Cloud Security

Acquisition Review of Security Risks

A Risk Assessment is part of the acquisition decision process for cloud computing during the move from a conventional IT environment to a cloud service provider. This assessment involves a review of each of the four areas of concern, and a decision on how these security requirements need to be satisfied in a cloud implementation. These then become factors in selecting a cloud service provider.

Access Control

Access Control is the most basic security requirement, and it is even more critical in a public cloud environment, where hosted systems and services are broadly available outside of a user's physical environment. During this review, decisions are made on the approach to strong authentication and shared identity management. These will be considerations during the selection of a cloud service provider.

Integrity

The Integrity of hosted information is a shared responsibility of the customer and the cloud provider. During this review, decisions are made on the best combination of technical and operational methods of achieving this need. These will be considerations during the selection of a cloud service provider.

Availability

Availability is often easier to achieve in a cloud environment, where the service provider's infrastructure may satisfy needs that would have to be separately acquired and provisioned in a conventional IT environment. During this review, decisions are made and documented on the preferred options for satisfying these needs. These will be considerations during the selection of a cloud service provider.

Compliance

Compliance with an organization's can be easily overlooked, but can result in downstream issues if these apply. A common mistake is to assume that they are not applicable in a cloud environment, but this is not always the case. If the IT systems are used to support US Government programs, cloud systems may have to be accredited or certified; an example of this is the FedRAMP program. If the systems are used to process healthcare information, HIPAA requirements may apply. If they are used to process customer credit card information, PCI compliance may apply. These will be considerations during the selection of a cloud service provider.

More information on the acquisition of cloud services is available here in the Cloud Computing topic.
