Chapter 10 Securing the Cloud

For this book, the cloud is defined as anything outside the network controlled by the company. Using our example, KC Enterprises reviews the cybersecurity risk for its cloud use whenever the data classification meets the criteria and the data will not be located in a KC data center. Referring back to the earlier analogy, when your computer (containing the hard drive with sensitive data) is at your own home, it is sufficiently secure in your locked‐up home. However, if you need to store it at your neighbor's house, your security risk changes. While you don't think he is going to do something bad, you want to be sure that he stores your computer (with the sensitive data) somewhere out of the normal traffic area of the home, preferably in a locked room.

Why Is the Cloud So Risky?

We view cloud risk the same way we view risk for any data located outside our company's data centers or networks. KC's security due diligence process reflects this view: it has developed programs and processes that perform specific security control reviews to lower the risk of cloud deployments.

A vendor's cloud security can be optimized by using frameworks and patterns. Not only does this give the vendor clarity on what is expected in the cloud, but it also makes the vendor's cloud security reviews more transparent. Understanding the Shared Responsibility Model (unlike in internal data centers, where everything ...
