Domain 3: Cloud Platform & Infrastructure Security Module 32 of 70

Module 32: Risk Assessment for Cloud Infrastructure

CCSP Domain 3 — Cloud Platform & Infrastructure Security Section B 6–8 min read
The CCSP exam expects you to assess risk in cloud environments differently than traditional IT — factoring in shared responsibility, limited visibility, and provider dependency.

Risk Assessment in Cloud Is Not the Same

Traditional risk assessments assume full control. Cloud introduces variables that fundamentally change the equation:

  • You share risk with the provider (shared responsibility model)
  • You have limited visibility into provider infrastructure
  • Multi-tenancy introduces risks you cannot directly mitigate
  • Provider lock-in creates business continuity risk
  • Data location affects regulatory risk
When the exam presents a risk assessment scenario in cloud, the correct answer accounts for both customer-controlled and provider-controlled risk factors. An answer that only addresses one side is incomplete.

Qualitative vs. Quantitative Risk Assessment

The exam tests both methodologies:

Qualitative — uses categories (high/medium/low) based on expert judgment:

  • Faster to perform
  • Better for cloud scenarios with limited historical data
  • Uses risk matrices to prioritize
  • Subjective but practical

Quantitative — uses numerical values to calculate expected loss:

  • ALE = SLE × ARO (Annual Loss Expectancy = Single Loss Expectancy × Annual Rate of Occurrence)
  • More precise but requires reliable data
  • Difficult in cloud because provider outage data may be limited

Exam thinking: The CCSP typically favors qualitative assessment for cloud environments because quantitative data about provider-side risks is often unavailable. If the question asks which method is MOST appropriate when limited historical data exists, choose qualitative.

Cloud-Specific Risk Factors

The exam expects you to identify risks unique to cloud deployment:

  • Vendor lock-in — proprietary services make migration difficult and expensive
  • Data sovereignty — data stored across jurisdictions introduces legal risk
  • Multi-tenancy — noisy neighbors, side-channel attacks, shared resource contention
  • API dependency — management plane compromise affects all resources
  • Supply chain — CSP subcontractors and fourth-party dependencies
  • Insecure interfaces — poorly designed APIs and management consoles

The CSA (Cloud Security Alliance) Treacherous Twelve and the ENISA cloud risk assessment framework are reference points the exam may draw from.

Risk Treatment Options

After assessing risk, you must decide how to treat it. The exam tests four standard options:

  • Mitigate — implement controls to reduce likelihood or impact
  • Transfer — shift risk to another party (insurance, contractual terms)
  • Accept — acknowledge the risk within appetite and document it
  • Avoid — eliminate the activity causing the risk

Cloud adds nuance: Using a CSP itself is a form of risk transfer for physical security risks. But the exam will remind you that you cannot transfer accountability — only the task.

Moving to cloud transfers the execution of physical security to the CSP. It does not transfer your accountability for protecting the data. The exam tests this distinction repeatedly.

Risk Registers and Continuous Monitoring

Risk assessment is not a one-time activity. The exam expects you to understand continuous risk management in cloud:

  • Maintain a risk register that includes cloud-specific entries
  • Reassess risk when the CSP changes terms, services, or infrastructure
  • Monitor CSP status pages and incident reports for emerging risks
  • Review third-party audit reports on a recurring schedule
  • Update risk assessments when regulatory requirements change

The exam rewards candidates who recognize that cloud risk is dynamic. A CSP acquisition, a new vulnerability class, or a regulatory change can shift risk levels overnight.

AI and Emerging Technology Risks

Modern risk assessments must account for AI-specific infrastructure risks: GPU resource exhaustion, model poisoning through compromised training pipelines, and the amplified impact of data breaches when training data is exposed. The exam expects you to apply the same risk assessment frameworks to AI workloads — assess likelihood, impact, and treatment options just as you would for any other cloud workload.

Next Module Module 33: Vulnerability and Threat Analysis