7 risk mitigation strategies for the cloud

Cloud services — and the risks associated with them — will only become more critical over time. Here’s how to manage those risks without missing out on the benefits of the cloud.

Cloud services are here to stay, and they are taking over more enterprise functions every year. Where once cloud services were limited to simple storage or contact management, core functions like ERP have now moved to the cloud. And with a broad array of essential services increasingly shifting to the cloud, IT leaders must keep an eye on the risks inherent in today’s cloud environment and take preventative steps to mitigate them.

Here’s a look at what your organization should do to assess and mitigate the risks of cloud computing.

Assess your appetite for risk in the cloud

In the banking industry, it is common to set a risk appetite to guide organizational decisions. For example, a conservative risk appetite would lead one to decline lucrative but highly uncertain loans. A more “bleeding edge” risk appetite may deliver higher returns during booms. The downside? Your bank may take massive hits during the next crisis.

From an IT management perspective, your risk appetite will inform your due diligence, ongoing monitoring and willingness to invest in reducing risk. For example, you may set up a tiered approach to risk mitigation to make the best use of your limited resources. The risk of a “Tier 1” cloud service failing may be reduced through staffing (e.g., having a dedicated relationship manager), regular testing and paying for top-tier vendor support.

Revisit your cloud usage culture

Cloud providers like to emphasize ease of use and flexibility. And once organizations experience the ease of the cloud, few have the desire to go back to maintaining their own legacy infrastructure. But a casual attitude toward cloud services may lead employees to take foolish risks.

“Cloud services often encourage ‘casual use’ of data; ‘I can collect, search and store anything just about anywhere’ is the hook,” says John Hodges, vice president of product strategy for AvePoint. “We often see this in systems like Box, Dropbox or OneDrive, where there is a real mixed-use danger in how content is stored and shared.” The simple solution? Prohibit services where mixed-use is likely to be a problem.

Banning higher-risk cloud services helps, but it does not eliminate the problem entirely. “With corporate-provided accounts such as Slack channels or Microsoft Teams or other systems, users always take the route that is most convenient for sharing data. That behavior may not align with records retention policies or restrictions on data sharing,” explains Hodges. Inconsistent application of record retention policies may cause headaches if your company is subject to litigation or a similar investigation.

Use zero trust models to reduce risk

Zero trust is an IT security strategy wherein an organization requires every user, system or device inside or outside its perimeter to be verified and validated before connecting to its systems. How can you use a zero trust model to mitigate cloud risk? For Insurity, an organization that specializes in property and casualty insurance services and software, a zero trust approach means restricting access tightly.

“We provide logical access to the minimum set of users with a minimum set of rights and privileges in line with job function requirements. This control is audited internally by our Enterprise Security team and externally as part of our annual SOC audit,” says Jonathan Victor, CIO of Insurity.

Regularly examine user access levels and ask yourself whether they make sense. Do you need dozens of users with administrative access? Each super user adds risk.
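A periodic access review of this kind can be run against an export of role assignments. The Python below is an added example, not code from Insurity or the original article; the job functions, right names, admin threshold and sample rows are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical baseline: rights each job function requires (an assumption).
BASELINE = {
    "claims-analyst": {"claims:read", "claims:write"},
    "developer": {"repo:read", "repo:write", "deploy:staging"},
    "platform-admin": {"deploy:staging", "deploy:prod", "iam:admin"},
}
ADMIN_RIGHTS = {"iam:admin"}  # rights that make an account a super user
MAX_ADMINS = 2                # review threshold; set it from your risk appetite

# Constructed sample export: (user, job_function, granted_right).
GRANTS = [
    ("alice", "claims-analyst", "claims:read"),
    ("alice", "claims-analyst", "claims:write"),
    ("bob", "developer", "repo:write"),
    ("bob", "developer", "deploy:prod"),
    ("carol", "platform-admin", "iam:admin"),
    ("dave", "platform-admin", "iam:admin"),
    ("erin", "developer", "repo:read"),
    ("erin", "developer", "iam:admin"),
    ("frank", "contractor", "claims:read"),
]

def review_access(grants, baseline=BASELINE, admin_rights=ADMIN_RIGHTS,
                  max_admins=MAX_ADMINS):
    """Return (user, finding, detail) tuples for rights beyond job function."""
    granted, job = defaultdict(set), {}
    for user, function, right in grants:
        granted[user].add(right)
        job[user] = function
    findings = []
    for user in sorted(granted):
        allowed = baseline.get(job[user])
        if allowed is None:
            # No baseline means nothing is justified: flag every right held.
            findings.append((user, "unknown-job-function", sorted(granted[user])))
        elif granted[user] - allowed:
            findings.append((user, "excess-rights", sorted(granted[user] - allowed)))
    admins = sorted(u for u, rights in granted.items() if rights & admin_rights)
    if len(admins) > max_admins:
        findings.append(("*", "too-many-admins", admins))
    return findings

if __name__ == "__main__":
    for finding in review_access(GRANTS):
        print(finding)
```

Each finding is a candidate for revocation or a documented exception; an unknown job function is treated as having no justified rights at all.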

Learn from IT failures in the news

Taking time to study industry news for cloud-related failures will help you mitigate your cloud risk. The complex and evolving nature of cloud use in today’s enterprise means there’s always something to learn from high-profile incidents.

“Our focus is on the loss of data, so we see important lessons in incidents like the Meraki data loss in August of 2017, when on-premises systems failed to back up data to the cloud service as it was designed to do,” says Rich Petersen, co-founder and president of JetStream Software.

Cisco admitted that a cloud configuration error caused data loss and lost productivity. As The Register reported, “the incident is a huge mess for Cisco, because Meraki's sold on the basis that its supporting cloud service removes much of the grunt work required to run networks and voice systems. That Meraki's team made such a substantial mistake — and seemingly lacked data protection tools to cover such an eventuality — is a very big black mark on its reputation.”

Rethink your mix of manual vs. automated cloud management strategies

Automation, virtual assistants and data crunching can help companies not only sell more products but manage their cloud services as well. For Barracuda Networks, the scale of manual security work has come down significantly since it began automating processes for the cloud.