Netskope is recognized as a Leader again in the Gartner® Magic Quadrant™ for SASE Platforms. Get the Report

close
magnifying glass
Get Started
magnifying glass
chevron
Support Language
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
chevron Get the white paper
Experience Netskope
Get Hands-on With the Netskope Platform
Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
chevron Experience Netskope
A Leader in SSE. Now a Leader in Single-Vendor SASE.
Netskope is recognized as a Leader Furthest in Vision for both SSE and SASE Platforms
2X a Leader in the Gartner® Magic Quadrant for SASE Platforms
One unified platform built for your journey
chevron Get the report
Securing Generative AI for Dummies
Securing Generative AI for Dummies
Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
chevron Get the eBook
Modern data loss prevention (DLP) for Dummies eBook
Modern Data Loss Prevention (DLP) for Dummies
Get tips and tricks for transitioning to a cloud-delivered DLP.
chevron Get the eBook
Modern SD-WAN for SASE Dummies Book
Modern SD-WAN for SASE Dummies
Stop playing catch up with your networking architecture
chevron Get the eBook
Understanding where the risk lies
Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
chevron Watch the demo
The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
Netskope One Private Access is the only solution that allows you to retire your VPN for good.
chevron Get the eBook
Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
chevron Read the case study
Netskope GovCloud
Netskope achieves FedRAMP High Authorization
Choose Netskope GovCloud to accelerate your agency’s transformation.
chevron Learn about Netskope GovCloud
Netskope Technical Support
Netskope Technical Support
Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
chevron Technical Support
Netskope video
Netskope Training
Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.
chevron Explore Netskope Training
""
Achieve Business Value with Netskope One SSE
Netskope One Security Service Edge (SSE) enables enterprises to achieve considerable business value by consolidating business critical security services within the Netskope One platform
chevron Get the study
Let's do great things together
""
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
chevron Netskope Partners

How to Measure Cloud Risk

Aug 09 2022
By Neil Thacker

How to measure risk

Ask any security professional how to effectively measure risk and many will give a simple answer…

Risk = Likelihood x Impact

Perhaps some professionals will take it a step further and include a variable to include a weighting on the asset value (that is calculated separately to impact value)…

Risk = Likelihood x Impact x Asset Value

A few might go further and cite FAIR, a well established framework on quantitative risk management, that expands to include many additional variables.

Diagram of FAIR quantitative risk framework
Source: https://www.fairinstitute.org/what-is-fair

Masters of risk will perhaps even talk about running risk model calculations and risk simulations using empirical data to further understand risk and create more accurate predictions of risk.

However, while any form of risk identification, assessment, and acceptance mitigation / transfer is better than none, still too few organisations have applied this concept to assessing cloud risk. So what is the reasoning for this—is it that cloud risk management is the cloud service providers (CSP) job?…is it that assessing cloud risk is not important?…or is it that assessing cloud risk is too complex? The answer to the above questions typically is No, No, and Perhaps.

How to measure cloud risk

Assessing cloud risk starts by identifying the cloud services your organisation currently uses. With 79% of employees in organisations actively using cloud apps to upload, share, or store data, and the average organisation using more than 1,500 distinct cloud apps each month the need to identify the cloud app and the type of data being processed or stored is key to understanding the risk.

The following six risk variables are common in assessing cloud risks and should form part of the cloud risk management process:

Vendor/Third-party Risk

Identify the vendor and understand their service agreement, terms, and conditions, as well as your organisation’s association and reliance on them and their providers.

Data Risk

Identify the category of data being uploaded, shared, or stored. If the data is personal data, financial data, or intellectual property, ensure that the appropriate controls are in place to protect the data and limit exposure to avoid both data loss risk and regulatory risk. Managing a clear inventory of which vendor is processing what data is critical (and is a regulatory requirement for many types of data).

Technology Risk

Understand the technology, the architecture, and the shared responsibility model. Identify who is responsible for addressing certain risks, such as ensuring correct implementation and configuration of the technology to ensure the service is secure.

Operational Risk

Manage operational risk across the supply chain. In the event of a security incident or an outage, ensure operational risk is managed and communicated. Ensure the provider has a robust incident response programme and can effectively contact their customers in the event of a security incident or a service outage.

Financial Risk

Identify any new financial risks that may affect the operation or even termination of a cloud service the organisation relies on. Cloud service providers can vary wildly in terms of their financial stability. 

Geolocation Risk

Identify where the service is operating from and if the organisation is meeting its regulatory and compliance requirements. In addition, with ongoing geopolitical conflict and tensions, these might bring new risks over time. It is critical to understand if you need to move or relocate data to other locations.

Start with WHY, know HOW, then WHAT

In summary, using cloud services will necessarily add additional risk measurements to your risk management programme. With the advancement of many cloud services and the ability to appropriately manage these risks, cloud service providers are making it possible for organisations to effectively tailor and manage these cloud risks. Whatever your level of maturity in risk management, use the approach of Simon Sinek: start with asking WHY measuring cloud risk is important, then HOW to measure for your organisation, and finally WHAT to measure…

< Full Skope
Next Story >
< Back
Next >
author image
Neil Thacker
Neil Thacker is a veteran information security professional and a data protection and privacy expert well-versed in the European Union GDPR.
Neil Thacker is a veteran information security professional and a data protection and privacy expert well-versed in the European Union GDPR.
Read More
More Articles by Neil Thacker
Read full Bio
More articles

Related Articles

card shape
Full Skope

The Crucial Conversations CIOs and CEOs Need to Have Right Now

By Mike Anderson
chevron Read the blog
card shape
Full Skope

Why CIOs and CISOs Must Be Business Leaders First

By Joe Topinka
chevron Read the blog
card shape
Full Skope

Strategies to Transform Cybersecurity into a Business Enabler

By Nicolás Rodriguez Tolmo
chevron Read the blog
Show More
Connect with Netskope

Subscribe to the Netskope Blog

Sign up to receive a roundup of the latest Netskope content delivered directly in your inbox every month.
Subscribe now