Study: Look to the cloud for better risk management
A new study based on a survey of risk measurement and risk governance indicates that the public cloud is the way forward for companies that want to reduce their risk.
Or, if moving to the cloud isn’t an option, those organizations should adopt cloud-driven modernization techniques in their on-premises IT systems, says the Risk Measurement and Risk Governance joint research project by Google Cloud and the Cloud Security Alliance (CSA), a nonprofit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
In this study, which follows a 2021 report, CSA sought to assess public cloud maturity and risk management within the enterprise and provide a deeper understanding of public cloud adoption and risk management practices.
To that end, the two-phase project involved 20 executive interviews and a survey that garnered more than 600 responses last year.
CSA suggested that improving risk situations may be part of the growing movement toward “digital transformations,” which the organization says involves the adoption of technologies that improve customer and operational experiences.
“With an eye to improving overall business risk management, the cloud is increasingly seen as a means of strengthening an enterprise’s risk posture, a move that is often accompanied by an enhanced approach to application security, data and infrastructure,” the CSA said in a June 22 press release. “Consequently, enterprise risk assessment processes must adapt the cloud model and take into account the implications of shared responsibility, in which both the cloud service provider and the customers own the provision of cloud services. The joint assessment of cloud and business risks provides a better understanding of the IT impact on an enterprise’s overall risk maturity, including the adoption of a shared destiny partnership between CSPs and customers.”
The report is based on four key findings:
As organizations embrace the cloud, they face the challenge of assessing risk
“There is no consistency in data classification in the use of cloud platforms and services: only 21 percent of users use the cloud service’s data classification, and only 65 percent of those users align with internal data classification schemes,” the CSA said.
Cloud migration can unify data collection methods (collecting, tracking, and organizing cloud assets), which is now mostly done with internal data classification schemes and manual digital asset management, resulting in less consistency in how organizations classify data across cloud platforms and services, the report said. “Only 21 percent of users use native or automated cloud data classification tools and only 65 percent of those users align with internal data classification schemes,” the CSA said. “Companies interviewed also shared a lack of consistency in how cloud services are identified and classified. This lack of data and cloud governance practices adds to the inconsistency in digital asset management.”
Cloud risk assessment faces challenges with growing cloud adoption by enterprises
“With cloud adoption numbers rising, more than half (52 percent) of organizations reported that they did not assess the risk of their cloud services being used post-acquisition as product features or business environments changed,” the CSA said.
Digital transformations to modernize businesses involve increasing the production of cloud workloads and increasing the use of clouds, the report said. “This is evident with cloud service usage figures in addition to 58 percent of companies responding to the survey primarily using multiple providers of cloud infrastructure as a service (IaaS),” the CSA said. “With cloud adoption numbers rising, respondents shared that services are often evaluated only at acquisition and not re-evaluated as product features or business environments change. More than half (52 percent) of organizations reported that they do not assess the risk of their cloud services being used post-acquisition.”
Tools to quantify and measure risk need improvement
“When evaluating effective cloud risk management practices, 70% of organizations reported less effective processes for assigning risk to cloud assets. Only 4% reported having highly effective practices. These processes are affected by the tools and methods used to measure the risk of cloud platforms and products,” the CSA said.
Monitoring, measuring and reporting risk is difficult
“Thirty percent of enterprises reported that risk rating systems are used as a directional guide to risk improvement for certain cloud solutions rather than measurements that can be relied upon to compare all services in the cloud,” the CSA said.
The following chart reflects responses to questions about organizations’ methods of quantifying risk and their satisfaction in order to better understand how organizations calculate risk. The CSA found it interesting that 10 percent of respondents reported that their organization did not even quantify risk.
Among the many tools used to monitor, measure and report risk in the cloud, the metrics to measure risk do not always differentiate between cloud-native, third-party or open source risks, the study found. “The exception is open source frameworks and tools that share a defined set of criteria, which may be why open source tools were reported to be more effective,” the CSA said.
The last word
“This study shares a better understanding of public cloud adoption and risk management practices within the enterprise,” the report says. “It also discusses the challenges of managing and measuring risk in the cloud with some techniques that work well and others that need improvement and replacement. Patterns of more stringent risk management processes and altered risk tolerance were discovered when using the cloud. As in many fields, there is still work to be done as organizations mature their ability to manage cloud and multi-cloud security and risk mitigation.
“We see through this study that these issues are ameliorated in the cloud compared to today’s legacy and on-premises IT environments. The analysis shows that while constant improvements are needed, a strategy to reduce risk by modernizing IT in the cloud or in cloud-like on-premises infrastructure remains an organization’s best path to viable risk management. Risk management practices impact many areas of the business. Modernizing the approach will help both enterprises and providers improve cloud adoption. The cloud is becoming less of a risk to manage and more of a means of managing these risks.”