
Information

Language: English
Date: May 05 - 08, 2015
Location: Dolce BallhausForum, Andreas-Danzer-Weg 1, 85716 Unterschleißheim, Munich
Registration fee: $2772.00 plus 19% VAT

Cloud Risk Assessment

06.05.2015 15:30-16:30
European Identity & Cloud Conference 2015
Combined Session
Moderator:

Assessing and Mitigating Cloud Risks


The modern reality is that even the most technology-conservative companies are considering shifting some of their valuable assets to the cloud. However, since anyone with a credit card can purchase cloud services with a single click, the governance and control of organisations are frequently being circumvented. This can create various challenges for organisations that wish to adopt the cloud securely and reliably.

This session will lead you through various approaches to assessing and mitigating the risks of onboarding cloud solutions.

Key Takeaways:

  1. Understanding of information risks related to cloud usage.
  2. Understanding of the concept of dynamic selection of controls, based on data profile, to mitigate cloud risks.
  3. Application of the proposed framework in daily practice (e.g. by turning it into a software tool that allows quick and easy control selection for the employees responsible).

Dynamic Control Selection Framework for Onboarding Cloud Solutions


This talk will propose a data-driven selection of organisational, technical, contractual and assurance requirements, so that secure usage of cloud solutions within the enterprise can be guaranteed. The importance of data-oriented control selection will be outlined and key control domains will be introduced.

Dynamic Certification of Cloud Ecosystems


Cloud ecosystems are dynamic and flexible enablers for innovative business models. Some business models, especially for the European cloud market, however, still face challenges in security, privacy, and trust.

A common approach among cloud providers addressing these challenges is proving one's reliability and trustworthiness by audit certificates. Basically, audit certificates are based on national and/or international as well as business and/or governmental compliance rules. The most prominent certifications in cloud computing are the "Open Certification Framework (OCF)" of the Cloud Security Alliance, EuroCloud's "Star Audit", and "Certified Cloud Service" provided by TÜV Rheinland, as well as more general certifications following ISO 27001, BSI Grundschutz, ENISA, and NIST.

This session will discuss the state of the art of auditing and certifying cloud ecosystems and how current certification catalogues and schemes have to be enhanced to meet future requirements - requirements such as dynamic certification, on-demand audits, and automatic monitoring and evaluations.

Cloud Risk Assessment – An "Action-Oriented" Approach to Merge Engineering, Economic and Legal Analyses


When moving to the use of cloud services, it is most important to take a risk-based approach. However, the process involved is often manual and time-consuming; a tool is needed to enable a more rapid and consistent assessment of the risks involved. This session describes why a risk-based approach to the use of cloud services is needed. It introduces the KuppingerCole Cloud Rapid Risk Assessment Tool, developed by KuppingerCole to help organizations assess the risks around their use of cloud services in a rapid and repeatable manner.

After attending this session you will be able to:

  • Describe why a risk-based approach is needed.
  • Describe the KuppingerCole Cloud Rapid Risk Assessment Tool.
  • Describe the benefits from the use of this tool.

© 2015 KuppingerCole