As cloud offerings continue to grow and become more attractive in coming years, so will their risks.
Michael Shatter, partner, Risk Advisory Services, RSM Australia said, “With demands for greater productivity and profitability, businesses are seeking initiatives that offer greater scalability, diversity, and processing capabilities. As a result, we have seen a widespread transition to the cloud, with more companies adopting cloud solutions to support growth and add flexibility while cutting costs. Before beginning the process of moving sensitive systems, data, or applications to the cloud, businesses must ensure time has been taken and effort made to understand several key factors.”
RSM Australia has identified three key risk factors organisations need to consider when developing a cloud transition strategy:
1. Architecture
The cloud typically consists of one of three major architectures: Software-as-a-Service (SaaS); Platform-as-a-Service (PaaS); and Infrastructure-as-a-Service (IaaS). Security and regulatory compliance procedures are directly tied to the model chosen.
- SaaS: The most common example of the cloud, when using this platform a company simply leverages an application completely controlled by an external provider. Examples include webmail and social media. However, when using SaaS solutions, a company has little opportunity to conduct a security review, with risks predominately managed through the contract. Particular areas to closely evaluate include availability, ownership of liability, and the processes and responsibilities of the cloud provider during a data breach.
- PaaS: This cloud solution typically involves the movement of an application to a cloud vendor, with this third-party provider then providing the business with the required virtualised server and connectivity needed to operate the application. Vendor risk is still managed through contracts however, the company needs to keep in mind they are still responsible for maintaining the application.
- IaaS: This solution takes existing physical or virtual servers and transitions them into a cloud environment. The vendor’s main responsibility when using an IaaS solution is to manage the connectivity and security of the fundamental infrastructure, with the organisation maintaining responsibility for securing applications and operating systems.
2. Models
There are three types of cloud solutions available for organisations to implement including public cloud, community cloud and private cloud.
- Public cloud: Public cloud encompass platforms including Gmail and Dropbox. When using this solution, all customers are in the basic environment and generally have basic security controls.
- Community cloud: Designed to meet a specific industry’s security and regulatory demands, examples of community cloud solutions are designed to meet the standards and requirements set by the Australian Signals Directorate. With more specialised security requirements, community cloud options tend to be more costly than public cloud.
- Private cloud: Organisations with extensive internal information technology capabilities can choose to deploy a private cloud solution within their internal environment. This solution delivers complete control over security details and compliance demands, but carries the most expense.
3. Zombies
Representing the most significant risk, zombie systems result when an original application or underlying operating system is not maintained. Once an organisation transitions a system, application, or business process to the cloud, it is often assumed that the original assets will deactivate rather quickly. However, studies show that the sun-setting process takes an average of two to three years.
This delay typically occurs due to linkages to the original system that cannot be broken without interrupting critical business processes. Also, often as soon as cloud migration occurs, the attention of IT teams is diverted from original systems to the new cloud solutions. However, those legacy systems still exist and can contain sensitive data. As these systems do not necessarily receive the same security maintenance and updates, they can be highly vulnerable and present significant risks to the company.
To guard against zombie systems creating potential exposures in the IT environment, businesses cloud migration strategy should include full maintenance and tracking of these systems until they are officially removed from the network.
Michael Shatter said “Cloud usage is only projected to rise due to solutions that can support growth and increase profitability becoming more realistic and available for middle market companies. However, these cloud platforms are not without risk, so businesses must fully understand their cloud options and choose the option that best aligns with their regulatory demands and risk appetite.
“Organisations should evaluate their potential cloud architectures and models to develop a cloud roadmap that will let them reduce their technology vulnerabilities while creating a competitive advantage.”