Toby Merrill, Division SVP, Global Cyber Risk Practice Leader, ACE Group
Cloud computing has become, among other things, a buzzword nearly everyone is familiar with, but very few truly understand. Even fewer grasp all its implications for the future—largely because they are not yet completely clear, much less visible. The reason? As a technology, cloud computing is still closer to the infancy of its development. As a result, many of its benefits have not been fully realized, and its many risks are largely unknown.
What is clear, however, is that “the Cloud” is poised to do nothing less than redefine and take over the IT landscape and, with it, the way every company around the world does business.
Most companies are very familiar with the potential benefits of outsourcing their computing to the cloud, including speed, security, backup, reduced infrastructure costs, increased capacity, scalability, availability, geography, mobility and, in some cases, regulatory compliance. However, many companies are not as familiar with the new risks this evolution in technology has introduced.
The tremendous benefits of cloud computing are accompanied by a host of perils, including data security, privacy, contractual, aggregation, hidden costs, and business interruption—all of which have the potential for significant financial liability. Unfortunately, the decision to move to the cloud is often made before these risks are properly communicated and considered. CIOs should be working in close partnership with their company’s risk management departments to properly assess and mitigate these risks. With the cloud, it is not just the risk manager’s responsibility to mitigate these dangers. As every employee interacts with and uses data constantly—from the CIO to the board to the new associate just out of college—everyone in the organization needs to have some awareness of data security measures.
“Managing the risks of the cloud require careful due diligence and a rational analysis of both cloud provider services and the changing needs of the organization”
What are the Risks of Cloud Computing?
Being aware of the potential risks, practicing due diligence when hiring cloud computing service providers, and implementing comprehensive risk management programs are steps that are more than recommended; they are essential. Though certainly not all encompassing, there are five core areas deserving of careful consideration by any enterprise contemplating a cloud migration:
Contracts: The contracts offered by cloud providers don’t often incorporate the usual indemnification, limitations of liability or other terms pertaining to privacy and data security that most organizations expect to negotiate into service provider contracts. In some instances, the cloud provider may not even be contractually obligated to provide notification of a breach, leaving organizations noncompliant with regulatory and other legal obligations. This means that customers may find themselves facing full liability of a data breach that was arguably not their fault.
Loss of Control: When working with a cloud provider, organizations often cede control of data and network availability. Some cloud providers store data in multiple jurisdictions, perhaps even transferring data to warehouses in other countries. Privacy regulations differ by country, even by state, and data that is considered compliant in one location may not be in another. Also, in a public cloud, one company’s data may be intermingled with another’s, making it difficult to complete even a simple investigation if a breach does occur.
Aggregation Risk: Advanced attacks—often referred to as Advanced Persistent Threats (APT)—against large, highly sophisticated technology companies continue to increase. The cloud therefore creates a new aggregation exposure that organizations have not previously faced.
Cost: No one can dispute the up-front savings that an organization can realize by migrating to the cloud. Potentially, though, there are a number of hidden costs that many may not have considered. For example, what are the costs associated with transferring your data and network to another cloud provider? Other costs that need to be considered include further legal expenditures and tax implications, as well as audit and oversight.
Data Security: Many organizations fail to realize that it is their responsibility to secure data before sending it to the cloud, as cloud providers generally will not guarantee the security of data stored in their cloud. In fact, most will limit their contractual exposure entirely.
Making Cloud Computing Work for Your Company
An organization about to send its precious data to a cloud needs to use the same level of due diligence that it would when constructing a building in a fire, flood or earthquake zone. That analogy is apt because there are many risks and control issues that need consideration if an organization wishes to mitigate as many pitfalls as possible. Some core areas to consider include:
Privacy by Design: Migration into the cloud environment should be an extension of “privacy by design” principles already in use, since organizations should incorporate privacy requirements during their development of new systems, products, and services. According to the Department of Homeland Security, many organizations now perform a Privacy Impact Assessment—a process that helps identify and reduce the privacy risks of products and services under development.
Shared Security and Related Responsibilities: Risk managers need to keep in mind the fact that data privacy and security responsibilities begin within their own organization before continuing into the cloud. Vital security controls can be overlooked if the allocation of security responsibilities between the organization and the cloud provider isn’t fully understood.
Control and Liability: While companies must sacrifice some element of control in order to utilize the benefits of cloud computing, there are best practices that can help mitigate the security concerns as well as the financial risks associated with this loss of control—such as utilizing proper encryption key management to control data access, vigilant monitoring of traffic and activity in their cloud environment, and negotiating rights to audit and access the cloud platform or infrastructure into the contractual agreement.
Due Diligence and Vendor Management Programs: Increasingly, cloud customers are developing formal due diligence processes and vendor management programs to assess the risks of adopting cloud technology. Common elements include a preliminary data assessment, a security and privacy risk assessment process, and standard contract terms focused on data security and privacy.
Balancing the Benefits and Risks of the Cloud
In the not-too-distant future, a majority of companies, both large and small, will likely utilize the cloud for some aspect of their business. The benefits of the cloud are tremendous and impossible to ignore—to do so could put an organization at a considerable competitive disadvantage. However, managing the risk requires careful due diligence and a rational analysis of both cloud provider services and the changing needs of the organization.