I am often asked “does using a cloud service alter risk?” I always reply to this question with “well it depends”. Every organization has its own set of circumstances, and the answer needs to take these into account. It is also important to think about how the responsibility for security is shared between the service provider and the customer. This blog outlines the core business risks and what organizations need to consider.
While much discussion focusses on the technical risks, at the business level there are three distinct cyber risks, and using cloud services can have an impact on all of these.
Poorly secured service infrastructure can result in all of the above business risks, and securing that infrastructure against all the potential risks is challenging. The large cloud service providers have the skills and resources to secure their infrastructure to a level beyond that possible for many enterprises.
For example, many small businesses run their IT services in environments with poor physical security. They may have little or no control over physical access, or over protection against fire, flood, and disruptions to the power supply or communications networks. This is described eloquently in a presentation by Mark Evans entitled: The reasons why RLB moved to the cloud. All the major cloud services are delivered from datacentres with strong controls over all of those aspects.
However, there is still a residual risk because some cloud services have been impacted by disruptions, and the customer always needs to consider this.
Data is the most important business asset of the modern enterprise and needs to be protected against unauthorized access and changes. Its confidentiality and integrity can be compromised while it is in transit, in storage, and being processed, and using cloud services places all three of these outside of the customer’s direct control.
Organizations must evaluate these risks based on the sensitivity of their data and ensure that it is appropriately protected both on premises and in the cloud. Organizations using cloud services should protect their sensitive and regulated data using certified strong encryption algorithms and implement strong controls to protect the encryption keys. Cloud services must provide capabilities to help their customers protect their data, as well as supporting the various technologies that customers may adopt.
Loss of access to your business data would have a severe impact. The prevalence of ransomware attacks has emphasized the need for data resilience. In addition, the changes in working patterns following the COVID-19 pandemic have also increased organizational dependency on cloud services.
There is a temptation to believe that the use of a cloud service removes the need for the customer to consider the resilience of their data. The responsibility for data held in cloud services is shared between the tenant and the service provider, and there are many situations where the tenant is responsible for the resilience of their data. For example, while many cloud services promise very high levels of data resilience, these do not cover the data being deleted by the customer.
Whether or not you use a cloud service you need to back up your data and have a tested disaster recovery plan.
Controlling which people and which devices can access your assets is a fundamental security control. It is your responsibility to control access to your business services and data, whether or not they are held in the cloud. This is an essential part of a Zero Trust approach.
Virtualized services such as those delivered from the cloud add a new challenge in this area. The virtual service elements need access to each other and the service infrastructure, and failure to manage this can lead to data breaches. An example of this led to a data breach and a large financial penalty.
Many organizations have mature processes and technologies in place to manage access to their on-premises services. However, these may not be well integrated with their use of cloud services. This is especially important in the area of privilege management.
Managing IT services requires accounts with privileged access, and it is vital to control these. These accounts are the targets of cyber attackers, since they provide a route into the organization's IT infrastructure. They can be misused by insiders, and even a simple mistake can have a severe impact on business-critical services.
The cloud service provider needs these accounts to manage their service and there are concerns that these could be used to access the cloud customers’ assets. In particular, there are concerns that governments could legally demand that the cloud service provider turn over their customers’ data. This is effectively the risk underlying the Schrems II judgement.
In addition, where many departments within a large organization use the same cloud service, there will be many local administrators. The scope of these administrators' privileges should be limited to prevent malice or mistakes from affecting other parts of the service.
The more complex the system, the more difficult it may be to protect. One argument for using a cloud service is that it provides a consistent environment and, together with application modernization using containers, reduces complexity. Unfortunately, most organizations now have a hybrid environment using multiple clouds as well as on-premises delivery of business applications.
This hybrid environment is even more complex because each cloud has its own security model and associated tools. According to the Cloud Migration Stats - 2022 Flexera State of the Cloud Report, the top challenges are trustworthiness with respect to security, risk and compliance, as well as cost management. These challenges stem from the added complexity of the multiple environments.
Organizations need to adopt a security fabric paradigm to assist with this complexity.
For highly regulated industries such as finance, healthcare, and pharmaceuticals, the issue is transparency of cloud service controls. In these industries, it is essential to be able to prove the existence and effectiveness of controls to demonstrate compliance. Currently it is not practical for the large CSPs to allow tenants to audit the services they use, and so tenants must rely on independent third-party attestations that the services comply with standards and regulations. This is an inhibitor to the take-up of cloud services in these sectors.
Cloud service providers will need to provide much greater transparency around their controls. This should be done in a way that allows an organization using the service to map both their own controls and the controls in the service to their compliance obligations. This should ideally be automated, for example through APIs, in a way that allows compliance to be monitored in near real time. Some cloud vendors are moving towards this to meet cloud sovereignty obligations.
The business risks associated with the use of cloud services depend upon several factors. The cloud is only one service delivery model in today's complex hybrid, multi-cloud IT environment. Organizations should consider at least the aspects described above in their own context. KuppingerCole can provide advisory services to help find the best approach for your organization. You can get more details by attending the KuppingerCole Cyber Security Leadership Summit in Berlin from November 8th to 10th 2022.