I am doing industry analysis on Public Cloud Risk Management and looking for the related information, for example, what are the key unique risks related to public cloud computing and how public cloud risks fit into overall enterprise risk management framework, (e,g, risk categories or subcategories to be used for managing public cloud risks)?

CloudSecurity & GRC
529 viewscircle icon8 Comments
Sort by:
Head of Information/Cyber Securitya year ago

 I would like to recommend leveraging the guidelines outlined in the NIST Special Publication 800-144.

NIST SP 800-144 provides comprehensive recommendations and best practices tailored for securing data and systems in public cloud environments. It covers essential topics such as risk management frameworks, security controls, data protection strategies, and compliance considerations specific to cloud computing.

You can access the full document directly via this link:

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-144.pdf

Implementing these guidelines will help us align our cloud security strategy with industry standards and regulatory requirements, ensuring robust protection of our data assets while maximizing the benefits of cloud adoption.

1 Reply
no titlea year ago

Thanks, Viral

CISO in Manufacturinga year ago

You can also have a look at OWASP Cloud Architecture Security Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.html#cloud-architecture-security-cheat-sheet) or CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices (https://www.cisa.gov/news-events/alerts/2024/03/07/cisa-and-nsa-release-cybersecurity-information-sheets-cloud-security-best-practices)

1 Reply
no titlea year ago

Thank you, Alexander

VP of ITa year ago

1. There is no ownership of the environment.
2. There is no physical separation of the hardware.
3. Physical security control is not visible.
4. Insider threats.
5. Data privacy and compliance.
6. Data loss and recovery (we faced this in our previous experience).

1 Reply
no titlea year ago

Thank you, @<mention id="657552a7ffbf5c0001de4c21" displayname="Yaagoub Alnujaidi"></mention>, for your insight. We did include the above in our consideration and now we are thinking to map the above to risk taxonomy, for example, isolation failure for #2 and insider risk for #3 etc. And eventually we also like to map all the cloud risk taxonomies to some enterprise risk categories, for example, technology risk, operational risk, data risk, or cyber security risk. Any insight from this perspective?

VP of ITa year ago

There is wealth of information on this subject at Saudi Arabia National Cybersecurity Agency (NCA) but in Arabic that you might need to translate to English

https://nca.gov.sa/ar/regulatory-documents/controls-list/179/

1 Reply
no titlea year ago

Thanks

Content you might like

Subject: Inquiry Request: Validating and Applying a Tiered Hardening Compliance Framework (70/85/95%) for a Colombian FPI's IPO

Dear Community,

My name is Viviana from a Insurance Company in Colombia. We are at a crucial point in our preparation for an Initial Public Offering (IPO) on the NYSE and are seeking your expert guidance to refine our hardening strategy for operating systems and databases.

Context and Objective:

We are an established Colombian health and insurance company with an 80+ year history. Our objective is to list on the NYSE as a Foreign Private Issuer (FPI), making us subject to regulations from the SFC (Superintendencia Financiera de Colombia) and Law 1581 (Data Protection) in Colombia, as well as the disclosure requirements of the SEC in the United States. A key challenge is our significant technical debt, with critical legacy systems supporting core business functions.

Proposed Internal Framework:

Our technical team has proposed adopting a common industry framework to measure hardening compliance based on the CIS Benchmarks. We wish to validate the application of this framework:

* Tier 1 (70-80%): Considered an acceptable baseline or for initial phases.
* Tier 2 (85-90%): The recommended target for production systems handling sensitive data.
* Tier 3 (95-100%): The ideal goal for mission-critical environments and high maturity.

Strategic Questions for an Inquiry Session:

1. Regarding Framework Application and Regulatory Compliance:

a. Given our complex environment mixing modern and legacy systems, we face an internal debate: Could an across-the-board compliance level of 80% be considered sufficient for initial regulatory purposes with the SFC and SIC (Superintendencia de Industria y Comercio), or would this be immediately interpreted as a material weakness during the IPO due diligence process?

b. On the opposite end, for our most critical systems handling sensitive data, do you believe the Tier 3 target (95-100%) should be considered a **mandatory requirement** to demonstrate due diligence to investors and regulators?

c. And for the intermediate case of a critical legacy system that cannot meet the Tier 2 target (85-90%), is the strategy of **documenting compensating controls** (e.g., micro-segmentation, PAM) to cover the gaps an accepted and defensible approach in the view of an auditor?

2. Regarding Defensibility and Communication:

a. When making disclosures in the SEC Form 20-F, is it advisable to use these percentages? Or is it wiser to describe the risk management program qualitatively, explaining how configuration weaknesses are identified, prioritized, and mitigated?

b. For the **SFC in Colombia**, which references frameworks like ISO 27001, is demonstrating compliance via this percentage-based model sufficient, or would they expect a more formal integration into an Information Security Management System (ISMS)?

3. Regarding Risks and Best Practices:

a. What is the most common mistake companies make when using these types of compliance percentage models?

b. What alternative or complementary metrics do you suggest to demonstrate the effectiveness of a hardening program beyond a simple percentage score?

We look forward to leveraging your expert perspective to ensure our strategy is not only technically sound but also strategically intelligent and defensible for the demanding IPO process.

Thank you for your time.

Sincerely,
Viviana Acevedo

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

Read More Comments

Which vendor solutions are being considered to "read, identify and redact information" in unstructured data sets? I'm specifically looking at solutions that can mask / redact or hide content within documents, that allow documents to be consumed but certain piece of information to be hidden.

Which authentication flow is the most secure?

Username, Password, Biometrics18%

Username, Biometrics, Password31%

Biometrics, Password, Username36%

All are equally secure.13%

Other (comment below)

View Results

The Transportation Security Administration (TSA) has announced a second security directive, requiring pipeline owners to implement new safeguards against ransomware attacks. Which will be the most critical to implement in the given 90-day timeline?

Specific ransomware mitigation measures17%

Developing/implementing cybersecurity contingency and recovery plans66%

Conducting a cybersecurity architecture design review16%

Other (please share below)

View Results