Cloud Risk: The Blind Spot in Cyber Risk Management

Posted by Mark Greisiger

A Q&A with Taiye Lambo of CloudeAssurance – an eFortresses Company
With the cloud becoming a daily reality for most businesses, security risks are greater than ever before. Yet many companies are not even aware of their vulnerability, says Taiye Lambo of CloudeAssurance. I asked him what they could be doing to bolster data safety and securely within the cloud.

If your cloud service provider is the victim of a targeted breach, then your sensitive data is at risk of being compromised and your business severely impacted.

Can you please describe how cloud risk can threaten an organization?
First, I want to say that I think the cloud is great. When we look back, we will see that it was the biggest business development on a global scale, the most revolutionary business model since the internet was invented. That being said, you wouldn’t jump out of a plane without a parachute, and you wouldn’t want to jump into the cloud without one, either. You want to jump into cloud usage as safely and securely as possible. There are four major risks relating to the cloud:

  1. Multi-tenancy. If you are putting data on Amazon or Microsoft’s cloud services, you are most likely sharing that infrastructure with many other customers and they could very easily be your competitors. If they get breached, your data could be at risk as well.
  2. Supply chain. You may be buying cloud services from one provider, but they might be outsourced to another. Let’s say that hypothetically, Netflix uses Amazon. If Amazon decides to use Rackspace, a Rackspace security breach or outage could seriously impact Netflix customers.
  3. Business continuity. If the cloud provider’s service goes down, which we have seen happen often in the past few years, or announces they are closing shop, you may have nowhere to put your data and with no backups, you may lose business.
  4. Data loss. This is what all organizations try to avoid. If your cloud service provider is the victim of a targeted breach, then your sensitive data is at risk of being compromised and your business severely impacted.

Do you feel many companies that leverage the cloud actually understand the security readiness posture of providers they are using?
Good question. Unfortunately, no. What you don’t know in this situation can definitely hurt you, and unfortunately there is a strong lack of understanding as it relates to the cloud. In my past six speaking engagements, as much as 80 percent of respondents said they didn’t know how they are currently assessing their cloud risk. 45 to 100 percent of respondents also indicated that they didn’t know if they were using any tools to assess their cloud risks.

What are the most common technical weak spots affecting cloud operations from a security vantage point?
These are the top five of the top 10 weaknesses identified in the CloudeAssurance Top 10 Cloud Service Providers benchmark study we did for Q4, 2013.

  1. Security architecture and user ID access management. Cloud companies are often not enforcing strong passwords or effectively managing the way users set up accounts.
  2. Compliance. Cloud providers are not bringing in third party auditors the way they should be. They might say they are, but it’s a matter of trust unless they can show documentation and share it with their customers, which they often do not permit.
  3. Data governance. They don’t have strong mechanisms and processes in place to prevent data leakage and exposure, such as data loss prevention solutions (DLPs).
  4. Physical security. In some cloud provider facilities, servers are not adequately secured nor are they giving customers choice about where their data is physically and geographically stored.
  5. Encryption. Many of the top cloud providers are not encrypting customer data at rest—they might encrypt data in transit but they are leaving the data unencrypted at rest, and/or they are not managing their encryption keys appropriately.

What are some things a corporate risk manager can do to mitigate this risk?
I would say the first step would be to have a comprehensive risk-based, process-based information security program in place, one that meets international standards and emphasizes asset management and data classification. Know what you own and what your critical assets are. Classify them not only from a monetary value, but also for criticality and access control purposes.

  1. Have a formal selection and approval process for any externally managed or hosted cloud services. Do your due diligence and ask questions about security, assurance and access control.
  2. User education and training is also very important. You’re only as secure as your weakest link. Provide continuous education and training within your organization to stay on top of new and emerging cloud related risks.
  3. Lastly, I would recommend automating risk management processes. We launched the CloudeAssurance platform to provide an automated platform for customers to assess, score, rate, trend and benchmark cloud providers and obtain an objective apples to apples comparison of cloud services using a security score similar in theory to a credit score. Automated processes can also be used in other areas such as patch management, vulnerability management and password management.

In summary…
Mr. Lambo expertly outlines some of the key issues on the minds of both corporate risk managers and their cyber liability insurance carriers. While larger cloud providers can arguably secure their network and data better than small- or medium-size providers, that alone won’t alleviate the many concerns that exist within the cyber liability insurance community. Unfortunately, there are additional cloud-based risk issues that will likely play out over the next few years:

  • Aggregation risk: Insurers are increasingly concerned that many insured clients within their portfolio are using the same dominant cloud providers, which could trigger a catastrophic ‘cyber hurricane’ situation (e.g., many claims) should a major cloud experience a major security breach or outage.  With cloud breaches on the rise globally, this is of serious concern.
  • (Lack of) Forensics: Cloud providers might not allow their clients to forensically investigate a data breach inside the cloud environment, which in turn could negatively impact the client’s ability to submit a claim for a loss to their insurance carrier.
  • Contractual risk: Most cloud service level agreements are one-sided in favor of the cloud provider and typically won’t accept risk (i.e., they won’t defend or indemnify their clients), even if the cloud provider suffers a major security breach due to their own gross negligence. There remains a tremendous amount of uncertainty surrounding cloud service level agreements, and how to successfully negotiate them fairly.