Alternatively, some clients don’t want to move to the cloud because they’re concerned about the security risk of putting data into the cloud. We hear that particularly in financial services and regulated sectors. The reality is that clients could have more exposure from legacy systems than they do in the cloud.
Sambit Misra is Global Product Manager at IBM Security, a sponsor of the FAIR Institute. Learn about IBM Security Risk Quantification Services.
Having said that, securing the migration to the cloud involves building a comprehensive cloud security strategy. Implementing that strategy usually means transforming the organization’s security program to enable business innovation at cloud speed, on top of managing regulatory compliance and business requirements.
Regulatory expectations relate to data classification, encryption and residency, confidentiality, integrity and availability (including auditability), incident management and business continuity. Business requirements include full flexibility to cover multiple business locations, controls that meet recognized standards, and sustainability, so that future regulatory and security requirements, or changes to cloud service provider specifications and standards, can be addressed easily and efficiently.
Categorizing these into security domains (network security controls, security and compliance posture management, identity and access controls, workload and application security controls, data security controls, audit and monitoring controls, plus personnel and physical security) is one approach to assessing risk and identifying a set of initiatives.
One example we would like to discuss here is the risk of a PI/SPI data breach in the cloud, which may result from misconfiguration of a cloud resource. We use the FAIR model to define the scenario:
Assessment of this risk can be done via knowing:
Quantification of the risk is accomplished via assessing the primary and secondary loss:
Primary Loss
Secondary Loss
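As an added illustration (not code from the article or from IBM Security), the scenario above carried through the FAIR model as a Monte Carlo simulation: loss event frequency is threat event frequency times vulnerability, loss magnitude is primary plus secondary loss, and their product is the annualized loss exposure. Every input range is a constructed placeholder, not a figure from the page; the names `SCENARIO`, `simulate` and the loss forms are this example's own.

```python
import random
import statistics

# Constructed, illustrative (min, most likely, max) ranges for the scenario
# "PI/SPI data breach caused by a misconfigured cloud resource". They are
# NOT figures from the article; calibrate from your own incident/loss data.
SCENARIO = {
    "tef": (0.5, 2.0, 6.0),               # threat events per year
    "vulnerability": (0.05, 0.15, 0.40),  # P(threat event becomes a loss event)
    "primary": {                          # direct per-event costs, USD
        "response": (50_000, 150_000, 400_000),
        "replacement": (10_000, 40_000, 120_000),
        "productivity": (20_000, 60_000, 200_000),
    },
    "secondary": {                        # stakeholder-driven per-event costs, USD
        "fines_judgments": (0, 250_000, 2_000_000),
        "reputation": (0, 100_000, 1_500_000),
    },
}

def draw(rng, lo, mode, hi):
    # A triangular draw stands in for the PERT distribution FAIR tools use.
    return rng.triangular(lo, hi, mode)

def loss_event_frequency(rng, s):
    # FAIR: LEF = threat event frequency x vulnerability
    return draw(rng, *s["tef"]) * draw(rng, *s["vulnerability"])

def loss_magnitude(rng, s):
    # FAIR: LM = primary loss + secondary loss, each summed over its loss forms
    primary = sum(draw(rng, *r) for r in s["primary"].values())
    secondary = sum(draw(rng, *r) for r in s["secondary"].values())
    return primary, secondary

def simulate(s=SCENARIO, iterations=10_000, seed=1):
    """Return annualized loss exposure statistics (mean and percentiles)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        primary, secondary = loss_magnitude(rng, s)
        annual.append(loss_event_frequency(rng, s) * (primary + secondary))
    annual.sort()
    pct = lambda p: annual[int(p / 100 * (iterations - 1))]
    return {"mean": statistics.fmean(annual),
            "p10": pct(10), "p50": pct(50), "p90": pct(90)}

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>4}: ${value:,.0f}")
```

Comparing the distribution with and without the secondary loss forms shows how much of the exposure is driven by fines and reputation rather than by direct response cost.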
In brief, the approach we recommend:
Organizations should proactively operate under the assumption of potential compromise, taking a risk-based approach to security. By defining what poses risk to their business and quantifying the impact, from third-party tools or applications to access controls, organizations can understand which risks they need to prioritize mitigating. In other words, assessing security risks, contextualizing them and calculating their business impact with FAIR can help organizations enforce their risk-based approach and strengthen their cybersecurity resiliency as work models adapt to a rapidly evolving business landscape.
About the FAIR Institute:
FAIR™ (Factor Analysis of Information Risk) cyber risk quantification has emerged as the premier Value at Risk (VaR) standard for cybersecurity and technology risk. The FAIR Institute is a non-profit, professional organization dedicated to advancing the discipline of measuring and managing information risk. It provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk in business terms. Become a FAIR Institute member.