Readiness Assessment Guide

Is your company doing everything it should to protect its cloud assets?
As cloud service adoption expands, all organizations should pay particular attention to their cloud security program. In its 2022 Cost of a Data Breach Report, IBM Security found that 45% of all breaches over the previous year occurred in the cloud. Concerningly, the report also found that 43% of organizations had either not started or were only in the early stages of implementing cloud security capabilities.

What does a sound cloud security program look like? While no single correct answer exists, we created this cloud security readiness guide to help you formulate a plan that is aligned with the NIST Cybersecurity Framework (CSF). This guide can help you gauge your organization's readiness to Identify, Protect, Detect, Respond, and Recover from cloud security incidents. Continue reading if you're ready to assess your security gaps and gain insights for bolstering your cloud security posture.
Cloud services operate under a shared responsibility model, in which the cloud provider assumes some portion of the security responsibility and the customer retains the rest. It is critical to understand exactly how those responsibilities are allocated, and what your organization must do itself, for each cloud service you use. The split differs by service type: the provider secures more of the stack for a managed (SaaS or PaaS) offering than for infrastructure (IaaS), where configuration, identity, data and workload security remain with you.
Risk management is a corporate function in which information security participates. Risks include loss of customers and failure to grow at a projected rate, as well as various loss events against which information security controls can offer some protection. Those protections allow a well-run organization to take on more risk, though that may frustrate security leaders who see their role as one of risk reduction.

While classic security texts speak of the ability to transfer risk to another organization, this strategy never works as well in practice as it does in theory. The principal means of transferring risk is insurance, and insurers that offer cyber insurance will readily deny coverage of an event if there is evidence that controls have not been effectively maintained. For example, the insurer may decide (whether you agree or not) that a failure to patch quickly enough is grounds to deny coverage in the event of a data breach or ransomware incident.

The other risk management strategies of accept, remediate, or avoid are more manageable within an organization. Most organizations are willing to accept more risk than most security leaders would like, because they need to focus on growing the business rather than on avoiding consequences that fall below their risk tolerance. Security leadership should ensure that the organization understands when a decision pushes the impact or probability of an event above the stated tolerance level, and then work to ensure those risks are properly managed.

This is harder when components of your application and/or infrastructure are outsourced to cloud providers, where part of the responsibility for securing the organization's assets resides with the service provider.
Most good cloud service providers use threat intelligence to enrich their part of security event analysis, so that they can respond quickly and effectively to attacks designed to compromise their ability to fulfil their share of responsibility for your organization's security.

Managed detection and response (MDR) services have the added benefit of human analysts who monitor for threats that the automated response misses partially or fully, so that an analyst can step in and complete the response. Those analysts can also roll back the actions of the automated system when its machine learning or user behavior analytics mistakenly classified unusual but legitimate activity as malicious.
Regardless of how good the organization's controls and tools may be, there will always be something that requires a human response. Having a prewritten plan for how to respond, drilled by the response team, allows your organization to respond effectively to any event that becomes an incident.

A good incident response plan will give guidance on how to triage an event to determine whether it is an incident; describe how to analyze an event to determine what happened, when, and how; provide a mechanism for fast response to a variety of event types; and include prewritten communication templates to ensure fast and effective communication.
The cloud service provider should know whom to contact in your organization in the event of a security incident, and should make you aware of any predeveloped communication mechanisms, such as a portal for managing incidents and outages.

You should also have a prewritten communication for the press in case you need to respond to public disclosure of a data breach or ransomware attack.