Originally published by New Context.
Any enterprise or company that considers all the talk about cybersecurity to be overblown need only look to the recent SolarWinds breach for validation that cloud security risks are all too real. SolarWinds provides a wide range of services, including network, database, and application and server management to a large number of public and private organizations globally. The company also manages third-party service providers, which is a critical aspect of a cloud security architecture for controlling external accessibility.
In the SolarWinds case, the supply chain was compromised allowing backdoor access to customer resources. However, there are other sources—both external and internal—that threaten the security of your operations and data storage. For these reasons and more, assessing cybersecurity risks should be an ongoing activity for your organization. To be effective, a cybersecurity risk assessment must include certain major steps, which we define in this article.
Important Cybersecurity Risk Assessment Steps
The answer to the question of whether a cybersecurity risk assessment is necessary is an emphatic yes! A more pertinent question is: What are the objectives of the exercise?
Key questions to ask about your cybersecurity risk assessment objectives are:
- What are the most important internal and external cyber security threats that our organization faces?
- How vulnerable are our assets to attack and compromise?
- What level of risk is acceptable?
- What level of cost is acceptable for risk mitigation?
- How can we minimize susceptibility to new and changing threats?
By structuring your assessment to provide answers to the questions above, you will be in a better position to devise a strategy that can maximize your organization’s cloud security posture. To begin implementing this strategy, follow the 7 steps below for your cloud security assessment.
Step #1: Define and Prioritize Assets
The first step in assessing your organization’s security is to define what assets need to be protected. Typically, this will include: all proprietary data and information; any employee, client, customer, or other personal identifiable information (PII) for which you are responsible; and software and hardware. If your organization is accountable for additional regulations, such as HIPAA, you’ll want to ensure the data and systems relevant to those compliance requirements receive focused attention.
Once you’ve accounted for all valuable assets, it’s good practice to prioritize them along two dimensions: value to the company, and value to a potential attacker. Any scaling system can work, conducting the exercise itself is the most important step. One of the easiest and most effective scales is a simple ordered list, from most to least. The ordering forces a choice, which requires a truth assessment of each asset.
Step #2: Determine Your Threats
The effectiveness of your assessment is dependent upon your cyber threat intelligence. That is not only knowing the sources and types of threats that exist in the cyberspace environment, but specifically which threats are you most likely to encounter. This intelligence is critical to the development of an effective data security strategy.
There are external sources that can help build a threat profile, but the most important source is the collective wisdom within your organization. IT operations and Engineer staff usually have a pretty good sense of weak spots and valuable targets, i.e. the places where attacks are most likely to occur. Collect that unvarnished feedback, and proceed accordingly.
Step #3: Determine Your Vulnerabilities
Knowing your threats is only useful if you also assign a level of vulnerability to them. Assessing vulnerabilities requires that you have a sense of what assets are exposed and to what degree.
As with threat determination, start with information your organization already knows intimately, in this case the flow of information in and around the company’s daily processes. Where does data normally come in and go out? Who are the intended recipients? How open or exposed are the connection points between systems or services? Are there any optional audiences that look at certain data “sometimes?” Basic self-awareness paints a vivid picture in short order.
Step #4: Determine the Level of Risk Acceptability
Obviously, constructing a security apparatus that is impenetrable is desirable. However, any security expert will tell you that “complete” security is a fallacy: it is impossible to secure any system with 100% certainty if that system is accessible by employees, clients, customers, and/or other users. Instead, you should determine the level of risk that your organization’s operations could absorb or recover from in the event of a breach.
You may want to adapt what is colloquially called the detrimental effects of a breach, the “blast radius.” The size of the radius is an informal measure of negative outcomes. An event with a small blast radius might cause minimal and recoverable damage, while a larger radius might have significant monetary impact, and a really big radius could destroy the company’s overall viability. Assign a blast radius to known potential threats and vulnerabilities, then work backwards, mitigating the cybersecurity risk with the largest radius first.
Step #5: Evaluate and Define Your Control Strategy
Controls are the processes, tools, and algorithms that your security management utilizes to protect against and respond to unauthorized access attempts. This may include compliance automation tools, secrets management tools, API management security, and other means of risk mitigation. Many companies start by defining policies and procedures that would be enforced by security management tooling. These policies reflect how to perform the tasks necessary to conduct business in as secure a fashion as possible. There is often a fair bit of trial-and-error in striking the right balance between enforcement and effectiveness: policies should maintain security whilst not impeding normal workflows. Once the policies are well established, tooling enters the picture to automate enforcement, reducing manual time-consuming efforts.
Step #6: Valuate Your Risk Management Plan
An important facet of any cloud architecture is or should be cost optimization. And this includes performing cost-benefit analyses of security costs. To do so, however, requires that you assign value to cybersecurity risks and the controls needed to mitigate their occurrence. Steps 1-5 above should be planned in a financial bubble, without regard to the costs associated with implementation. Budgeting colors the picture once the initial cybersecurity assessment is complete. In this fashion, tactical implications are clearly understood first, and then distinctly weighed against implementation and mitigation costs. Every company and situation is different; let your company’s unique metrics, insight, and budget guide decision-making.
Step #7: Monitor and Update Your Plan as Necessary
The most important thing to understand about cybersecurity risk mitigation is that it is dynamic. The types and sources of threats are always evolving and expanding; therefore, you must be vigilant and continually monitor and update your risk management strategy. The cybersecurity assessment outlined above is agile in nature: it can and should be conducted repeatedly each time new factors enter the picture.
The steps listed above should be included in any cybersecurity assessment. Yet, the success of your assessment rests most firmly upon your choice of how it is implemented.
Implementing Your Cybersecurity Risk Assessment
Performing cybersecurity assessments is not optional for any organization that wants to operate safely in the cloud. However, many organizations are not well-equipped to do so themselves. Internal assessments often fail to objectively analyze data risks and resource vulnerabilities. Additionally, remaining current on the threats that exist and the best methods and tools to address them requires dedication and expertise that is typically possessed only by professionals capable of effectively instituting and deploying DevSecOps essentials.