Why is risk not directly assessed when organizations consider moving systems or data to the cloud?
Partial assessments and subjective fears
We often see control assessments of the cloud vendor or of the cloud architecture treated as the primary work effort. The problem is that such control assessments are often, and incorrectly, labeled as risk assessments: they tell you which controls are present, not how much loss exposure the organization carries.
Another common problem we encounter is that there always seems to be someone with a subjective fear of anything being hosted in a cloud computing environment.
Moving to risk-informed decision making
Quantitative risk assessments provide a more comprehensive and objective perspective for making such decisions.
A recent RiskLens engagement is a good example of that. We worked with a hospital that analyzed the risk associated with its current Microsoft Exchange environment, which is hosted internally. We then analyzed the risk associated with migrating Exchange to the cloud. In this comparative assessment, which leveraged the quantitative FAIR risk model, we considered risk factors that the customer had previously overlooked. To the customer's surprise, loss exposure (that is, risk) increased for certain loss events but decreased substantially overall.
Another quantitative risk analysis, conducted with a learning organization, compared the relative efficacy of alternative security architectures for moving systems and data to the cloud in terms of the risk reduction each could deliver. In that instance, the business decision wasn't a simple yes or no: increased security controls brought performance and reporting limitations with them. Understanding risk in financial terms allows the organization to choose the architecture that best balances risk and usability. You can read more about this case study here.
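As an added illustration (not RiskLens' tooling and not the hospital's figures), the following Python sketch applies the FAIR decomposition risk = loss event frequency × loss magnitude to compare an on-premises and a cloud-hosted architecture across the same loss-event types, which is what makes a per-event and overall comparison possible. All ranges are constructed assumptions, and the triangular sampling is a stand-in for the PERT distributions FAIR tooling normally uses.

```python
import random
from dataclasses import dataclass

# Constructed, illustrative figures only, not the hospital's. Each estimate is a
# (minimum, most likely, maximum) range, sampled with a triangular distribution
# as a stand-in for the PERT curves that FAIR tooling typically uses.
@dataclass
class Estimate:
    low: float
    mode: float
    high: float
    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    name: str
    lef: Estimate  # Loss Event Frequency: events per year
    lm: Estimate   # Loss Magnitude: dollars per event

# The same three loss-event types are modelled for both architectures so that
# per-event and overall loss exposure can be compared side by side.
ARCHITECTURES = {
    "on_prem": [
        Scenario("unpatched server exploit", Estimate(0.5, 2, 4), Estimate(50e3, 200e3, 800e3)),
        Scenario("service outage", Estimate(0.2, 0.5, 1), Estimate(5e3, 20e3, 60e3)),
        Scenario("mailbox takeover", Estimate(1, 3, 6), Estimate(10e3, 40e3, 150e3)),
    ],
    "cloud": [
        Scenario("unpatched server exploit", Estimate(0.05, 0.2, 0.5), Estimate(50e3, 200e3, 800e3)),
        Scenario("service outage", Estimate(1, 2, 4), Estimate(10e3, 30e3, 100e3)),
        Scenario("mailbox takeover", Estimate(1, 3, 6), Estimate(5e3, 20e3, 80e3)),
    ],
}

def summarize(losses):
    return {"mean": sum(losses) / len(losses), "p90": sorted(losses)[int(0.9 * len(losses))]}

def simulate(scenarios, trials=20000, seed=7):
    """Monte Carlo annualized loss exposure, per event type and for the architecture as a whole."""
    rng = random.Random(seed)
    per_event = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            loss = s.lef.sample(rng) * s.lm.sample(rng)  # FAIR: risk = LEF x LM
            per_event[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    return {"per_event": {k: summarize(v) for k, v in per_event.items()}, "total": summarize(totals)}

def compare(architectures=ARCHITECTURES, trials=20000, seed=7):
    # Identical simulation for each architecture, so the results are directly comparable.
    return {name: simulate(scen, trials, seed) for name, scen in architectures.items()}
```

Calling `compare()` returns mean and 90th-percentile annualized loss for each event type and for each architecture; with these constructed inputs the outage event's exposure rises in the cloud while the total falls, the same pattern the hospital engagement describes.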
Assessing risk for your next cloud project
The next time your organization considers moving existing systems to the cloud or standing up new ones there, ensure that a comprehensive quantitative risk assessment is part of the decision-making process.