PROTECTING YOUR CLOUDS | A ZDNet Multiplexer Blog

How to Assess Risk to Cloud-Based Data

Software-as-a-service delivers significant benefits and advantages over traditional installations, but data security cannot be overlooked. Here, we discuss high-level policy considerations such as how to classify data based on its sensitivity, assign risk levels, and set access privileges based on those tiers.

When classifying data for risk, you must first consider a list of threats that the data and applications may face. You then weigh those risks by their likelihood. This is not an exact science, but it can be intelligently handled by an experienced security consultant.

Typical threats include:

  • Loss or disclosure of small/large numbers of records of personal data of customers/employees (These may be considered as four different risks)
  • Loss or disclosure of sensitive company intellectual property, such as business plans or program source code
  • Loss of physical media containing unencrypted, sensitive data
  • Spread of malware through SaaS

This, of course, is not an exhaustive list. Any thorough plan would include more specific considerations for your business.

If you weigh the threats by their likelihood and their impact, though, you can get a sense of where you should prioritize your efforts. This may be as simple as multiplying a likelihood factor, from 1 for least likely to 5 for most likely, against an impact factor, from 1 for lowest impact to 5 for greatest.

To determine these factors, there are many questions you should ask. This is where an expert in risk analysis can help. Among these are:

  • How many people access the data?
  • To what extent is the data anonymized (e.g. storing only the last 4 digits of a credit card number)?
  • Does the data ever leave the SaaS for other domains? Is it processed on partner sites or on-premises company systems?
  • Is the data always encrypted, at rest and in transit?

The real-world list is much longer. But an important question to ask right now is, how do you apply this risk assessment to the world of SaaS providers like Microsoft Office 365 and Google G Suite?

SaaS providers are not bereft of security features, but they don't have the functionality required to mitigate your organization's risk. For that, the introduction of a third-party CASB (Cloud Access Security Broker), such as Palo Alto Networks' Aperture, is necessary. The best CASBs operate in the cloud themselves and integrate with SaaS applications at the API layer. In this scenario, the CASB has access to user information and system logs, allowing it to automate policy enforcement.

A CASB like Aperture monitors the actual data being accessed by the user and can therefore examine it for sensitivity. Does it have the characteristics of a technical diagram? Is it software source code? Does the data in it match the patterns of social security numbers or other PII? Are emails being forwarded to an unauthorized domain? If any of these is the case, does the user have authority to access it and send it?
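The questions above (does the content match SSN patterns, is it being forwarded to an unauthorized domain, and is the user authorized to send it) can be sketched as a small policy check. This is an added example, not Aperture's or Palo Alto Networks' code; the domain allowlist, the authorized-user set, the verdict names and the sample messages are constructed assumptions.

```python
import re

# Constructed policy values (assumptions for illustration, not from the article)
ALLOWED_FORWARD_DOMAINS = {"example.com"}
PII_AUTHORIZED_USERS = {"hr-analyst@example.com"}

# SSN shape AAA-GG-SSSS; lookarounds stop matches inside longer digit/dash runs
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

def find_ssns(text):
    """Return SSN-shaped strings that also pass SSA structural rules."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Never-issued values: area 000, 666, 900-999; group 00; serial 0000.
        # Dropping them cuts false positives from order and part numbers.
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

def evaluate_forward(sender, recipient, body):
    """Return (verdict, ssn_count, reasons) for one forwarded message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain not in ALLOWED_FORWARD_DOMAINS
    ssns = find_ssns(body)
    authorized = sender.lower() in PII_AUTHORIZED_USERS
    reasons = []
    if ssns and not authorized:
        reasons.append("sender not authorized for PII")
    if ssns and external:
        reasons.append("PII to unapproved domain " + domain)
    if reasons:
        verdict = "block"
    elif external:
        verdict = "alert"  # no PII found, but the destination is unapproved
        reasons.append("forward to unapproved domain " + domain)
    else:
        verdict = "allow"
    return verdict, len(ssns), reasons

# Constructed sample messages: (sender, recipient, body)
SAMPLES = [
    ("hr-analyst@example.com", "payroll@example.com", "SSN 123-45-6789 on file"),
    ("intern@example.com", "friend@mail.test", "SSN 123-45-6789 on file"),
    ("intern@example.com", "friend@mail.test", "Order 000-12-3456 shipped"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", sample[1], evaluate_forward(*sample))
```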

Only a security policy operating in the SaaS application itself can detect malicious events as they happen and put a stop to them. In addition to Aperture, Palo Alto Networks can help with risk assessment and security planning.

Learn more about Palo Alto Networks® Next-Generation Security Platform for cloud at