Risk Management Framework for Cloud Computing Security
Enterprise risk management (ERM), in general, applies to every aspect of the enterprise, regardless of size. Risks can be categorized as preventable, strategic, and external (Kaplan & Mikes, 2012) and must be identified, assessed, and managed. Preventable risks are internal, and every effort should be applied to eliminate or minimize the impact. Some examples of internal risks are operational, legal, and ethics, and can be monitored and controlled through rules-based policies. Strategic risk is not necessarily a negative thing. Some examples are strategies to maximize profits through the use of disruptive technology, investing in high-risk ventures, and diversification of product offerings. External risks are those that are unpreventable and beyond the company’s control. Events that fall into this category are natural disasters, cyber attacks, and economic changes.
“He who is not courageous enough to take risks will accomplish nothing in life.”
- Muhammad Ali
In the context of this blog, the five main types of risk are; strategic, operational, financial, compliance, and reputational. While the ultimate goal of risk management is to create and protect value, strategic risk management (SRM) is more focused on shareholder value (Frigo & Anderson, 2011). The process of strategic risk management is not much different from enterprise risk management in that the primary goal is to identify, assess, and prioritize risks to achieving company goals and strategic objectives.
Operational risk management (ORM) is the oversight of risks from failed processes, inadequate systems, human resource factors, and external events and cannot be completely eliminated. The outcome of disruption in operations can have both financial and reputation consequences (Naude & Chiweshe, 2017). Failures in operational processes can have an impact on the financial health of the firm.
Financial risk can influence a company’s value in multiple ways (Bartram, 2002). Market conditions, the financial health of customers, the capital structure of the organization, and cash flow volatility, all affect a firm’s value. A complete valuation of financial risk would have to include operational risk, credit risk, and business risk. Management of all other types of risk affects the financial health of the firm. Hedging the financial risk associated with other risk types can be difficult and takes careful planning (Christoffersen, 2003).
The failure to comply with the rapidly changing compliance landscape can undermine the financial well being of the firm, destroy public confidence in the company, and put the company’s leadership in legal jeopardy. A thorough compliance risk management system can add value to the company’s risk management strategy by identifying and tracking regulatory requirements on a local, state, national and international basis.
Risk of loss due to damages to a company’s reputation is a reputational risk. Consequences of an adverse event can include lost revenue, destruction of shareholder value, increased costs of capital, and increased costs of operations. Managing reputational risk will help keep the company out of the court of law and the court of public opinion (Kossovsky, 2014).
Web Server Functionality
On a high level, there are four basic functions of a web server. These basic public-facing functions are; hypertext transfer protocol (HTTP), file transfer protocol (FTP), email server, and database server. The secure version of HTTP is HTTPS, and the secure version of FTP is SFTP. All of these basic functions are to deliver content. The term web server can pertain to both the hardware and software that provide the content. Web servers are the backbone of the Internet. Without websites, the Internet explosion would not have happened. Websites are easy to create, and whether a company runs their web servers on premise or use cloud-based web hosting, web server protocols have vulnerabilities.
There are several cyber attacks against a website that are popular with hackers. One of the easiest is denial of service (DoS) and distributed denial of service (DDoS). Every website has a uniform resource locator (URL) address that corresponds to an Internet Protocol (IP) address. A DoS or DDoS attack can easily take a web server down and prevent legitimate traffic from getting through (Stewart, Mike, & Darril, 2013).
Closely related but acting at the application layer is HTTP DoS attack. The hacker scans all the pages on a web server and makes a note of how much time it takes for the web server to respond to the request. The hacker then selects the pages that require the most processing time and creates a script to send multiple HTTP requests to the server. The web server becomes overwhelmed and eventually stops responding to request (CEH v10, 2018).
Cross-site scripting (XSS) is a common vulnerability, and yet it is one of the easiest to mitigate. Caused by poor programming practices, XSS allows the hacker to inject client-side code, usually javascript, to exploit the browser session. There is one basic rule to implement during HTML coding. That rule is to deny all untrusted data except in allowed locations. Javascript is easy to detect and should never be accepted from an untrusted source.
SQL injection is another popular website attack that is caused by poorly designed code. Websites that use a backend SQL server are vulnerable to malicious SQL queries (CEH v10, 2018). There are different classes of SQL injection attacks. Most of these attacks can be mitigated by using middleware filters or code validation.
A man-in-the-middle attack refers to a hacker who is logically positioned between a client and a server. In the middle of what is presumed to be a two-way communication, the hacker uses a store and forward process and can record sensitive data including logon credentials. Man-in-the-middle attacks are difficult to detect because the communication traversing the network appears to be legitimate (Stewart et al., 2013).
Attacks on web servers are one example of an IT security risk that should not be ignored. In this last section of this article, an explanation of how COBIT 5 can be used as a framework for addressing web server security in the context of cloud-based services and Software as a Service (SaaS). While not a direct fit for SaaS, COBIT 5 is easily adapted to cloud-based infrastructure and platforms.
The prevalence of cloud-based computing (CC) has changed the level of complexity faced by information security professionals (Bounagui, Mezrioui, & Hafiddi, 2018). Managing risk in the CC environment is more challenging than legacy, on-premise computing models. The lack of control over software security, the inability to maintain complete control over personnel who have administrative authority over the server, and limited control over patching cycles are some of those challenges.
There are three processes in COBIT 5 that address information security and will be the focus of this part of the article. Those processes are APO13 (manage security), DSS04 (manage continuity) and DSS05 (manage security services) (COBIT 5, 2012).
The focus of information security is to maintain confidentiality, integrity, and availability (CIA) of data. Developing and implementing an information security management system (ISMS) is the focus of APO13. The purpose of the ISMS is to manage the resources, and the controls require to maintain CIA.
DSS04, managing continuity, focuses on establishing control over the business, to be activated in a crisis, to maintain continuity of processes and maintain business as usual. Maintaining CIA, whether in a crisis or not, is the focus of DSS05. There are areas that COBIT 5 does not address. It was never engineered to consider special security requirements and continuity concerns of a hybrid or public cloud structure. Thought needs to be given to establishing a custom framework that will blend favorable nuances from both COBIT 5 and other frameworks.
References
