9 hours 59 minutes
In this video, we will discuss advantages and disadvantages of risk management in the cloud,
and we'll walk through a supplier assessment process.
The cloud model brings a variety of pros and cons included in that our trade offs when we look at enterprise risk management.
So let's start this tradeoff discussion by looking at the things you have less of
you have less physical control over the assets and the management procedures used by the cloud provider. And while you have less control, you also have less cost because you're reducing the need for you to internally manage a variety of things in particular those things that the cloud provider themselves is assuming the risk for.
It's worth reiterating that you're not outsourcing accountability, but you are outsourcing the management of a variety of risks that that cloud provider is assuming on your behalf based on the shared responsibility model.
What are the things you get more of when you have cloud?
At least from a risk perspective, you have more reliance on contracts, audits and assessments. You also need to spend more time proactively managing the relationship with the cloud provider, making sure they here to contracts and things that may extend beyond the initial contract signing.
Keep in mind, cloud providers are constantly evolving their products, giving new services and taking actions needed to remain competitive.
And these ongoing innovations air great. And that's why you can really take advantage of the cloud at the same time, you relying on managing the relationship with the cloud provider to make sure that those new things are covered by existing agreements and assessments.
To that end, with all these innovations and new things, you're gonna be relying Mawr on third party audits to provide you with that visibility
into the cloud providers operations, specifically when you want to make sure the cloud provider remains complaint. Despite this ongoing change, and even as the compliance requirements themselves change
with the groundwork established on cloud risk management, let's take a look at an example supplier assessment process.
First and foremost, you're gonna look at that cloud provider, and you're gonna ask them to give you certain documentation.
This is a great situation to apply the cake. If you don't know exactly what documentation you want,
then you're going to take a look at the security program in the documentation that they provide in response.
At that point, you know, incorporate the CCM. You're going to review legal, regulatory, contractual and jurisdictional requirements for both the provider and yourself.
We will be diving deeper into these elements in the next section.
This is a great opportunity to use the CCM identifying the different regulations that you care about and you want. And here, too, and then assessing based on the cloud providers responses previously. How well does this plot cloud provider meet those needs and adhere to those different regulations
continuing on? You'll take a look at the contract ID service
based on the particular information assets that you're going to be hosting with the cloud provider. How critical of a role in your business is this cloud provider, and then, depending on that criticality, you may even need to evaluate the overall provider in the sense of how is their financial stability.
What is their reputation within the industry?
create and destroy a lot of services? Quickly do the offer new functionality and then decommission? It may be your business can't handle that.
Other questions include who do they rely on for outsourcing if they outsource any of the activities and tasks. And are those outsourced companies acceptable for your business? And is that a risk you're willing to take
later? In this course, we're going to cover the an Nisa document. It has a whole section called Cloud Computing Risk Assessment that dives deeper into the supplier assessment process that we just reviewed. So to summarize this video, we talked about trade offs of risk management in the cloud, and we reviewed the process to assess cloud providers.