operations (including mission, functions, image, or reputation), individuals, and other organizations.

• Step 6 – Monitor the security controls on an ongoing basis. Monitoring includes assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of these changes, and reporting the security state of the system to designated officials.

While the risk management framework is adaptable to most scenarios, it defaults to the traditional IT environment and requires customization to successfully address the unique characteristics of cloud-based services and solutions. The Cloud Risk Management Framework (CRMF) closely follows the original RMF approach. Table E.1 shows the aforementioned six steps listed in the right column, with each step grouped into one of the three main activities in the left column that collectively comprise the risk management process:

Table E.1 (table not reproduced in this copy): The six steps are mapped to each of the three activities comprising the CRMF.

Adopting the approach outlined by these steps enables organizations to systematically identify their common, hybrid, and system-specific security controls and other security requirements for procurement officials, cloud providers, cloud carriers and cloud brokers alike.

The CRMF can be used to address the security risks associated with cloud-based systems by incorporating possible outcomes into the cloud provider’s contractual terms. Performance aspects of these terms and conditions also need to be represented in the SLA, which is an intrinsic part of the service agreement between the cloud consumer and cloud provider. Contractual terms should, for example, include guarantees concerning the cloud consumer’s timely access to cloud audit logs and the details pertaining to the continuous monitoring of the logs.

If permitted by the adopted deployment model, the organization should implement both the cloud consumer’s set of identified security controls and the specifically tailored supplemental security controls. Cloud consumers are advised to request that cloud providers (and cloud brokers) provide sufficient evidence to demonstrate that the security controls being used to protect their IT assets have been correctly implemented.