Domain 3 of 6 · Chapter 3 of 5

Cloud Infrastructure Risk Analysis

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • The risk model: threat times vulnerability, scoped to your slice
  • Quantitative vs qualitative: the ALE math and when each wins
  • Cloud vulnerabilities, threats, and attacks
  • Risk treatment, mitigation strategies, and exam patterns

Quantitative vs qualitative risk analysis

DimensionQuantitativeQualitative
OutputMoney: SLE, ARO, ALERatings: High / Medium / Low on a heat map
Inputs neededAsset value, exposure factor, loss frequency dataExpert judgment of likelihood and impact
Best forCost-benefit decisions, insurance, control ROIFast triage and ranking when data is scarce
Main weaknessHard data rarely exists for novel cloud threatsSubjective, not directly comparable to control cost
Typical useDeep-dive on the few largest risksFirst pass across the whole risk register

Decision tree

Have AV, EF, ARO data?choose analysis methodQuantitative: ALE > cost?ALE = SLE x AROQualitative: heat maplikelihood x impact ratingYesNo / novel threatNow treat the riskby likelihood + impactMitigatelikely, controlaffordableTransferunlikely buthigh impact: insureAvoidno control fits,activity optionalAccepttreat costs morethan the lossWhat remains is residual risk: management accepts it or treats it further (your-half-of-shared-responsibility risk stays yours)

Cheat sheet

  • A risk needs both a threat and a vulnerability; one alone is nothing
  • Identify before you analyze, analyze before you treat
  • Single loss expectancy is asset value times exposure factor
  • Annualized loss expectancy is SLE times the annual rate of occurrence
  • Quantitative analysis exists to make cost-benefit decisions in money
  • Qualitative analysis ranks risks by judgment when data is scarce
  • Run qualitative first to triage, then quantify the few biggest risks
  • Misconfiguration is the most common cause of cloud breaches
  • A hypervisor escape crosses a tenant boundary, which is worse than one host
  • Containers share the host kernel, so a breakout reaches the host
  • Management-plane compromise has the widest blast radius in cloud
  • Side-channel attacks leak data across tenants on shared hardware
  • Mitigate when the risk is likely and the control is affordable
  • Transfer a low-likelihood, high-impact risk with insurance
  • Accept a risk only as a documented decision, never by silence
  • Residual risk is what remains after controls, and the customer owns their half
  • Assess the provider's layers through its audit reports, not your scanner
  • NIST SP 800-88: Purge keeps media reusable; Destroy gives the highest assurance

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments Whitepaper
  2. CSA Top Threats to Cloud Computing Whitepaper