Study: Look to Cloud for Better Risk Management

A new survey-based study on measuring risk and risk governance indicates that the public cloud is the way to go for enterprises that want to reduce their overall risk.

Or, if moving to the cloud isn't an option, those organizations should adopt cloud-driven modernization techniques in their on-premises IT systems, says the Measuring Risk and Risk Governance joint research project from Google Cloud and the Cloud Security Alliance (CSA), a not-for-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

In this study, which follows a 2021 report, CSA sought to assess the maturity of public cloud adoption and of risk management within the enterprise, and to provide a deeper understanding of how the two are practiced together.

In that vein, the two-phased project involved 20 executive interviews and a survey that garnered more than 600 responses last year.

CSA suggested that improving an organization's risk posture can be part of the growing movement toward "digital transformation," which the organization said involves adopting technologies that enhance operational and customer experiences.

"With an eye toward improving overall business risk management, the cloud is increasingly seen as a means to strengthen an enterprise's risk posture, a move that is often accompanied by an upgraded approach to application, data, and infrastructure security," said the CSA in a June 22 news release. "Accordingly, enterprise risk assessment processes must adapt the cloud model and take into consideration the implications of shared responsibility, where both the cloud service provider and customers have ownership in the delivery of services. Evaluating cloud and business risk together provides a better understanding of IT's impact on an enterprise's overall risk maturity, including adopting a shared fate partnership between CSP and customers."

The report is built around four key findings:

As Organizations Adopt Cloud, They Are Challenged to Evaluate Risk
"There is no consistency of data classification across the use of cloud platforms and services -- only 21 percent of users are utilizing cloud service data classification, and only 65 percent of those users are aligning with internal data classification schemes," the CSA said.

Inconsistency in Digital Asset Management
How Do You Collect, Track and Organize Cloud Assets? (source: Cloud Security Alliance)

Migrating to the cloud can unify how organizations collect, track and organize their assets. Today that work is done mostly with internal data classification schemes and manual digital asset management, which leads to less consistency in how data is classified across cloud platforms and services, the report indicated. "Only 21 percent of users are utilizing native or automated cloud data classification tools and only 65 percent of those users are aligning with internal data classification schemes," the CSA said. "Enterprises interviewed also shared a lack of consistency on how cloud services are being identified and categorized. This lack of data and cloud governance practices adds to the inconsistency in digital asset management."

Cloud Risk Evaluation Faces Challenges with Growing Business Adoption of Cloud
"With cloud adoption numbers increasing, more than half (52 percent) of organizations reported that they did not evaluate the risk of their cloud services being used after procurement as product features or business environments changed," the CSA said.

Do You Repeatedly Evaluate and Adjust Risk Status? (source: Cloud Security Alliance)

Digital transformations that modernize enterprises involve moving more production workloads to the cloud and using more cloud services, the report indicated. "This is evident with the cloud service usage numbers in addition to the 58 percent of survey respondent companies primarily using multiple cloud infrastructure as a service (IaaS) providers," the CSA said. "With cloud adoption numbers increasing, respondents shared that services are often evaluated at procurement only and not re-evaluated as product features or business environments change. More than half (52 percent) of organizations reported not evaluating the risk of their cloud services being used after procurement."

Tools for Quantifying and Measuring Risk Need to Improve
"When evaluating effective risk management practices for the cloud, 70 percent of organizations reported less effective processes for assigning risk to cloud assets. Only 4 percent reported having highly effective practices. These processes are impacted by the tools and methods used to measure risk for cloud platforms and products," the CSA said.

Effectiveness of Processes and Tools (source: Cloud Security Alliance)

Monitoring, Measuring and Reporting Risk Is Difficult
"Thirty percent of enterprises reported that risk scoring systems are used as a directional guide to risk improvement for certain cloud solutions as opposed to measurements that can be relied on for comparison across all cloud services," the CSA said.

The following graphic reflects answers to questions about organizations' methods for quantifying risk, and their satisfaction with those methods, which were asked in order to better understand how organizations calculate risk. The CSA found it notable that 10 percent of respondents reported that their organization did not quantify risk at all.

Satisfaction with Methods for Quantifying Risk (source: Cloud Security Alliance)

Among the many tools used to monitor, measure and report risk in the cloud, the metrics they produce don't always distinguish cloud-native, third-party and open source risks from one another, the study indicated. "The exception is open source frameworks and tools that share a defined set of criteria which may be why open source tooling was reported as more effective," the CSA said.

The Final Word
"This study shares a better understanding of public cloud adoption and risk management practices within the enterprise," the report said. "It also analyzes the challenges of managing and measuring risk in the cloud with some techniques working well and others in need of improvement and replacement. Patterns of stricter risk management processes and altered risk tolerance when using the cloud were uncovered. As in many fields, there is still work to be done as organizations mature their ability to manage cloud and multi-cloud security and risk mitigations.

"It is observed through this study that these issues are improved in the cloud when compared to current on-premise and legacy IT environments. The analysis shows that while constant improvements are needed, a strategy to reduce risk by IT modernization into the cloud or cloud-like on-premise infrastructure remains an organization's best path to viable risk management. Risk management practices impact many areas in the enterprise. Modernizing the approach will help both businesses and providers improve the adoption of the cloud. Cloud is becoming less of a risk to manage and more of a means to managing these risks."

About the Author

David Ramel is an editor and writer for Converge360.