INFO: Cloud Security Risk Assessment Process

Keywords: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), repository, cloud security, cloud risk assessment, provisioning


The Cloud Security team and Risk Assessment team at Mass General Brigham (MGB) have developed a process to help expedite and identify any risks when business owners request to use MGB cloud services. Several steps need to be followed before getting approval. For this guidance, the business owner is the project administrator or point of contact of the organizational group they are a part of. Regardless of the cloud service provider (AWS, GCP, Azure) or nature of the project, business owners will have to follow these steps to access approved MGB cloud resources.

  1. If the business owner has a defined architecture that highlights dataflow, networking boundaries, cloud services being used, and identities that are a part of the project, skip to step 3.

  2. If the business owner does not have a defined architecture as described above, the business owner will request a cloud architecture consult.

    1. For Azure and AWS, create an IS Service Hub Request. For GCP, create a request for RC Services. The respective cloud administrator will reach out to discuss the project requirements and provide feedback on the solution architecture.

  3. With the cloud needs defined and a cloud architecture solution in place, the business owner fills out an ISPO Cybersecurity Risk Assessment Request through the IS Service Hub. You can refer to the HOWTO: Request ISPO Cybersecurity Risk Assessment for additional details.

    1. The business owner will receive a cloud questionnaire. This questionnaire will ask questions about the system, such as how the business owner will access the system, what controls are involved in the environment, how the network is configured, which identities are involved, whether backups will be required, how long logs will be retained, etc.
    2. The business owner will then fill out the Cloud Security Questionnaire document and submit it to the risk assessment TASK.

  4. Permissions in the cloud are not directly assigned to users at MGB. Instead, roles and permissions are assigned to groups.

    1. In order for non-administrative roles and permissions to be provided to business owners, a Personnel Authorization System (PAS) group needs to be chosen (if one already exists), or a new PAS group created if no existing group can be used.

      1. Keygiving - PAS training is required to obtain access to the PAS system and become a Keygiver.
    2. For any administrative roles that need to be assigned, the business owner needs a privileged 1Account created before any administrative roles are given/applied.

      1. Refer to the 1Account KB article for steps on requesting 1Account credentials.

        • Note: AWS Projects do not need a 1Account at this time.
        • Note: manager approval is required when requesting 1Accounts and can cause delays if managers do not approve in a timely manner.

  5. The risk team then reviews the questionnaire. The risk team will determine if any additional information is needed and may request a follow-up conversation with the business owners and cloud administrators to address any concerns.

  6. Once the risk assessment is completed and all aspects of the requested cloud infrastructure satisfy expectations, the business owner will receive a security brief from the assigned risk analyst. The cloud resources will then be ready for provisioning.


Additional Notes:

  1. Once the risk assessment is completed, the business owner should open a request, or continue with an existing request, for account creation, access provisioning, and resource deployment with the "Cloud Platform Services – phs" queue in ServiceNow.

  2. For additional information, refer to the cloud security page. Please feel free to reach out to the cloud security team if you have any questions.


[Image: MGB Cloud Services Workflow]

Go to KB0039241 in the IS Service Desk