"Many organizations are stuck in either of two bad answers: either 'damn the torpedoes, we're going ahead with no idea what we're getting into,' or 'no way, no how,'" says Dr. Mike Lloyd, CTO of RedSeal Networks. "Both are clearly bad."
Ideally, organizations need to take a reasoned, risk-based approach that offers a saner middle ground for deciding whether these outsourced services match the organization's business and security priorities. The following ABCs--ordered chronologically in the decision-making process rather than alphabetically--should offer a good start toward a repeatable approach that replaces gut instinct with empirical reasoning in these matters.
C. Classify: Classify Assets And IT Functions To Prioritize Risk
Before you analyze a vendor's vulnerabilities or calculate your cost savings from using a particular service, you first need to classify your assets and your IT functions. These classifications can be categorized by factors such as business criticality, competitive advantage offered by the asset, compliance mandates placed on protecting the asset and so on.
"This is critical for the organization to determine the importance, sensitivity, and value of the information," says Andrew Wild, chief security officer for Qualys. "Without understanding the value of the information that's under consideration for storage or processing by a cloud service, it isn't possible to complete a risk-based assessment of a cloud service."
According to Yehuda Cagen, as he helps customers for his firm XVAND grapple with risk decisions about moving assets into the cloud, he and his firm ask clients to categorize specific IT functions into two compartments: mission-critical and differentiators.
"Some companies have specialized processes and applications that help improve performance and create a competitive edge," says Cagen, director of client services for XVAND. "Other IT functions are critically important, but won't necessarily create a competitive advantage."
Generally, processes or functions in the differentiator categories stay in house. On the other end of the spectrum, functions that aren't critical and don't create a competitive edge likely won't trigger as many risks and are likely candidates for outsourcing.
That leaves non-differentiating but mission-critical functions, which Cagen says should be considered for outsourcing to the vendor with the best track record for security.
"Vendors that can fill the gaps left by the in-house team can also be outsourced," Cagen says. "For example, network performance and security are mission-critical, but can be done more effectively by outsourcing it to a third-party, such as a private cloud provider--especially if this function is a 'differentiator' for the provider."
B. Baseline: Establish A Baseline Level Of Acceptable Risk
The classification of assets and functions will help organizations make targeted baselines of acceptable risk, which is a key part of making a risk-based decision about third-party services, says Trey Keifer, president and CEO of WireHarbor Security, a security consulting firm.
"Having a program that identifies your baseline and really works with your management to define those acceptable levels of risk really helps you get to a point where you're not just reacting to what's going on, you're really taking a more methodical approach to how you look at risk in your organization and how you prioritize your tasks and your dollar resources to help mitigate those threats," says Keifer, who prior to starting his own firm worked in the supplier risk assessment team for the world's largest insurance company.
According to him, this is why he's increasingly seeing enterprises establish supplier risk tolerance or supplier risk assessment teams. Such a team offers a formalized face to the process of determining outsourcing risks and an easier path towards engaging with management.
"You're talking with your management to say things like, 'Hey, what is an acceptable level of risk that you're willing to see? Are we willing to accept 3 percent of loss from every thousand transactions,'" he says.
This kind of engagement and formalization of risk appetite gives an acquisitions team the business context for the functionality it is looking to outsource, making it easier to determine whether the business can really accept the possibility of a worst-case scenario while outsourcing.
A. Assess: Empirical Risk Assessments Are Paramount
The classification of IT assets by potential risk and the establishment of baselines for acceptable risk should offer a lens by which an organization can then go out and evaluate a vendor. These evaluations should take into account both the potential upside of the deal and the technical assessment of the vendor's security controls as they relate to the organization's risk appetite.
At its root, this assessment should be based on the classic risk assessment formula of risk = outcome × probability, says Steve Santorelli, director of global outreach for the Internet security research group Team Cymru.
"If the cost savings of moving to the cloud outweigh the value of the risk from the formula above, then it makes sense," he says. "What people disagree on is how to evaluate the dollar value of the cost of a serious or long term security breach. The answer to that depends on the specific business."
Of course, the evaluation and the metrics involved are typically a little more complicated than that, but IT risk management has matured to the point where organizations willing to do their homework can find lots of established methods to measure risks against opportunities, says Kees Pouw, senior associate for security consultancy Litcom.
"The use of a structured information risk assessment following a defined methodology (i.e. RCMP-CSE HTRA, NIST) is the most effective and valuable instrument a company has available to determine the adequate use of cloud services," he says.
Performing an independent and objective risk and privacy assessment would eliminate any "gut-evaluation," providing organizations the required tool they need to make an informed decision about the use of cloud services.
One big wrinkle that seems to inevitably fold its way into this process is finding a reliable way to assess the technical controls SaaS and cloud service vendors have in place.
"What you need to do is agree with your cloud provider on standards for demonstration of due diligence and compliance," Lloyd says. "Of course, if you just ask, 'Are your services secure?' the answer will be 'Yes.' It certainly pays to look into more demanding, more authoritative tests."
However, some SaaS and cloud providers may reject the possibility of a customer coming in and performing penetration tests due to the expense, trouble, and potential privacy concerns for other service customers sharing their infrastructure. This may be a deal-breaker depending on the baseline of acceptable risk established for the function or asset to be handed over to the provider. But in some cases it may be possible to come to a compromise by utilizing audit reports from outside assessment services.
"Of the people that do a measurably good job in assessing the quality of security in a SaaS application, they're largely looking at internal and external auditing results surrounding compliance mandates--the things that make vendors squirm," says Daniel Rheault, marketing manager for SaaS firm Netage Solutions, who regularly undergoes customer security assessments when brokering deals and in a past life worked for a firm focused on security penetration testing.
Rheault suggests that organizations start by asking their vendors whether they'll allow the customer to perform its own security assessment. If not, he suggests asking whether they'll supply unedited third-party audit results, whether the vendor has penetration tests done regularly, and whether the vendor will provide the results of those pen tests.
Pouw also reminds organizations to look not just for clues about practices around confidentiality, but also about integrity and availability of services.
"Also it should be noted that information security involves the aspects of availability and integrity and not just confidentiality of the information," he says. "During a risk assessment it is often determined that availability is a more valuable aspect for which cloud services may in fact reduce risk compared to in-house services."
Putting The ABCs Together
As organizations start to formalize the team and the process, many executives within either camp--pro-outsourcing or anti-outsourcing--may be surprised at the results. For the former, some results may show that what seemed a slam-dunk decision to outsource prior to a thorough assessment actually would have been a disastrously risky move that put critical data at risk. And the latter group of naysayers might be taken aback to see that some service options actually reduce security risks rather than increase them.
"While there may be a perception that you're taking a greater risk by putting your data in the cloud, the reality is that it may be the opposite case," says John Robosson, partner for Navint, a management and technology consulting firm. "Some of these SaaS providers are better capable of protecting and securing data based on the fact that they've got standards in place and have built their business around security."
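As an added worked example (not from the article or from any of the firms quoted), here are the three steps as code: Cagen's two-compartment classification, a baseline in the spirit of Keifer's loss-per-transaction tolerance, and Santorelli's outcome × probability sum computed for both the in-house and the vendor-hosted option. All dollar figures, probabilities and the tolerated loss fraction are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One loss event. 'loss' is the outcome in dollars; the p_* fields are
    annual probabilities for the in-house and vendor-hosted options."""
    name: str
    loss: float
    p_in_house: float
    p_vendor: float

def classify(mission_critical: bool, differentiator: bool) -> str:
    """C. Classify: Cagen's compartments mapped to an outsourcing posture."""
    if differentiator:
        return "keep in house"
    if mission_critical:
        return "outsource only to the vendor with the best security record"
    return "likely candidate for outsourcing"

def acceptable_annual_loss(transactions: int, value_each: float, tolerated_fraction: float) -> float:
    """B. Baseline: management's tolerance expressed as a share of processed value."""
    return transactions * value_each * tolerated_fraction

def expected_loss(scenarios, option: str) -> float:
    """A. Assess: risk = outcome x probability, summed over the scenarios."""
    return sum(s.loss * getattr(s, option) for s in scenarios)

def decide(scenarios, annual_savings, baseline, mission_critical, differentiator) -> dict:
    posture = classify(mission_critical, differentiator)
    in_house = expected_loss(scenarios, "p_in_house")
    vendor = expected_loss(scenarios, "p_vendor")
    # Savings must outweigh any added risk, and residual risk must sit inside the baseline.
    net_benefit = annual_savings - (vendor - in_house)
    return {
        "posture": posture,
        "risk_in_house": in_house,
        "risk_vendor": vendor,
        "net_benefit": net_benefit,
        "outsource": posture != "keep in house" and vendor <= baseline and net_benefit > 0,
    }

# Constructed figures for a hypothetical mission-critical reporting function; not from the article.
SCENARIOS = [
    Scenario("confidentiality breach", 2_000_000, 0.02, 0.015),
    Scenario("extended outage",        500_000,   0.10, 0.02),   # availability, cf. Pouw
    Scenario("data corruption",        300_000,   0.05, 0.05),   # integrity
]
BASELINE = acceptable_annual_loss(2_000_000, 10.0, 0.003)  # constructed tolerance: $60,000 a year

if __name__ == "__main__":
    result = decide(SCENARIOS, annual_savings=40_000, baseline=BASELINE,
                    mission_critical=True, differentiator=False)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With these constructed inputs the in-house option already exceeds the baseline while the vendor option sits inside it, the outcome Robosson and Pouw describe when availability dominates the risk picture.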