Is Cloud Computing a Risk?

Managing cloud computing risk scenarios with CRQ methods

Simple yes or no questions are asked in a game of Guess Who. But if you want to get to the heart of your organization’s concerns about cloud computing, the key is to ask meaningful, open-ended questions that consider your digital assets, threats to your assets, vulnerabilities, and the impact they could have on your business. CRQ using the FAIR standard is a valuable tool for analyzing ‘what could possibly go wrong’ concerns about cloud computing. CRQ risk scenarios provide actionable information. It is a quantitative method that speaks to C-level decision-makers in financial terms.

‍

What are the risk scenarios associated with delivering IT services using a cloud-based model?

According the 2023 Thales Data Threat report, ransomware and human error are the main causes of cloud data breaches. IT and security professionals identified digital assets in the cloud as the biggest targets for cyberattacks. SaaS apps and cloud storage were the biggest targets followed by cloud infrastructure (IaaS). As businesses increase their dependence on PaaS and SaaS tools, the traditional ways of thinking about business risk need to evolve.

Let’s start with a definition of cloud computing. A simple but useful definition is a ‘method of delivering IT services over the Internet’. Before you can look at the risk scenarios associated with how you deliver IT services using a cloud-based model, you need to define what digital assets need to be protected.

‍

What is a digital asset?

According to Open FAIR, when talking about information risk, an asset is data, devices, or any other component that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss. A digital asset can be data stored in a digital format. It could be unstructured or structured. Unstructured data include text-heavy and multimedia files, like marketing materials and internal communication. Structured data includes invoicing information, databases, product lists and serial numbers typically processed by an application.

‍

Unstructured data is a significant digital asset for businesses of all sizes. Businesses use file-sharing SaaS platforms like SharePoint or Dropbox for digital asset management. These document libraries can hold sensitive information like intellectual property (IP) or personally identifiable information (PII). And when sensitive information is not secured, it can be compromised.

‍

In recent years, working from home has become the norm and employees are using multiple devices to create and access files and to communicate with co-workers and external stakeholders. Document sharing with co-workers or sending email links to external stakeholders is commonplace, so is using multiple devices to access company data stored on platforms like SharePoint. The amount of PII and IP that is created and shared on these platforms is massive. For an individual organization, what role do these digital assets play in your operations, investments, and business decisions?

Other types of digital assets are applications (and their components) which are used to directly generate revenue, indirectly enable employees to work or in a manufacturing environment create the product.

‍