Grounded in the Cloud

Do you know your cloud risk profile? Best practices in building your cloud security strategy


Security has always been a critical consideration for enterprise IT. As more enterprises adopt cloud, the risk and threat landscape is changing rapidly with more complex and creative attacks. Chief Information Security Officers (CISOs) need to have a long-range cloud security strategy in conjunction with the cloud transformation journey, rather than in isolation. This article provides key insights and practical considerations for developing your cloud security strategy.



Security breaches spell disaster for your business


In the past few years, we have become increasingly aware of various security breaches. Anthem, the second largest health insurer, suffered a massive data breach in early 2015 with 78.8 million patient records being compromised. Target, a major national retailer, suffered a data breach in December 2013 with up to 70 million customers’ personal information being compromised. These security breaches reveal not only the impact on customers (stolen credit cards, personal health information) but also the ripple effect on the reputation and the bottom line of these companies. Target reported a profit drop of 46 percent in its fourth fiscal quarter of 2013 and banks reported an estimated cost of $200 million to reissue cards. No industry is immune, though the health care industry tends to be an easier target for hackers, largely due to its tendency to lag in technology adoption.


While these incidents seem to be more common today, security risks have always existed. We are more aware of them now because the attacks have become more sophisticated. It has become critical for the business to develop a strong security strategy. This strategy not only needs to discuss how to prevent security attacks, but also needs to include a plan on how to respond when the breach happens, since it’s no longer a question of ‘if’ but ‘when’ a breach will occur.


Key considerations in developing a robust security strategy


Most business and IT professionals understand how critical it is to protect sensitive customer data and valuable business assets.  From my experience working with SMB to large enterprise customers over the past two decades, I’ve learned that most companies struggle with building a security strategy. This strategy is not only for today’s environment but also needs to prepare them for the ever-changing technology landscape and more sophisticated threats -- even more so when they move to the cloud.  A solid security strategy must employ synergistic methods for risk prevention, detection, response and compliance.  Before you start developing your security strategy and action plan, you must thoroughly assess your risk profile, your IT environment, potential internal and external threats, and the  potential impact to your business if you are breached.


Know your risk profile


Understanding your risk profile is a critical task to perform before you develop or revisit your security strategy. There are three key factors contributing to the risk profile: vulnerability, threat and impact.  Some people use a formula to express security risk as a function of these factors:


Risk Profile = Vulnerability x Threat x Impact  


Vulnerability is the weakness or gap that can be exploited by threats to gain unauthorized access to an asset. Common security vulnerabilities include websites lacking security measures such as SSL and applications not enabled with multi-factor authentication.  A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset.


According to a recent PwC security survey of enterprise CIOs/CISOs, the top three security threats they are most concerned about are: malware/viruses, internal sabotage and external attacks. Finally, the impact is the potential financial and non-financial damage to your business caused by a successful attack. Once you understand your risk profile, you can build your security strategy and action plan to mitigate or minimize the risk.


Leverage your Cloud Service Provider


Companies of all sizes can get help from Cloud Service Providers (CSPs) in their cloud journey. Many cloud service providers such as HP provide integrated solutions, education and consulting services to help customers design, implement, and manage their cloud security strategy.


For specific industries such as health care, companies should look for HIPAA certified CSPs that provide a HIPAA BAA (Business Associate Agreement) between the service provider and health care providers to protect personal health information in accordance with HIPAA guidelines.


Learn from industry best practices


It is important to note that there is no single ‘silver bullet’ for your security strategy that eliminates all security risks. When it comes to heterogeneous IT environments such as traditional datacenters, public clouds, private and hybrid cloud, one has to consider and apply best practices accordingly.  


Many companies are rethinking their traditional approaches to cybersecurity as they adopt mobile and cloud technologies to accelerate business strategies.  Proven approaches, insights and best practices used by other companies can help you build and optimize your security plan.  For example,  this blog post by Terence Ngai provides a good list of practical modern approaches in securing the cloud:


  • Effective identity and access management
  • Runtime security virtualization
  • Session containers
  • Security service provider




You must keep an eye on your most important assets and defend them with everything that you've got.  Security breaches can result in heavy damage to your company’s bottom line, and can affect your customer loyalty and your company’s reputation. You must focus on assessing your risk profile based on vulnerability, threat and impact and then employ synergistic methods to address security risk prevention, detection, response and compliance.  Leverage your cloud service providers and best practices from industry leaders to help build a robust security strategy.


Look out for my next blog post on top trends in cloud security.


For more information on how HP can help, please visit

About the Author


Edward Choi is the Vice President of WW Cloud and Indirect Channel Programs. Choi is an accomplished, results-focused executive with a passion for driving large-scale strategic initiatives and solution delivery transformation. In his current role, he is responsible for the cloud channel strategy development and execution to drive market testing and scaling of a collaborative ecosystem of service providers, VARs, and ISVs that will leverage HPE and 3rd party technologies, JGTM motions, and financial innovations to build/sell/deliver differentiated services-led hybrid-Cloud solutions. Prior to his current role, Choi was the Vice President of Cloud Customer Success Management. He was responsible for the “One-HP” client experience for the delivery of cloud services across all HP business units.
