Prioritizing Cloud Security Controls Using FAIR

Cloud Computing SecurityCompanies have gradually been moving to the cloud for years, but still need a model for prioritizing security initiatives for their cloud migration. Feedback from our clients is that organizations spread across multiple geographies, markets and business functions operate in silos and over the course of time develop multiple sets of key risks and initiatives to address security for their move to cloud.

Alternatively, some clients don’t want to move to cloud because they’re concerned about security risk of putting data into cloud. We hear that particularly in financial services and regulated sectors. The reality is that clients could have more exposure from legacy systems than you do in the cloud. 


Sambit Misra - IBM


Sambit Misra is Global Product Manager at IBM Security, a sponsor of the FAIR Institute. Learn about IBM Security Risk Quantification Services.


Having said that, securing the migration to cloud involves building a comprehensive cloud security strategy. Implementation of that strategy usually means transformation of the organization’s security program to enable business innovation at cloud speed, on top of managing regulatory compliance and business requirements.

The regulatory expectations are related to data classification, encryption and residency, confidentiality, integrity and availability including auditability, managing incidents and business continuity. While business requirements include complete flexibility to cover multiple business locations, controls meeting recognized standards, sustainability to ensure that future regulatory and security requirements or changes to cloud service provider specifications and standards are easily and efficiently addressed. 

Using Risk Quantification for Business Alignment

Cloud Computing Security Box 1Business leaders and their security teams need to be on the same page when it comes to security risk in order to effectively protect their people, data and valuable resources. We need security teams to be able to present a prioritized list of security initiatives based on magnitude of risk reduction, ROI and alignment to business objectives. Risk quantification with FAIR™ provides that clarity. Risk quantification can help quantify the risk that exists within legacy systems and compare that with quantified risk in cloud.

Categorizing those into security domains – network security controls, security and compliance posture management, identity and access controls, workloads and app security controls, data security controls, audit and monitoring controls, including personnel and physical security is an approach to assess risk and identify a set of initiatives.

Learn cyber risk quantification with online training through the FAIR Institute

One example we would like to discuss here is the risk of PI/SPI data breach on cloud – which may translate from misconfiguration of a cloud resources. We use the FAIR model to define the scenario: 

  • Asset: PI/SPI data on cloud
  • Threat: External Actors
  • Effect: Loss of confidentiality
  • Risk: Financial Loss 

Assessment of this risk can be done via knowing:

  • Type of Access controls
  • # of external attacks in past
  • #s of buckets
  • Type of data
  • # of workstation compromises
  • #s of confidential records -- Is data encrypted?

Quantification of the risk is accomplished via assessing the primary and secondary loss: 

Primary Loss

  • $ Remediation Cost
  • $ Management Cost
  • $$ Organization Cost 

Secondary Loss

  • $$$ Reputational Loss
  • $ Credit Monitoring Cost
  • $$Customer Service Cost 

Mapping a Secure Journey to Cloud

Cloud Computing Security Box 2A risk quantification assessment based approach could help organizations distinguish which workloads to move to the cloud and how, while also recommending proper security controls to put in place based on a cost-benefit impact analysis.

In brief, the approach we recommend:

  • Perform cloud security assessment built on industry frameworks to define baseline security maturity. Assess against transparent metrics for security maturity assessment
  • Assessment reveals multiple areas of risks that should be remedied to pursue a successful cloud adoption strategy
  • Build the foundational blocks for securely onboarding to cloud via identifying the set of projects and CISO action plan based on the priority to improve control in key risk areas
  • Identify the business unit’s risk areas and the set of security initiatives identified across identity and access management, governance, metrics, culture, and app, network and system security, SOC and data security
  • First level prioritization by the organization’s ability to achieve and business Impact.
  • Augment the decision making for security initiative prioritization
  • Run FAIR analysis for probable losses and factor in recommended controls; rank the initiatives by ROI%
  • Establish the risk communication, integrate findings and security recommendations to build the cloud security prioritization roadmap 

Organizations should proactively operate under the assumption of potential compromise, taking a risk based approach to security. By defining what poses risk to their business and quantifying the impact, from third-party tools or applications to access controls, organizations are able to understand which risks they need to prioritize mitigating. In other words, assessing security risks, contextualizing them and calculating their business impact with FAIR can help enable organizations to enforce their risk based approach and strengthen their cybersecurity resiliency as work models adapt to a rapidly evolving business landscape.

Learn more about IBM Security Risk Quantification Services

About the FAIR Institute:

FAIR (Factor Analysis of Information Risk) cyber risk quantification has emerged as the premier Value at Risk (VaR) standard for cybersecurity and technology risk. The FAIR Institute is a non-profit, professional organization dedicated to advancing the discipline of measuring and managing information risk. It provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk in business terms. Become a FAIR Institute member.

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37