Taking advantage of the cloud to strengthen cybersecurity efforts

At this point, almost every middle market company has transitioned at least some of its critical data and applications to the cloud for enhanced security. While companies still retain the responsibility for their data security, cloud vendors typically have more extensive security capabilities due to their economies of scale.

MMBI data shows how middle market companies have established different balances of what should reside in the cloud versus on-premises. The greatest share of survey respondents (34%) reported having 21%−50% of their environment operating in the cloud; the next largest group (22%) reported having 51%−75% of their operations in the cloud. For larger middle market companies, the top result (42%) was 21%−50%, while the leading responses for smaller middle market respondents were 21%−50% and 51%−75%, cited by 24% of respondents respectively.

“Migration to the cloud is an ever-evolving journey,” says Steve Kane, a managing director at RSM US. “Given the remote workforce and the ability to do anything anywhere, moving things to the cloud to make them accessible and more secure is going to continue to drive adoption.”   

While moving to the cloud is not a new idea, companies can utilize several strategies to protect their assets there. In the MMBI data, middle market respondents cited cloud-native tools and practices (31%), hybrid solutions combining on-premises and cloud security (31%), and a cloud provider’s built-in security measures without additional enhancements (26%) as the leading cloud technologies used to enhance cybersecurity efforts. 

Many middle market companies are being increasingly exposed to multicloud environments, where assets are divided among multiple cloud providers. For larger companies with complex operations and extensive assets, a multicloud environment can help offset the concentration risk that might come with using only one cloud provider. But the strategy almost always brings more complexity than middle market companies truly need.

“The need for a multicloud environment really has to be compelling,” says Justin Devine, a director at RSM US. “Concentration risk is worth considering, but the effort, cost and complexity of going multicloud to avoid it are generally not worth the benefit. Unless you are running exceptionally critical workloads where downtime could affect the global economy or endanger people's lives, going multicloud is generally not the best approach. Given today's modern cloud services, it's possible to build extremely resilient architectures without going multicloud. I'd advise consulting with cloud resilience professionals before adding a cloud service provider as the ‘easy button’—as building, securing and managing a multicloud environment is anything but easy.”

But Devine believes that many middle market companies that choose to implement a multicloud environment may be getting ahead of themselves and introducing unnecessary risk to the organization.

“My honest opinion is that people go multicloud way too early,” he says. “I have seen organizations go multicloud when they really don’t have a handle on one cloud yet. They double the complexity, split resources in half, make upskilling people twice as difficult, double the attack surface and double the risk.”

However, Gabriel believes most middle market companies that have a multicloud environment got there not necessarily by choice, but because of a transaction. “Most of our clients, you will only see them in a multicloud situation after they acquired another organization,” he says. “You end up acquiring someone that is an Azure shop, but you just happen to be an Amazon Web Services shop. The question becomes: What do you do, and is this something you want to manage?”

In most cases, the answer is no. To effectively manage both environments and the complexity between them, companies need duplicative resources with different skill sets. In addition, the authentication source would likely need to be externalized, adding another layer of complexity just to ensure that if something is compromised, the issue doesn’t spread to both environments.

“You basically have three options,” says Devine. “The first is to double your cloud engineering team so you can support multiple cloud platforms. The second is to refactor and migrate all the workloads to a single platform, and that probably is not worth the effort. Then the third is to limit the risk by transferring the management of the new cloud platform and transferring the risk to a managed service provider. Out of the three options, the first two are not very good.”

Ultimately, outsourcing the management of the new cloud environment—the platform with which internal staff lack experience—is the most effective path forward in many situations.

“You have to weigh your options,” says Gabriel. “You have two things you must deal with, but your core capabilities likely only align with one of them. Can you find a qualified advisor to help you? They can support you as you grow as an organization and determine where your cloud journey is eventually headed.”