Cloud services — and the risks associated with them — will only become more critical over time. Here’s how to manage those risks without missing out on the benefits of the cloud.
Cloud services are here to stay, and they are taking over more enterprise functions every year. Where once cloud services were limited to simple storage or contact management, core functions like ERP have now moved to the cloud. And with a broad array of essential services increasingly shifting to the cloud, IT leaders must keep an eye on the risks inherent in today’s cloud environment and take preventative steps to mitigate them.
Here’s a look at what your organization should do to assess and mitigate the risks of cloud computing.
Assess your appetite for risk in the cloud
In the banking industry, it is common to set a risk appetite to guide organizational decisions. For example, a conservative risk appetite would lead one to decline lucrative but highly uncertain loans. A more “bleeding edge” risk appetite may deliver higher returns during booms. The downside? Your bank may take massive hits during the next crisis.
From an IT management perspective, your risk appetite will inform your due diligence, ongoing monitoring and willingness to invest in reducing risk. For example, you may set up a tiered approach to risk mitigation to make the best use of your limited resources. The risk of a “Tier 1” cloud service failing may be reduced through staffing (e.g., having a dedicated relationship manager), regular testing and paying for top-tier vendor support.
Revisit your cloud usage culture
Cloud providers like to emphasize ease of use and flexibility. And once organizations experience the ease of the cloud, few have the desire to go back to maintaining their own legacy infrastructure. But a casual attitude toward cloud services may lead employees to take foolish risks.
“Cloud services often encourage ‘casual use’ of data; I can collect, search and store anything just about anywhere” is the hook, says John Hodges, vice president of product strategy for AvePoint. “We often see this in systems like Box, DropBox or OneDrive, where there is a real mixed-use danger in how content is stored and shared.” The simple solution? Prohibit services where mixed-use is likely to be a problem.
Banning higher-risk cloud services helps, but it does not eliminate the problem entirely. “With corporate-provided accounts such as Slack channels or Microsoft Teams or other systems, users always take the route that is most convenient for sharing data. That behavior may not align with records retention policies or restrictions on data sharing,” explains Hodges. Inconsistent application of record retention policies may cause headaches if your company is subject to litigation or a similar investigation.
Use zero trust models to reduce risk
Zero trust is an IT security strategy wherein an organization requires every user, system or device inside or outside its perimeter to be verified and validated before connecting to its systems. How can you use a zero trust model to mitigate cloud risk? For Insurity, an organization that specializes in property and casualty insurance services and software, a zero trust approach means restricting access tightly.
“We provide logical access to the minimum set of users with a minimum set of rights and privileges in line with job function requirements. This control is audited internally by our Enterprise Security team and externally as part of our annual SOC audit,” says Jonathan Victor, CIO of Insurity.
Regularly examine user access levels and ask yourself whether they make sense. Do you need dozens of users with administrative access? Each super user adds additional risk.
Learn from IT failures in the news
Taking time to study industry news for cloud-related failures will help you mitigate your cloud risk. The complex and evolving nature of cloud use in today’s enterprise means there’s always something to learn from high-profile incidents gone wrong.
“Our focus is on the loss of data, so we see important lessons in incidents like the Meraki data loss in August of 2017, when on-premises systems failed to back up data to the cloud service as it was designed to do,” says Rich Petersen, co-founder and president of JetStream Software.
Cisco admitted that cloud configuration error caused data loss and lost productivity. As The Register reported, “the incident is a huge mess for Cisco, because Meraki's sold on the basis that its supporting cloud service removes much of the grunt work required to run networks and voice systems. That Meraki's team made such a substantial mistake — and seemingly lacked data protection tools to cover such an eventuality — is a very big black mark on its reputation.”
Rethink your mix of manual vs. automated cloud management strategies
Automation, virtual assistants and data crunching can help companies not only sell more products but manage their cloud services as well. For Barracuda Networks, the scale of manual security work has come down significantly since it began automating processes for the cloud.
“We have abandoned performing manual security checks and moving to automated scans because increasing and continuous threats require 24x7x365 vigilance to ensure system integrity, data protection and compliance control requirements,” says Greg Arnette, director of data protection platform strategy at Barracuda Networks.
The drive to automate has significant limits, however, when it comes to mitigating cloud risks. After all, you can’t automate a risk assessment of a cloud provider. But if you use more automated tools to detect problems and standardize configuration in the cloud, you can focus more staff time on complex issues such as training and managing your relationships with cloud providers.
Push for audit rights for your most sensitive suppliers
Whether you have the right to audit your cloud suppliers is a hot topic. If your contracts and agreements lack this provision, your hands may be tied if there is an incident. On the other hand, large cloud providers are pushing back on these requirements.
“Regarding audits, many cloud companies are pushing back on organizations and not allowing them audit rights to audit their data centers and their processes, procedures and security measures,” says Ted Rogers, project execution advisory practice leader at UpperEdge. “Why? They are hesitant to have a third party show up and conduct an audit. Instead, the vendor says that they are compliant, or they say not to be worried about it because if they do not do it, they will be in trouble for other reasons under the contract such as a breach event.”
One solution is to critically assess the audit methodology developed by the cloud provider. Rogers suggests the following alternative: “Get access to the cloud provider’s audit documentation. Specifically, look for if they have made updates in light of Facebook’s difficulties with data privacy. Some of these cloud providers say they are just a data processor. They claim they do not touch the data and don’t give it away.” That just begs the question: how do know whether the provider is following their word?
If a cloud provider is resistant to giving your company audit rights, there are still ways to mitigate this risk. You can request more robust reporting and emphasize leading risk indicators. You can also ask your internal audit department to provide input during contract discussions.
Rethink avoidance as a risk mitigation strategy
Lastly, hacking and security are not the only risks to consider. There is also the risk of being left behind.
“A significant business risk for some of our less mature clients is not pursuing cloud transformation and services aggressively enough. The cloud is not just a new technology — it has changed the business and operating paradigm for many industries. It is about transforming the business to become more agile and competitive,” says Tony Buffomante, U.S. Leader of KPMG’s Cyber Security Services.
Moreover, few organizations have the budget or inclination to build data centers and develop all their software and infrastructure on premises. In fact, companies with a smaller IT capability may benefit from the risk management capabilities of large cloud providers.
“In our experience, the ability for large-scale cloud providers like Amazon, Microsoft and Google to provide secure IT environments dwarfs that of on-premises or custom data center configurations. We believe strongly that shunning the cloud would introduce significant risk to our business,” says Keith Cerny, chief technology officer at ACL.
“Our direct experience has been that a well-architected cloud environment addresses our security, privacy and availability requirements at a level we could not achieve through any other means. In 2016 when we moved our headquarters to a new location, we realized the major benefit of experiencing no business downtime. Our employees were able to work remotely using our cloud services, making it a seamless transition.”