Managing Cloud Risks
The adoption of cloud-based applications has skyrocketed in the past few years. Today, cloud use for business computing is no longer the exception, but rather the norm. In working with customers to identify their cloud use, Cisco has discovered that large customers now use on average 730 individual cloud services and capabilities including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS).
With such a variety of applications and information being hosted in various clouds, security and business risk are a primary focus for companies. But how do we protect company assets and reduce risk without overly restricting the business? Balancing what the company needs against what users want is a constant challenge in the evolving world of data security and data storage. Cisco IT administers a global program called Cloud & Application Service Provider Remediation (CASPR) to ensure that our data and brand are secure in the cloud, and has oversight for monitoring and managing more than 2000 cloud services used by Cisco employees.
“The point of CASPR is to protect and reduce our exposure to risks in the areas of compliance, financial viability, resiliency, and business criticality,” explains Ken Hankoff, CASPR program manager at Cisco. “Cisco IT is responsible for administering CASPR, and we leverage stakeholders that have an interest in making sure Cisco’s data and brand are secure. For example, Cisco InfoSec is a key stakeholder because InfoSec’s priority is to protect Cisco’s data and brand.”
Discovery, Awareness, and Business Risk
Many companies don’t have a clear understanding of just how much they’re consuming in the cloud. It’s not until they complete a cloud assessment using services and software such as Cisco® Cloud Consumption Services that they become aware of what cloud service providers they are using.
“If you only use the term ‘cloud service provider,’ most people think, ‘Well, we host everything ourselves; we don’t use cloud service providers.’ The reality is that you might not be hosting everything and your company is using all sorts of vendors that are cloud-based,” says Hankoff.
Rating Vendors to Manage Cloud Risks and IT Resources
With hundreds of providers to manage, being able to determine which cloud services and vendors are the riskiest is crucial. Internally, Cisco IT uses Cloud Consumption Services to give us visibility into our network traffic and help recognize which new services are being used by employees. We use a combination of machine learning, software tools, and professional services to identify risk. The final product of these tools and analyses is a primary repository of the cloud services in operation in our environment. The repository combines entries from Cisco’s security knowledge base and from the Cloud Security Alliance (CSA), an industry consortium that publishes attribute scoring for a large number of cloud services. Using this process, we are able to identify the business risk of using a particular new service.
“For every service, there are 65 attributes being examined, ranging from financial viability to compliance,” says Robert Dimicco, senior director of Cisco Cloud Consumption Services, “and not every one of these attributes is applicable. The Cloud Consumption Services software is going to look at all 65 and create a comprehensive risk score for Cisco IT.”
Based on the risk score, we use an assessment categorization matrix that rates the confidentiality of the information handled by a service against the business criticality of that information. A questionnaire establishes the data classification and business criticality for each application, producing a number that places the application on the matrix and sets the depth of assessment it receives. For example, restricted data with high business criticality requires the highest degree of assessment, while public data with low- to mid-level business criticality requires less rigor during the assessment process.
We are currently refining assessment categories to improve efficiency, and save time and resources. The aim is to focus resources on very high data classifications and business critical items where the risk of exposure is higher than low data classifications with little business criticality. “We’re always trying to streamline, make it repeatable, and make it simple,” says Hankoff.
Some of the areas we cover include architectural alignment, financial viability (a score that shows whether a provider exceeds our risk thresholds or presents a potential vulnerability), resiliency, and compliance. See Figure 1.
Figure 1. CASPR Program Key Areas of Assessment
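The discovery and matrix steps above can be reduced to a small pipeline: parse outbound proxy logs, collapse hostnames to the service they belong to, look each service up in the inventory of assessed services, and place the known ones on the classification-by-criticality matrix while queuing the unknown ones for triage. The following is an added illustration written for this page, not code from Cisco or from Cloud Consumption Services. The log format, the inventory entries, the four data classifications, the three criticality levels and the scoring thresholds are all assumptions made for the example; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log sample (not real traffic). Assumed field order:
# "<timestamp> <user> <method> <url> <status> <bytes-sent-by-client>"
PROXY_LOG = """\
2024-03-01T09:12:01Z alice GET https://app.box.com/folder/123 200 5120
2024-03-01T09:12:09Z bob POST https://login.salesforce.com/ 302 812
2024-03-01T09:13:44Z carol PUT https://files.example-share.net/upload 201 990000
2024-03-01T09:15:02Z alice GET https://www.facebook.com/ 200 4000
2024-03-01T09:16:11Z dave GET https://app.box.com/file/9 200 1000
2024-03-01T09:17:30Z erin POST https://notes.quick-pad.io/api/save 200 3000
"""

# Assumed inventory standing in for the repository of already-assessed services:
# registrable domain -> (data classification, business criticality).
KNOWN_SERVICES = {
    "box.com": ("restricted", "high"),
    "salesforce.com": ("confidential", "high"),
    "facebook.com": ("public", "low"),
}

# Assumed ordinal scales; higher means more sensitive / more critical.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CRIT_RANK = {"low": 0, "medium": 1, "high": 2}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def registrable_domain(host):
    """Collapse a hostname to its last two labels (app.box.com -> box.com).
    Sufficient for the constructed sample; production code should consult a
    public-suffix list so that names like example.co.uk are not mis-grouped."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assessment_tier(classification, criticality):
    """Place a (classification, criticality) pair on the matrix.
    Assumed thresholds: restricted/high scores 5 and gets a full assessment,
    public/low scores 0 and gets a light review."""
    score = CLASS_RANK[classification] + CRIT_RANK[criticality]
    if score >= 4:
        return "full"
    if score >= 2:
        return "standard"
    return "light"


def parse_log(text):
    """Return one record per well-formed line; malformed lines are skipped
    rather than allowed to abort the run."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        records.append({
            "user": m["user"],
            "method": m["method"],
            "domain": registrable_domain(host),
            "bytes": int(m["bytes"]),
        })
    return records


def discover(text, inventory=KNOWN_SERVICES):
    """Aggregate traffic per service and tag each one as assessed or not.
    Unassessed services are treated as the worst case (full tier) until
    someone classifies them."""
    usage = {}
    for r in parse_log(text):
        d = usage.setdefault(r["domain"], {"users": set(), "requests": 0, "upload_bytes": 0})
        d["users"].add(r["user"])
        d["requests"] += 1
        if r["method"] in ("POST", "PUT"):  # client is sending data to the service
            d["upload_bytes"] += r["bytes"]
    report = {}
    for domain, d in usage.items():
        if domain in inventory:
            cls, crit = inventory[domain]
            status, tier = "assessed", assessment_tier(cls, crit)
        else:
            status, tier = "unassessed", "full"
        report[domain] = {
            "status": status,
            "tier": tier,
            "users": sorted(d["users"]),
            "requests": d["requests"],
            "upload_bytes": d["upload_bytes"],
        }
    return report


def triage_queue(report):
    """Unassessed services ordered by bytes uploaded to them: the ones that
    may already be holding company data come first."""
    return sorted(
        (d for d in report if report[d]["status"] == "unassessed"),
        key=lambda d: (-report[d]["upload_bytes"], d),
    )


if __name__ == "__main__":
    rep = discover(PROXY_LOG)
    for domain in triage_queue(rep):
        print(f"TRIAGE {domain}: {rep[domain]['upload_bytes']} bytes uploaded by {rep[domain]['users']}")
```

On the constructed sample, box.com and salesforce.com land in the full-assessment tier, facebook.com in the light tier, and the two unknown domains come out of `triage_queue` with the one that received a 990 KB upload first. Ordering by upload volume is the point a practitioner cares about: an unassessed service that employees are only reading from is a visibility gap, whereas one they are uploading to may already hold restricted data.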
Balancing Speed and Efficiency with Managing Risk
Understanding how employees use cloud services and applications enables the business to reduce risk and exposure. The nature of using cloud services is dynamic, because it is user-centric and user needs vary. Over the course of a month, the services being consumed change and new services are constantly being launched. Cisco realized the importance of an automated software capability that monitors the cloud services being consumed, from popular social media sites to specific business applications (such as Salesforce, human resources applications, and customer relationship management systems).
“Once you find out what you’re consuming, you can start to look at it as any other asset in which you are investing time, money, and human resources,” explains Dimicco. “It’s your own traffic that is compelling. It is unique to your company, and that helps your company figure out where it’s vulnerable and where the risk to exposure is.”
Data sovereignty laws and regulations differ from country to country. In the United States, for example, storing company data on a third-party cloud service can weaken a company’s legal control over that data. Having a strong legal presence while the terms and conditions of contractual agreements with cloud service providers are finalized is critical to the company. One of the most challenging aspects of cloud services is determining the business risk to an organization when critical documents or software code no longer reside on its own premises but in a storage provider’s cloud. It is vital for a company to understand the risk its data is exposed to and how to mitigate that risk through controls, policies, behaviors, and ongoing analysis.
“Now, more than ever, it’s important to make sure you’re in compliance,” says Dimicco. “The key is to do the things you need so that your employees still have the access they require, while effectively balancing cost and risk.”
Ways to Reduce Business Risk
There are numerous ways an organization can reduce business risk.
● Discover which cloud service providers you are using, so that you can reduce costs, consolidate vendors, and migrate away from high-risk vendors.
● Establish a cloud governance and risk classification process to focus resources on very high data classifications and business-critical items, where the risk of exposure is high.
● Define cloud use policies to reduce risk. Risk can be mitigated with data policies, employee training, and employee behaviors. For example, when Cisco realized employees were using cloud services to store data, we enacted a company-wide policy that the preferred company storage is Box.com and encouraged employees to adopt this service. Users are not prevented from using other services; however, we standardized on Box.com because we have integrated the service into Cisco, and that integration has reduced the business risk of Cisco employees and contractors storing data in the cloud.
For More Information
The hidden costs of cloud are 4 to 8 times higher than billed costs. To learn more, visit How Much Are You Spending on the Cloud?
To learn more about how Cisco can help you manage cloud risk, visit Cisco Cloud Consumption Services.
To learn more about CSA, visit Cloud Security Alliance.
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.