August 22, 2017 By Brian Evans 4 min read

According to a recent Forrester report, enterprise cloud computing adoption accelerated in 2016 and will do so again in 2017. Software-as-a-service (SaaS) remains the largest portion of the public cloud market, with global spending expected to reach $105 billion in 2017 and $155 billion by 2020. Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) will experience the fastest growth rate, fueled by the global expansion and success of the leading megacloud vendors.

Still, security remains the top enterprise concern for both public and private clouds. That’s why your company should have a formal cloud vendor risk management program in place. A cloud vendor risk management program is intended to handle information security in a consistent manner, regardless of how varied or unique the cloud computing environment may be. The use of standard methods helps ensure that security decisions and actions are based on reliable, consistent information.

Managing Cloud Vendor Risks

The objective of a cloud vendor risk management program is to provide a tailored set of security controls and requirements within a cloud computing environment. It focuses on the processes necessary to effectively address information security controls, requirements and considerations through a phased life cycle approach.

All IT assets require some form of protection. The appropriate level of security should be commensurate with the value of the asset, including the value of the information the asset contains, the magnitude of harm that would result from a loss of confidentiality, integrity or availability, and the impact such a loss could inflict. These factors represent important drivers for securely managing cloud computing operations.

Five Phases of Enterprise Cloud Computing Risk Management

The program can be organized into five phases. Each phase outlines steps to validate and incorporate security into enterprise cloud computing operations as part of an end-to-end life cycle approach to risk management.

1. Initiation Phase

During the initiation phase, your company identifies the need for cloud computing services and documents its purpose. This involves the participation of key stakeholders from business units such as legal, compliance, vendor management, IT and finance. During the development of the business case and cost benefit analysis, the information security team provides a voice in the critical decision-making process of moving to the cloud.

Security planning begins in the initiation phase with the identification of key security roles. Security requirements are evaluated for any confidential information intended to be processed, transmitted, stored or maintained within the cloud environment.

All stakeholders should have a common understanding of these security considerations. This should consist of a preliminary risk assessment of the basic security needs and requirements, which must consider applicable laws, regulations, organizational policies and controls to identify threats to the cloud environment. It also identifies the information classification to assist in making the appropriate selection of security controls. As part of your initial due diligence, your company should have a list of vetted cloud vendors.

2. Solution Development Phase

In the solution development phase, the cloud vendor solution is designed, purchased, programmed, developed or otherwise constructed. This ensures that security controls, requirements and all necessary components are considered when incorporating security into the life cycle.

A key activity in this phase is conducting a formal risk assessment and using the results to identify the baseline security controls and requirements. This includes requesting from the cloud vendor such items as its security policy, infrastructure geographic locations, technical security measures and other control documentation. The cloud vendor must meet or exceed the organization’s defined information security requirements. Additionally, the information security and vendor management teams must collaborate to define and incorporate baseline security requirements into contracts and agreements.

3. Implementation Phase

During the implementation phase, IT assets and services are integrated or implemented within the cloud vendor environment. Security controls are established and verified in accordance with organizational policy and expectations, cloud vendor instructions and available implementation guidance.

Prior to the migration, certain sensitive assets should be encrypted. Establish a disaster recovery plan with back-out procedures in case the migration fails. Finally, agreed-upon security controls should be fully documented, including the results of verification and validation reviews and tests.

4. Operations and Maintenance Phase

The operations and maintenance phase ensures that controls are effective in their application through periodic monitoring, testing and evaluation. It is critical to consider the potential security impacts of changes in the cloud environment. Cloud vendors should provide external assessment reports, such as the American Institute of Certified Public Accountants’ system and organization controls (SOC) reports, if they preclude their customers from directly conducting security assessments.

Your company should continuously monitor performance of the IT assets and services to ensure that they are consistent with pre-established security controls and requirements, and incorporate any needed modifications.

5. Termination and Disposal Phase

The termination and disposal phase ensures that your company’s information, IT assets, and hardware and software components within the cloud environment are moved, archived, sanitized or destroyed according to organizational policy. Termination and disposal requirements should be explicitly written in the cloud vendor’s contract. This phase ensures orderly termination and decommissioning so that your information is effectively migrated to another IT asset or archived in accordance with applicable regulations and policies.

Reimagining — Not Reinventing — Cloud Security

Cloud computing creates risks and may require a reimagining, but not a reinvention, of security programs and architectures. Your company should increase its skills and training to negotiate, monitor and enforce agreements with cloud vendors. It should also adapt technical security architectures for more open networks, rethink security zones for the cloud and conduct ongoing security assessments.

Although cloud computing may be perceived as less secure, this is more of a trust issue and is not based on any reasonable analysis of actual security capabilities. Fear of cloud security is largely unfounded, given vendors’ dedicated attention to managing reputational risk.

To date, there have been few security breaches in the public cloud, and most incidents involve on-premises data center environments. Cloud vendors typically offer more effective security than a lot of companies can afford. The majority of cloud vendors invest significantly in security technology and personnel, realizing that their business would be at risk otherwise.

Still, assuming cloud vendors are completely secure is not a good strategy, because bad things can still happen. Your company needs to combine a comprehensive approach with a structured methodology to manage enterprise cloud computing risks.

