How do you assess the security risks of cloud-based system deployment?

2 Security frameworks

Security frameworks are collections of guidelines, methodologies, and tools that help organizations design, implement, and maintain a secure system or process. These frameworks are often based on security standards and provide more specific and practical guidance. The NIST CSF is a voluntary framework developed by the National Institute of Standards and Technology which helps organizations manage and improve their cybersecurity posture. The CIS Controls is a prioritized set of 20 actions developed by the Center for Internet Security which helps prevent, detect, and respond to the most common and impactful cyber threats. The SANS Top 20 is a list of 20 critical security controls developed by the SANS Institute which helps prioritize and implement the most effective security measures.

3 Security assessment

Security assessment is the process of evaluating the security posture of a system or a process, based on a set of criteria and metrics. It helps identify the strengths and weaknesses, the gaps and risks, as well as opportunities for improvement. Common security assessment methods for cloud-based system deployment include security audits, security testing, and security reviews. Security audits are formal and independent examinations conducted by external auditors or certifiers, based on a specific security standard or framework. Security testing is a technical and operational test conducted by internal or external security experts, based on a specific security requirement or objective. Finally, security reviews are informal and collaborative evaluations conducted by internal or external security peers, based on a general security principle or best practice.

4 Security mitigation

Security mitigation is the process of reducing or eliminating the impact and likelihood of a security threat or vulnerability, which helps improve the security resilience and performance of a system or a process. Common security mitigation strategies for cloud-based system deployment include security hardening, such as applying security configurations and patches to a system or component to minimize its attack surface and exposure, disabling unnecessary services and features, enforcing strong passwords and encryption, and updating software and firmware. Security monitoring involves collecting, analyzing, and reporting security data and events from a system or process to detect and respond to potential incidents and anomalies by using security tools and systems like firewalls, antivirus, intrusion detection/prevention, and log management. Lastly, security backup and recovery entails creating and restoring copies of data and applications from a system or process to ensure their availability and integrity in case of a disaster or compromise. This includes using backup tools and services such as cloud storage, snapshots, and replication.

5 Security improvement

Security improvement is the process of continuously learning and adapting from security assessment and mitigation results to improve the security posture and maturity of a system or process. It helps achieve security goals, align with standards, and frameworks. Common security improvement practices for cloud-based system deployment include security training and awareness, security feedback and evaluation, and a security improvement plan. Security training involves educating stakeholders and users on security policies, procedures, and controls. Security feedback measures satisfaction and performance of stakeholders and users on the same. Lastly, a security improvement plan outlines the actions needed to improve the security posture and maturity of a system or process - such as risk management, gap analysis, and change management.