Cisco IT Insights

Managing Cloud Security & Risk Exposure

What
Managing Cloud Risks
The adoption of cloud-based applications has skyrocketed in the past few years. Today, cloud use for business computing is no
longer the exception, but rather the norm. In working with customers to identify their cloud use, Cisco has discovered that large
customers now use on average 730 individual cloud services and capabilities including software as a service (SaaS), infrastructure
as a service (IaaS), and platform as a service (PaaS).
With such a variety of applications and information being hosted in various clouds, the issues of security and business risk are a
primary focus for companies. But how do we protect company assets and reduce risk without overly restricting the business?
Balancing what the company needs versus what users want is a constant challenge in the evolving world of data security and data
storage. Cisco IT administers a global program called Cloud & Application Service Provider Remediation (CASPR) to ensure that
our data and brand are secure in the cloud, and has oversight for monitoring and managing more than 2000 cloud services used
by Cisco employees.
The point of CASPR is to protect and reduce our exposure to risks in the areas of compliance, financial viability, resiliency, and
business criticality, explains Ken Hankoff, CASPR program manager at Cisco. Cisco IT is responsible for administering CASPR,
and we leverage stakeholders that have an interest in making sure Ciscos data and brand are secure. For example, Cisco InfoSec
is a key stakeholder because InfoSecs priority is to protect Ciscos data and brand.

Discovery, Awareness, and Business Risk

Many companies dont have a clear understanding of just how much theyre consuming in the cloud. Its not until they complete a
cloud assessment using services and software such as Cisco Cloud Consumption Services that they become aware of what
cloud service providers they are using.
If you only use the term cloud service provider, most people think, Well, we host everything ourselves; we dont use cloud
service providers. The reality is that you might not be hosting everything and your company is using all sorts of vendors that are
cloud-based, says Hankoff.

Rating Vendors to Manage Cloud Risks and IT Resources

With hundreds of providers to manage, being able to determine which cloud services and vendors are the riskiest is crucial.
Internally, Cisco IT uses Cloud Consumption Services to give us visibility into our network traffic and help recognize which new
services are being used by employees. We use a combination of machine learning, software tools, and professional services to
identify risk. The final product of these tools and analyses is a master repository of the cloud services in operation in our
environment. The repository combines entries from Ciscos rich security knowledge base and the Cloud Security Alliance (CSA),
an industry standard alliance that provides attribute scoring of a number of cloud services. Using this process, we are able to
identify what the business risk is of using a particular new service.
For every service, there are 65 attributes being examined, ranging from financial viability to compliance, says Robert Dimicco,
senior director of Cisco Cloud Consumption Services, and not every one of these attributes is applicable. The Cloud Consumption
Services software is going to look at all 65 and creates a comprehensive risk score for Cisco IT.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

July 2015

Page 1 of 4

Based on the risk score, we use an assessment categorization matrix that rates the confidentiality of information against the
business criticality of that information. Using a mechanism and a series of questions that determine business criticality and data
classification, were able to come up with a number for each application and see where it would fall on the matrix. For example,
restricted data with high business criticality will require the highest degree of assessment, while data that is public with low- to midlevel business criticality will require less rigor during the assessment process.
We are currently refining assessment categories to improve efficiency, and save time and resources. The aim is to focus resources
on very high data classifications and business critical items where the risk of exposure is higher than low data classifications with
little business criticality. Were always trying to streamline, make it repeatable, and make it simple, says Hankoff.
Some of the areas we cover include architectural alignment, financial viability (scores help us determine if we are exceeding
thresholds or potential vulnerability), resiliency, and compliance. See Figure 1.
Figure 1.

CASPR Program Key Areas of Assessment

Why
Balancing Speed and Efficiency with Managing Risk
Understanding how employees use cloud services and applications enables the business to reduce risk and exposure. The nature
of using cloud services is dynamic. Its dynamic because its user-centric and user needs vary. Over the course of a month, the
services being consumed change and new services are constantly being launched. Cisco realized the importance of an automated
software capability that monitors cloud services from popular social media sites to specific business applications (such as
Salesforce, human resource applications, and customer relationship management) that are being consumed from the cloud.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

July 2015

Page 2 of 4

Once you find out what youre consuming, you can start to look at it as any other asset in which you are investing time, money,
and human resources, explains Dimicco. Its your own traffic that is compelling. It is unique to your company, and that helps your
company figure out where its vulnerable and where the risk to exposure is.

Remaining Compliant
Data sovereignty laws and regulations differ from country to country. In the United States, for example, storing company data on a
third-party cloud service can lessen a companys full property rights to that data. Having a strong legal presence during the process
of getting terms and conditions finalized in contractual agreements with cloud service providers is critical to the company. One of
the most challenging aspects of cloud services is determining what the business risk is for an organization when critical documents
or software code no longer reside in their premises but reside in a storage providers cloud. It is vital for a company to understand
risk that their data is exposed to and how to mitigate that risk through controls, policies, behaviors, and ongoing analysis.
Now, more than ever, its important to make sure youre in compliance, says Dimicco. The key is to do the things you need so
that your employees still have the access they require, while effectively balancing cost and risk.

Ways to Reduce Business Risk

There are numerous ways an organization can reduce business risk.

Discover what cloud service providers you are using to reduce costs, consolidate vendors, and migrate from high-risk
vendors.

Establish cloud governance and risk classification process to help focus resources on very high data classifications
and business-critical items where the risk of exposure is high.

Define cloud use policies to reduce risk. Risk can be mitigated with data policies and employee training and behaviors.
For example, when Cisco realized employees were using cloud services to store data, we enacted a company-wide policy
that the preferred company storage is Box.com and encouraged employees to adopt this service. Users are not prevented
from using other services; however, we use Box.com because we have integrated the service into Cisco, and Box.com has
reduced the business risk of Cisco employees and contractors using the service.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

July 2015

Page 3 of 4

For More Information

The hidden costs of cloud are 4 to 8 times higher than billed costs. To learn more, visit How Much Are You Spending on the
Cloud?
To learn more about how Cisco can help you manage cloud risk, visit Cisco Cloud Consumption Services.
To learn more about CSA, visit Cloud Security Alliance.
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.

Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to
the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

July 2015

Page 4 of 4