Although this article came out a few months ago, I’ve been meaning to put it out there, as it may give those unfamiliar with addressing risk a good overview of what’s involved. In this case study the author focuses on doing a security assessment for a cloud system, but the same approach could be used in almost any IT scenario. Yes, this article will probably get pooh-poohed by the risk gurus out there, but I think it does a nice job introducing the topic.
The basic scenario is as follows…
Faced with a steep bill for securing a new cloud application, a client asked us to help find a way to reduce their risk exposure at the lowest possible cost.
By using the Business Threat Modeling methodology and PTA (Practical Threat Analysis) software, we were able to build a risk mitigation plan that mitigated 80% of the total risk exposure in dollars at half the original security budget proposed by the vendor.
This paper describes a customer case study of a risk analysis for a next generation call accounting system provided as a cloud service.
The author then describes the details of the process they followed, which consisted of the following steps.
- Step 1: Identify Assets
- Step 2: Identify Vulnerabilities
- Step 3: Define Countermeasures
- Step 4: Build Threat Scenarios
- Step 5: Understand the calculated Risk
- Step 6: Optimize Countermeasures
In the end they were able to get a nice balance between implemented countermeasures (and their associated cost) and the amount of risk they were willing to accept.
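To make the six steps concrete, here is a small worked model of the kind of calculation the case study describes, written for this post as an illustration; it is not the PTA software, and the loss model it uses (asset value × damage fraction × annual probability, with each countermeasure multiplicatively shrinking the probability of the threats that exploit the vulnerability it closes) is my assumption, not the tool's actual formula. The assets, vulnerabilities, threat scenarios, countermeasures, costs and dollar values are all constructed for the example; the budget is set to half of the "vendor's" full plan so the optimization step can be seen picking the cheapest subset that retires the most risk.

```python
from dataclasses import dataclass
from itertools import combinations

# Step 1: assets, with the loss (in dollars) if they are fully compromised.
@dataclass(frozen=True)
class Asset:
    name: str
    value: float


# Step 4: a threat scenario links one vulnerability (step 2) to one asset.
@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # asset damaged if the scenario succeeds
    vulnerability: str  # vulnerability the scenario exploits
    damage: float       # fraction of asset value lost on success
    probability: float  # annual likelihood with no countermeasures in place


# Step 3: a countermeasure closes one or more vulnerabilities, partially or fully.
@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    mitigates: frozenset  # vulnerability names it addresses
    effectiveness: float  # fraction of the threat probability it removes


# Constructed sample data (hypothetical call-accounting cloud service).
ASSETS = {a.name: a for a in [
    Asset("call-records-db", 500_000),
    Asset("billing-service-availability", 200_000),
]}

THREATS = [
    Threat("admin credential stuffing", "call-records-db", "weak-admin-auth", 0.5, 0.4),
    Threat("backup media read offline", "call-records-db", "unencrypted-storage", 0.2, 0.1),
    Threat("API flood outage", "billing-service-availability", "no-rate-limit", 0.3, 0.5),
]

COUNTERMEASURES = [
    Countermeasure("mfa-admin-console", 15_000, frozenset({"weak-admin-auth"}), 0.9),
    Countermeasure("db-encryption-at-rest", 20_000, frozenset({"unencrypted-storage"}), 1.0),
    Countermeasure("rate-limiting", 10_000, frozenset({"no-rate-limit"}), 0.8),
    Countermeasure("full-siem-rollout", 60_000, frozenset({"weak-admin-auth", "no-rate-limit"}), 0.5),
]


# Step 5: annualised risk in dollars, given the countermeasures actually deployed.
def residual_risk(threats, selected, assets):
    total = 0.0
    for t in threats:
        p = t.probability
        for cm in selected:
            if t.vulnerability in cm.mitigates:
                p *= 1.0 - cm.effectiveness  # independent reductions compound
        total += assets[t.asset].value * t.damage * p
    return total


# Step 6: exhaustive search over countermeasure subsets that fit the budget.
# Fine for a handful of controls; a real model with dozens would need a
# knapsack-style heuristic instead.
def optimize(threats, countermeasures, assets, budget):
    best_set, best_risk = (), residual_risk(threats, (), assets)
    for k in range(1, len(countermeasures) + 1):
        for combo in combinations(countermeasures, k):
            if sum(c.cost for c in combo) > budget:
                continue
            risk = residual_risk(threats, combo, assets)
            if risk < best_risk:
                best_set, best_risk = combo, risk
    return best_set, best_risk


def plan_summary(threats, countermeasures, assets, budget):
    """Compare the full 'vendor' plan against the budget-constrained optimum."""
    baseline = residual_risk(threats, (), assets)
    chosen, residual = optimize(threats, countermeasures, assets, budget)
    return {
        "baseline_risk": baseline,
        "chosen": sorted(c.name for c in chosen),
        "plan_cost": sum(c.cost for c in chosen),
        "residual_risk": residual,
        "risk_mitigated_pct": 100.0 * (baseline - residual) / baseline,
    }


if __name__ == "__main__":
    vendor_cost = sum(c.cost for c in COUNTERMEASURES)
    summary = plan_summary(THREATS, COUNTERMEASURES, ASSETS, budget=vendor_cost / 2)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With these constructed numbers, the unmitigated exposure is $140,000 a year; the full four-control plan costs $105,000, while the search picks the three cheap controls for $45,000 and leaves only $16,000 of residual risk, the same shape of result the case study reports.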
Well, at a high level that is pretty much it, but I’d encourage you to read the full case study to fill in the gaps. Today’s post image is from SANS.org.