Much of the risk in the cloud can be seen as data driven. When an enterprise shifts to cloud, oftentimes they don't have a set governance model around data classification. Based on the application (consider Slack versus email), they may be more willing to accept that they can't control content through Slack, and will focus more on incoming and outgoing user email. Slack could still be a risk, but the business knows that more sensitive material is probably being distributed via email, so its focus shifts towards that asset first. This would require firewall configurations and whitelisting, as well as logging for emails that may contain sensitive material or PII.
It is important to understand a business impact assessment (BIA) in this scenario. Every piece of technology (both cloud and on-prem) should be taken into account and given a rating from most critical to least critical. A business will probably have a lower risk tolerance for the more critical infrastructure.
Another example is government regulations with respect to the regional location of a business. It may be acceptable enough for a business that solely uses basic cloud services (a small business) to not have to worry about the risk of compliance regulations, due to the attestation reports and controls that the cloud provider offers. This is where the shared responsibility model plays a critical role.
Hope some of this helps. If you have further questions let me know.
------------------------------
Sean Heide
Research Analyst
CSA
------------------------------
Original Message:
Sent: Dec 11, 2020 11:13:18 AM
From: Jenna Morrison
Subject: Risk Tolerance: Acceptable Risks
Hello!
In 2.1.2 of the Security Guidance V4 of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets?
Thanks :)
------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------