Study: Turning to the cloud for better risk management
A new study based on a survey of risk measurement and risk governance indicates that the public cloud is the way forward for companies that want to reduce their risks.
Or, if moving to the cloud isn’t an option, these organizations should adopt cloud-based modernization techniques in their on-premises IT systems, according to Google Cloud and the Joint Research Project Measuring Risk and Risk Governance. Cloud Security Alliance (CSA), a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
In this study, which follows a 2021 report, CSA sought to assess public cloud maturity and risk management within the enterprise and provide a deeper understanding of public cloud adoption and risk management practices within the company.
In that vein, the two-phase project involved 20 interviews with executives and a survey that garnered more than 600 responses last year.
CSA suggested that improving risky situations can be part of the growing movement toward “digital transformations,” which the organization says involves adopting technologies that improve operational and customer experiences.
“In an effort to improve overall enterprise risk management, the cloud is increasingly seen as a way to strengthen a company’s risk posture, a development that is often accompanied by an approach enhanced application, data and infrastructure security,” the CSA said in a June 22 press release. “As a result, enterprise risk assessment processes must adapt the cloud model and consider the implications of shared responsibility, where both the cloud service provider and the customers own the delivery of the services. joint cloud and business risk assessment provides insight into the IT impact on an enterprise’s overall risk maturity, including adopting a shared-destiny partnership between the CSP and customers.”
The report is structured around four key findings:
As Organizations Adopt the Cloud, They Are Asked to Assess the Risks
“There is no consistency in the classification of data in the use of platforms and cloud services: only 21% of users use the data classification of cloud services, and only 65% of these users align with internal data classification schemes,” the CSA said.
Cloud migration can unify data collection methods (collecting, tracking, and organizing cloud assets), which is now mostly done with internal data classification schemes and manual digital asset management, resulting in less consistency in how organizations classify data across cloud platforms and services, the report says. “Only 21% of users use cloud-native or automated data classification tools and only 65% of those users align with internal data classification schemes,” CSA said. “Companies surveyed also shared a lack of consistency in how cloud services are identified and categorized. This lack of data and cloud governance practices adds to the inconsistency of digital asset management.”
Cloud Risk Assessment Faces Challenges With Growing Enterprise Cloud Adoption
“As the number of cloud adoptions increases, more than half (52%) of organizations said they did not assess the risk of using their cloud services after purchase because product functionality or business environments have changed,” the CSA said.
Digital transformations to modernize businesses involve increased cloud workload production and growing use of clouds, the report says. “This is evident with the cloud service usage figures in addition to the 58% of companies surveyed who primarily use multiple cloud infrastructure as a service (IaaS) providers,” CSA said. “As the number of cloud adoptions increases, respondents shared that services are often only evaluated during provisioning and not re-evaluated as product features or business environments change. More than half (52%) of organizations said they do not assess the risk of using their cloud services after provisioning.”
Risk quantification and measurement tools need to be improved
“When evaluating effective cloud risk management practices, 70% of organizations reported less effective processes for attributing risk to cloud assets. Only 4% reported having highly effective practices. These processes are impacted by the tools and methods used to measure risk to cloud platforms and products,” the CSA said.
Monitoring, measuring and communicating risk is difficult
“Thirty percent of companies indicated that risk rating systems are used as a directional guide for improving risk for certain cloud solutions, as opposed to metrics that can be relied upon to compare all cloud services,” said said the CSA.
The following graph reflects responses to questions about methods and organizations’ satisfaction with quantifying risk that were posed to better understand how organizations calculate risk. CSA found it interesting that 10% of respondents said their organization didn’t even quantify risk.
Among the many tools used to monitor, measure, and report risk in the cloud, risk measurement metrics don’t always distinguish between cloud-native, third-party, or open-source risk, the study found. “The exception is for open source frameworks and tools that share a defined set of criteria, which may explain why open source tools have been reported as more effective,” CSA said.
The last word
“This study shares a better understanding of public cloud adoption and risk management practices within the enterprise,” the report said. “It also analyzes the challenges of managing and measuring risk in the cloud with some techniques working well and others needing improvement and replacement. Stricter risk management process models and risk tolerance impaired when using the cloud have been discovered.As in many areas, there is still work to be done as organizations mature their ability to manage cloud and multi-cloud security and risk mitigation.
“It is observed through this study that these issues are improved in the cloud compared to current on-premises and legacy IT environments. The analysis shows that while constant improvements are needed, a strategy to reduce risk through IT modernization in cloud or on-premises type infrastructure remains the best route for an organization to manage viable risk.Risk management practices impact many areas of the business.Modernizing the approach will help both businesses and providers to improve cloud adoption. The cloud presents less and less of a risk to manage and more of a way to manage those risks.”
David Ramel is an editor and writer for Converge360.