United States

Cloud risks: Security and privacy concerns when moving to the cloud

RISK BULLETIN  | 

With an eye toward greater productivity and profitability, organizations are seeking initiatives that offer greater scalability, diversity and processing capabilities. These demands are driving more businesses to the cloud, as cloud solutions are now acceptable for most businesses to support growth and add flexibility while cutting costs. Cloud offerings will continue to grow and become more attractive in the coming years, and your business must be aware of potential options and whether they align with your risk tolerance.

We have discussed the widespread transition to the cloud for middle market organizations on many occasions, but several key points have resonated deeply with our clients. Before starting the process to move your sensitive systems, data or applications to the cloud, your organization must understand several key factors:

Architecture: The cloud typically consists of one of three major architectures, and necessary security and regulatory compliance procedures are directly tied to which model you choose.

  • Software as a Service (SaaS): This platform is the most common example of the cloud, where a company simply leverages an application completely controlled by an external provider. For example, many popular webmail and document sharing solutions are built upon SaaS applications. With a SaaS solution, you have little opportunity to conduct security review, with risks mainly managed through the contract. Particular areas to closely evaluate should include availability, ownership of liability and the cloud provider’s processes and responsibilities during a data breach.
  • Platform as a Service (PaaS): This cloud solution typically entails moving an application to a cloud vendor, with that third-party providing your company with the required virtualized server and connectivity to enable an application to operate. With this platform, vendor risk is still managed through contracts, but your team must understand they are still responsible for maintaining the application itself.
  • Infrastructure as a Service (IaaS): An IaaS solution takes existing physical or virtual servers and completely transitions them into a cloud environment. In this scenario, your vendor’s main responsibility is to manage the connectivity and security of the fundamental infrastructure, but your organization maintains responsibility for securing applications and operating systems.

Models: Similar to the key points related to architecture, your organization must understand the characteristics of the cloud solution you plan on moving to, focusing on ensuring that the chosen model meets necessary regulatory requirements.

  • Public cloud: The public cloud is the most common example of cloud storage, encompassing platforms such as Gmail and Dropbox. In this solution, all customers are in the same basic environment, generally with basic security controls.
  • Community cloud: These cloud solutions are designed to meet a specific industry’s security and regulatory demands. Some examples include cloud environments designed to align with the Federal Information Security Management Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) or payment card industry (PCI) guidelines. With the more specialized security requirements, the community cloud tends to be more costly than public cloud options.
  • Private cloud: Organizations with extensive internal information technology (IT) capabilities can choose to deploy a private cloud solution within their internal environment. This solution results in complete control over security details and compliance demands, but it carries the most expense.

Zombies: Zombies may seem like an odd term to use when discussing cloud services, but they represent the most significant risk we encounter in many client environments. Once an organization transitions a system, application or business process to the cloud, it is often assumed that the original assets will be deactivated rather quickly. However, many studies show that the sunsetting process averages two to three years.

This delay typically occurs because many linkages to the original system, often unknown until the migration is occurring, cannot be broken without interrupting critical business processes, and months or even years can go by to unravel certain dependencies. Often, as soon as a cloud migration occurs, the attention of the IT teams is diverted from original systems to the new cloud instances, but those legacy systems still exist and can contain volumes of sensitive data.

Eventually, if the original application and underlying operating systems are not maintained, a zombie system (not quite alive, not quite dead) can reside on your environment, but in many cases only a few individuals know that they are there. These systems can be highly vulnerable and present significant risks to your company. To guard against zombie systems creating potential exposures in your IT environment, your cloud migration strategy must include full maintenance and tracking of these systems until they are officially removed from your network.

Conclusion
Cloud usage is only projected to grow, as more solutions that can support growth and increase profitability become realistic and available for middle market companies. However, these cloud platforms are not without risk, and you must ensure that you understand your cloud options and which ones align with your regulatory demands and risk appetite. Carefully evaluate your potential cloud architectures and models to develop a cloud road map that can reduce your technology vulnerabilities while creating a competitive advantage.