Crowe Horwath: How to conduct an assessment of your IT security risk

Cloud computing has grown in popularity because it can help boost productivity and reduce costs by allowing organizations and employees to work collaboratively over the Internet from the office and remote locations.

But that ease of access to your business applications and data brings increased risk.

“Cloud computing presents a number of risks, ranging from data leakage to cyberattacks on cloud computing vendors and their customers,” says Jim Stempak, a principal at Crowe Horwath LLP.

Smart Business spoke with Stempak about a methodology to periodically assess cloud computing IT security risks.

What risks are associated with cloud computing?

Whether you sign up for software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS) or some combination of service models, your organization is exposed to risk because security is applied differently than in traditional noncloud IT environments. Additionally, your vendor might not have security standards on par with your own.

Some areas of risk are:

  • Cloud governance risk. Cloud governance refers to controls and processes for cloud planning and strategy, vendor selection, contract negotiation, implementation, operation and possible termination of service. Some companies rush into cloud computing and don’t properly assess risks and implement controls to mitigate them.
  • Weak identity and access management controls. Moving to the cloud can drastically change how customers control access to accounts and computing resources, thus introducing new security risks.
  • Unsecured data connections. With the cloud, much of the data communication takes place outside of your IT environment. It’s important to understand where your data is and assess vendor protection of data in transport and storage.
  • Workforce security risk. Often employees use personal cloud storage services such as Dropbox, Evernote, Google Apps, SkyDrive and iCloud to transfer and store work-related files without authorization or oversight from IT management. A recent Nasuni Corp. survey of 1,300 corporate IT users found one in five respondents put work files in personal Dropbox accounts. Personal cloud storage services lack enterprise-class security protection, and, in turn, could put sensitive data at risk and increase the chance your organization is noncompliant with industry and government standards.

How should a company assess its cloud security risks?

Companies should review all layers of risk associated with the specific use of cloud services in their IT environment. Start with a review of common controls, including cloud governance, identity and access management, and transmission security. A corporate cloud security assessment typically focuses on controls affecting cloud governance, such as cloud planning and strategy, vendor selection, implementation, termination and transition of cloud services; identity and access management, such as account setup, level of access and single sign-on; and secure connectivity, such as encryption, backup plans, logging and monitoring.

You also need to conduct a workforce assessment to identify unauthorized use of personal cloud services, which includes:

  • Network scanning — special software applications scan networks for the most popular services for storing and transferring data in the cloud.
  • Passive monitoring — applications track network traffic to uncover connections with website addresses associated with personal cloud services.
  • Log analysis — servers have log files that capture useful data about network activity to help pinpoint cloud services traffic.
  • Workforce survey — ask if employees are using personal cloud services for work and why. This can help you understand cloud service needs and identify potential risks.
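The log-analysis step above in working form, as an added example that is not from the article or from Crowe Horwath: a Python pass over constructed proxy log lines that counts, per user, connections to the personal cloud services the article names. The log layout, the domain list and the sample lines are assumptions; the lookalike host in the sample shows why the match is on the registered domain rather than a substring.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Personal cloud services named in the article (constructed mapping; extend it).
PERSONAL_CLOUD_DOMAINS = {
    "dropbox.com": "Dropbox",
    "evernote.com": "Evernote",
    "skydrive.live.com": "SkyDrive",
    "icloud.com": "iCloud",
}

# Assumed proxy log layout (hypothetical): timestamp client user method url status
LOG_LINE = re.compile(r"^\S+\s+\S+\s+(?P<user>\S+)\s+[A-Z]+\s+(?P<url>\S+)\s+\d{3}$")

# Constructed sample; dropbox.com.example is a lookalike on a reserved TLD.
SAMPLE_LOG = """\
2013-05-01T09:12:03Z 10.1.4.22 alice GET https://www.dropbox.com/home 200
2013-05-01T09:12:09Z 10.1.4.22 alice CONNECT www.dropbox.com:443 200
2013-05-01T09:15:41Z 10.1.4.37 bob GET https://intranet.example.com/wiki 200
2013-05-01T09:16:02Z 10.1.4.37 bob GET https://www.evernote.com/Home.action 200
2013-05-01T09:20:17Z 10.1.4.51 carol GET https://dropbox.com.example/login 200
this line is malformed and must be skipped
"""

def service_for_host(host):
    """Map a hostname to a personal cloud service, or None if it is not one."""
    # Exact or subdomain match only; a substring test would also flag lookalikes.
    host = host.lower().rstrip(".")
    for domain, name in PERSONAL_CLOUD_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

def find_personal_cloud_use(lines):
    """Return {user: {service: hit_count}} for personal cloud traffic in the log."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the run
        url = m.group("url")
        if "://" not in url:  # CONNECT entries carry host:port with no scheme
            url = "//" + url
        host = urlparse(url).hostname
        if host and (service := service_for_host(host)):
            hits[m.group("user")][service] += 1
    return {user: dict(services) for user, services in hits.items()}
```

On the sample, alice shows two Dropbox hits and bob one Evernote hit, while carol's lookalike host and the intranet traffic are not flagged.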

Cloud computing changes the way people work and is here to stay. Organizations need to completely understand how they are using cloud services — in both known and unknown ways — before valuable data winds up in the wrong hands.

Jim Stempak is a principal at Crowe Horwath LLP. Reach him at (214) 777-5203 or [email protected].

Insights Accounting is brought to you by Crowe Horwath LLP