Cloud risks: Security and privacy concerns when moving to the cloud
Zombies can exist in your IT systems and consideration of how to eliminate them is an important factor in developing any cloud transition strategy!
With an eye toward greater productivity and profitability, organizations are seeking initiatives that offer greater scalability, diversity and processing capabilities. These demands are driving more businesses to the cloud, as cloud solutions are now acceptable for most businesses to support growth and add flexibility while cutting costs. Cloud offerings will continue to grow and become more attractive in the coming years, and businesses should be aware of potential options and whether they align with their risk tolerance.
In discussing the widespread transition to the cloud, several key points have resonated deeply with our clients. Before starting the process to move your sensitive systems, data or applications to the cloud, your organisation should ensure time has been taken and the effort made to understand several key factors:
Architecture: The cloud typically consists of one of three major architectures, and necessary security and regulatory compliance procedures are directly tied to which model you choose.
- Software as a Service (SaaS): This platform is the most common example of the cloud, where a company simply leverages an application completely controlled by an external provider. For example, many popular webmail and document sharing solutions are built upon SaaS applications. With a SaaS solution, you have little opportunity to conduct a security review, with risks mainly managed through the contract. Particular areas to closely evaluate should include availability, ownership of liability and the cloud provider’s processes and responsibilities during a data breach.
- Platform as a Service (PaaS): This cloud solution typically entails moving an application to a cloud vendor, with that third party providing your company with the required virtualised server and connectivity to enable an application to operate. With this platform, vendor risk is still managed through contracts, but your team must understand they are still responsible for maintaining the application itself.
- Infrastructure as a Service (IaaS): An IaaS solution takes existing physical or virtual servers and completely transitions them into a cloud environment. In this scenario, your vendor’s main responsibility is to manage the connectivity and security of the fundamental infrastructure, but your organisation maintains responsibility for securing applications and operating systems.
Models: Similar to the key points related to architecture, we think it is critical your organisation understands the characteristics of the cloud solution you plan on moving to, focusing on ensuring that the chosen model meets necessary operational and, if applicable, regulatory requirements.
- Public cloud: The public cloud is the most common example of cloud storage, encompassing platforms such as Gmail and Dropbox. In this solution, all customers are in the same basic environment, generally with basic security controls.
- Community cloud: These cloud solutions are designed to meet a specific industry’s security and regulatory demands. Some examples include cloud environments designed to align with the Commonwealth and meet the standards and requirements set by the Australian Signals Directorate. With the more specialised security requirements, the community cloud tends to be more costly than public cloud options.
- Private cloud: Organisations with extensive internal information technology (IT) capabilities can choose to deploy a private cloud solution within their internal environment. This solution results in complete control over security details and compliance demands, but it carries the most expense.
Zombies: Zombies may seem like an odd term to use when discussing cloud services, but they represent the most significant risk we encounter in many client environments. Once an organisation transitions a system, application or business process to the cloud, it is often assumed that the original assets will be deactivated rather quickly. However, many studies show that the sun-setting process averages two to three years.
This delay typically occurs because many linkages to the original system, often unknown until the migration is occurring, cannot be broken without interrupting critical business processes, and months or even years can go by to unravel certain dependencies. Often, as soon as a cloud migration occurs, the attention of the IT teams is diverted from original systems to the new cloud instances, but those legacy systems still exist and can contain volumes of sensitive data.
Eventually, if the original application and underlying operating systems are not maintained, a zombie system (not quite alive, not quite dead) can reside in your environment, and in many cases only a few individuals know that it is there. These systems can be highly vulnerable and present significant risks to your company. Unlike live systems, they do not necessarily receive the same attention to security maintenance and updates. Vulnerability management processes that may once have been effective fall by the wayside, significantly increasing the exposure of these environments and systems to attack while they continue to hold important and sensitive data.
To guard against zombie systems creating potential exposures in your IT environment, your cloud migration strategy should include full maintenance and tracking of these systems until they are officially removed from your network.
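One way to make that tracking concrete is a recurring check of the asset inventory for systems that have been migrated but not yet decommissioned and whose patching has lapsed. The sketch below is an added example, not part of the original article; the inventory columns, host names and the 45-day patch threshold are assumptions chosen for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical hosts and dates, not from the article).
INVENTORY_CSV = """hostname,migrated_on,decommissioned_on,last_patched,sensitive_data
crm-legacy-01,2022-03-01,,2022-02-15,yes
hr-files-02,2023-01-10,,2024-05-20,yes
build-old-03,2021-06-30,2021-12-01,2021-06-01,no
wiki-legacy-04,2023-09-01,,2023-08-20,no
erp-onprem-05,,,2024-05-28,yes
"""

MAX_PATCH_AGE_DAYS = 45  # assumed patch SLA; replace with your own policy


def _parse(value):
    return date.fromisoformat(value) if value else None


def find_zombies(csv_text, today, max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return migrated, still-live systems whose patching has lapsed, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        migrated = _parse(row["migrated_on"])
        retired = _parse(row["decommissioned_on"])
        if migrated is None or retired is not None:
            continue  # not migrated yet, or officially removed from the network
        patched = _parse(row["last_patched"])
        patch_age = (today - patched).days if patched else None
        if patch_age is not None and patch_age <= max_patch_age:
            continue  # legacy but still maintained: keep tracking, not a zombie
        findings.append({
            "hostname": row["hostname"],
            "days_since_migration": (today - migrated).days,
            "days_since_patch": patch_age,  # None means never patched
            "sensitive_data": row["sensitive_data"] == "yes",
        })
    # Sensitive-data hosts first, then longest unpatched (never patched ranks worst).
    findings.sort(key=lambda f: (not f["sensitive_data"],
                                 -(10**6 if f["days_since_patch"] is None
                                   else f["days_since_patch"])))
    return findings


if __name__ == "__main__":
    for finding in find_zombies(INVENTORY_CSV, date(2024, 6, 1)):
        print(finding)
```

Hosts that are migrated but still patched within the threshold are deliberately left out of the findings; they remain in the inventory until their decommission date is recorded.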
Conclusion
Cloud usage is only projected to grow, as more solutions that can support growth and increase profitability become realistic and available for middle market companies. However, these cloud platforms are not without risk, and you must ensure that you understand your cloud options and which ones align with your regulatory demands and risk appetite. Carefully evaluate your potential cloud architectures and models to develop a cloud road map that can reduce your technology vulnerabilities while creating a competitive advantage.