Risk can be described as a statistical concept associated with the uncertain future outcomes of business activities. According to TechTarget, risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings.
Major sources of such threats can include but are not limited to strategic failures, market disruptions, accidents, legal liabilities, natural disasters, financial uncertainty, data-related risks, and Information Technology (IT) security threats.
The subject of risk management in cloud computing, however, is primarily an IT security concern. More often than not, the need to identify and mitigate threats to digital assets takes top priority in digitized organizations.
The other definitions of risk management are as follows:
- The process of identifying, quantifying, and managing the risks that an organization faces
- The process of evaluating the chance of loss or harm and then taking steps to combat the potential risk
- The process of identifying any potential threats that may occur during the investment process and doing anything possible to mitigate or eliminate those dangers
- The practice of identifying potential risks in advance, analyzing them and taking precautionary steps to reduce/curb the risk
- The identification, analysis, assessment, control and avoidance, minimization or elimination of unacceptable risks
All these definitions share several key attributes that unify the concept of risk management: a process of identifying, analyzing/quantifying/evaluating/assessing, and managing/combating/mitigating/eliminating/reducing/curbing/minimizing risk.
Security and privacy risks are the major challenges of the cloud platform due to sensitivity of some stored information. Basic trade-offs to be considered before adopting cloud services for organizational use include the cloud model, the type of data involved, type of cloud service considered, the cost savings, the system’s criticality/impact level, the service type, and any associated regulatory requirements.
These trade-offs are needed to measure the degree of risk involved in using a cloud service. Most often, the integrity, confidentiality and availability of data stored in the cloud are threatened, compromised and exploited by malicious entities through vulnerabilities in the cloud platform.
Risk management is a crucial activity that must be fully integrated into every process of an organization. It should be implemented at the three classical risk-related levels of an organization:
- The organization level (tier 1)
- The mission and business process level (tier 2)
- The information system level (tier 3)
Risk management is a routinely executed practice with an associated set of organized activities to identify and mitigate risks in order to strengthen tactical and strategic security.
This includes implementing risk assessment, a risk mitigation strategy and risk control procedures for ongoing monitoring and continuous management of the information system's security level throughout the system development life cycle (SDLC).
In a cloud ecosystem, acceptable risk is evaluated by each cloud actor relative to its tolerance for the overall risk of the cloud ecosystem.
High-level risk elements of the cloud security ecosystem are as follows:
- Each cloud actor must be assigned risk management responsibilities, which can further be extended to its senior executives, leaders and representatives.
- Tolerance for risk must be established and disseminated across the entire cloud ecosystem via SLAs.
- Each cloud actor is required to continuously inspect, identify and understand security risks arising from the use of any cloud-based service.
- Cloud actors are required to share information promptly and remain accountable on security issues, risk management plans and solutions.