Cloud-Based Risk Management

Introduction

Cloud computing has offered firms a new paradigm that has been widely adopted because of benefits such as economies of scale, low upfront effort, and the ability to scale operations (Buyya et al., 2018). These benefits, however, do not come without risk. There are various baseline security requirements organizations should consider implementing as they design and implement cloud-based information systems. This paper examines those baseline security requirements in the context of enterprise risk management (ERM) frameworks. ERMOCTAVE, an approach to ERM based on the OCTAVE framework (Mackita et al., 2019), is examined specifically in the context of these requirements.

Baseline Security Requirements in ERMOCTAVE

ERMOCTAVE combines two approaches to risk management: ERM and OCTAVE (Mackita et al., 2019). ERM (Enterprise Risk Management) is one of the most prevalent frameworks for managing risk at the organizational level rather than in silos (Anton & Nucu, 2020). OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a common framework for managing risk related to information systems (Mackita et al., 2019). Combining the two approaches gives organizations a robust approach to information security that is incorporated into strategic-level risk management (Mackita et al., 2019).

ERMOCTAVE is made up of three distinct phases (Mackita et al., 2019). Each phase merges concepts from the traditional OCTAVE and ERM frameworks (Mackita et al., 2019). ERM has steps called “objective setting” and “internal environment” (Mackita et al., 2019, Section 3). These steps are combined with the OCTAVE practice of building threat profiles based on organizational assets to form Phase 1 of ERMOCTAVE (Mackita et al., 2019). Phase 2 takes the concepts of assessing risk and identifying events from ERM and combines them with the OCTAVE concept of identifying infrastructure vulnerabilities (Mackita et al., 2019). Finally, Phase 3 takes the concepts of response, control, communication, and monitoring from ERM and the OCTAVE concept of developing mitigation and protection plans (Mackita et al., 2019).

Phase 1 of ERMOCTAVE is broken into eight sub-processes (Mackita et al., 2019). These sub-processes highlight the following baseline security requirements for companies leveraging cloud computing: objective setting, asset identification, identification of security practices, identification of critical assets, descriptions of security requirements for those critical assets, identification of current vulnerabilities, and the creation of threat profiles (Mackita et al., 2019).

In a case study performed by Mackita et al. (2019), the critical assets identified were placed into four categories: information, systems, hardware, and external. Information assets included specific tables in the firm's database (Mackita et al., 2019). Systems assets included operationally critical software applications (Mackita et al., 2019). Hardware assets included the on-premises servers maintained by the organization (Mackita et al., 2019). External assets included third-party dependencies with a high level of influence on operations (Mackita et al., 2019).

Phase 2 of ERMOCTAVE is broken into three sub-processes (Mackita et al., 2019). These sub-processes highlight the following baseline security requirements: identification of events that could potentially affect the assets identified in Phase 1, review of each of the vulnerabilities identified, and a high-level risk assessment (Mackita et al., 2019). In their case study, Mackita et al. (2019) identified the following events for their organization: DDoS attacks (or more benign situations with the same effect), hardware malfunctions, unauthorized access to information systems, disruptions to network services, and disruptions to partner services. Mackita et al. (2019) then identified the following vulnerabilities: SLA coverage, authentication redundancy, and a lack of data backups. Finally, Mackita et al. (2019) identified the potential risks associated with those vulnerabilities.

Phase 3 of ERMOCTAVE is broken into six sub-processes (Mackita et al., 2019). These sub-processes highlight the following baseline security requirements: identification of risk to critical assets, creation of risk evaluation criteria, evaluation of risks, creation of risk response and protection strategies, creation of risk mitigation plans, implementation of controls, and implementation of continuous monitoring (Mackita et al., 2019). In Phase 3, Mackita et al. (2019) linked the risks identified in Phase 2 to the critical assets identified in Phase 1 and used those risks to carry out the remaining sub-processes of the phase.

While the ERMOCTAVE framework helps organizations establish baseline security requirements, the specific requirements will vary depending on the needs of the firm. More specific requirements could cover Identity and Access Management (IAM), data security, network security, security monitoring and logging, compliance and governance, incident response and recovery, configuration management, vendor and third-party risk management, security training and awareness, and audit and assurance.

Other Considerations

Each of these topics could be studied more deeply, and likely should be studied in the context of the specific organization in question. Topics such as IAM requirements can vary based on organizational needs. In their case study, for example, Mackita et al. (2019) identified social identity providers as external critical assets. They also identified authentication both as a current security practice and as a vulnerability (Mackita et al., 2019). Many resources exist to help develop such processes; one example for IAM is the maturity model developed by Schrimpf et al. (2021) to evaluate the IAM processes of four firms in the German financial industry.

Data security requirements could cover data encryption, classification, and data handling. Network security requirements could cover network segmentation, firewalls, and zero-trust cloud architecture. Compliance and governance requirements could vary heavily depending on the regulatory requirements of the relevant industry and the jurisdictions in which the organization operates. Monitoring and logging requirements could depend on the audit trails the organization requires as well as the level of documentation needed to evidence other mitigation strategies and controls.

Conclusion

As is evident, the specific security requirements that organizations choose as their baseline may vary depending on organizational needs, the industry in which the organization operates, and the jurisdictions in question. Despite this, frameworks such as ERMOCTAVE serve as a guideline for firms to develop their cloud-based risk management practices at both an operational and a strategic level.

References

Anton, S. G., & Nucu, A. E. A. (2020). Enterprise Risk Management: A Literature Review and Agenda for Future Research. Journal of Risk and Financial Management, 13(11), 281. https://doi.org/10.3390/jrfm13110281

Buyya, R., Srirama, S. N., Casale, G., Calheiros, R., Simmhan, Y., Varghese, B., Gelenbe, E., Javadi, B., Vaquero, L. M., Netto, M. A. S., Toosi, A. N., Rodriguez, M. A., Llorente, I. M., De Capitani Di Vimercati, S., Samarati, P., Milojicic, D., Varela, C., Bahsoon, R., De Assuncao, M. D., . . . Shen, H. (2018). A manifesto for future generation cloud computing. ACM Computing Surveys, 51(5), 1–38. https://doi.org/10.1145/3241737

Mackita, M., Soo-Young, S., & Tae-Young, C. (2019). ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing. Future Internet, 11(9), 195. https://doi.org/10.3390/fi11090195

Schrimpf, A., Drechsler, A., & Dagianis, K. (2021). Assessing Identity and Access Management Process Maturity: First Insights from the German Financial Sector. Information Systems Management, 38(2), 94–115. https://doi.org/10.1080/10580530.2020.1738601

© Trevor French