Move to the Cloud with Confidence:
6 Key Risks & Mitigation Techniques, Part 1
Author: Samuel Lewis, Senior Security Consultant, CISO Global
Over the past several years, an increasingly fluid work environment has followed trends of modern globalization in the workplace. Leveraging cloud solutions, many companies have let go of historical limitations imposed by on-premises and local solutions. The truth is, cloud outsourcing can be a game changer, as it provides organizations with more cost-effective and management-friendly software, infrastructure, and computing power than would otherwise be possible. To support organizations that may not have application- or infrastructure-specific expertise to architect rollouts, many cloud services providers also offer cloud engineering services. While convenient and budget-friendly, outsourced cloud offerings can also introduce risk that may reduce ROI or even result in costly breaches whose expenses far exceed the money saved. The goal is always to find a way to maximize benefits without succumbing to unforeseen consequences. In this series, we’ll explore the six most important risks to address when implementing outsourced cloud solutions, starting with information security and service availability.
Risk 1: Information Security
When it comes to sensitive data your organization wishes to send, receive, store, or process in the cloud, you’ll want to consider not just your organization’s regulatory requirements for information security and privacy protections, but also security best practices that can help mitigate the risk of a breach. You are trusting your provider to take certain precautions when outsourcing, but it’s easy to misunderstand certain components of what most cloud service providers (CSPs) call a shared responsibility matrix, or a model for who is responsible for securing which systems and data in the cloud. Most of the time, your provider only secures the infrastructure, leaving all configurations, settings, and additional protections in your hands. If you also enlist outsourced architects, you will want to validate that what is being done on your behalf is what should be done – that all risks are countered by strong security controls.
Measures you can take to protect sensitive datasets include properly implemented encryption, access controls, and multi-factor authentication (MFA). To ensure you align sensitive datasets with the right corresponding controls, you will want to perform a data inventory and classification review, ensuring that you not only know where all your datasets are, but also that they are correctly classified according to their level of sensitivity and importance. This can seem straightforward but is typically more involved than people realize.
When encrypting your most valuable datasets, remember that they need to be protected both at rest and in transit, and take extreme care with how the encryption keys are secured and managed. If the keys are stored in accessible locations, all an attacker has to do is navigate to the keys and use them to unlock the data they wish to exfiltrate. However, if you have stored them in a separate, highly secure location, an attacker who gains access to that data will find it useless. For this reason, aligning levels of access to defined roles – rather than providing data/key access to people who don’t need it to perform their work duties – can help minimize the risk of compromise through stolen credentials or other means. This is known as the principle of least privilege.
Another security control that is not likely to come with your outsourced cloud solutions “out of the box” is multi-factor authentication. You will want to implement a system that requires something users have, something they know, and something they are. What that means is that they may have an authentication token, know a corresponding password, and be validated as the correct user through face recognition or another biometrics-based authentication measure.
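The inventory review and key-handling checks described under Risk 1 can be automated. The sketch below is an added example, not code from the author or from any CSP; the policy table, field names and sample inventory are assumptions constructed for illustration. It checks each dataset for a classification, the controls that classification requires, keys stored apart from the data, and key access limited to the roles that need it.

```python
from dataclasses import dataclass, field

# Assumed policy for this example: controls required per classification level.
REQUIRED = {
    "public": set(),
    "internal": {"encrypt_in_transit"},
    "confidential": {"encrypt_at_rest", "encrypt_in_transit", "mfa"},
}

@dataclass
class Dataset:
    name: str
    classification: str            # "" means the dataset was never classified
    data_location: str             # where the data is stored
    key_location: str = ""         # where its encryption key is stored
    controls: set = field(default_factory=set)
    key_roles: set = field(default_factory=set)     # roles granted key access
    needed_roles: set = field(default_factory=set)  # roles whose duties need it

def audit(ds):
    """Return the list of findings for one dataset (empty list = compliant)."""
    if ds.classification not in REQUIRED:
        return ["not classified: required controls cannot be determined"]
    findings = [f"missing control: {c}"
                for c in sorted(REQUIRED[ds.classification] - ds.controls)]
    if "encrypt_at_rest" in ds.controls:
        if ds.key_location == ds.data_location:
            findings.append("key stored in the same location as the data")
        excess = ds.key_roles - ds.needed_roles
        if excess:
            findings.append("key access beyond least privilege: "
                            + ", ".join(sorted(excess)))
    return findings

def audit_inventory(inventory):
    """Map each dataset name to its findings."""
    return {ds.name: audit(ds) for ds in inventory}

# Constructed sample inventory (all names are made up for illustration).
INVENTORY = [
    Dataset("customer_pii", "confidential", "storage-a", "storage-a",
            {"encrypt_at_rest", "encrypt_in_transit"},
            {"dba", "developer", "intern"}, {"dba"}),
    Dataset("billing_db", "confidential", "storage-b", "key-vault",
            {"encrypt_at_rest", "encrypt_in_transit", "mfa"},
            {"billing-svc"}, {"billing-svc"}),
    Dataset("hr_exports", "", "storage-c"),
    Dataset("marketing_site", "public", "storage-d"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", findings or "OK")
```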
Risk 2: Uptime and Availability
Another issue to consider when outsourcing to the cloud is your provider’s rates of uptime and availability. When you have hardware on-premises, your IT teams can monitor for outages and quickly make repairs as needed. However, relying on a CSP means trusting that when you need to use their service, it’s not experiencing an outage. Downtime of any kind can cause disruptions to your business, which can impact productivity and revenue. Determining your organization’s risk tolerance for downtime is a fairly simple calculation, which you may already have on hand for your backup and recovery systems. For cloud outsourcing, you would just apply that logic to the particular datasets and processes that will be stored/performed in the cloud based on their level of importance in your business.
Of course, it would be unrealistic to think your CSP will never experience disruptions, because natural disasters, manmade hazards, internet outages, cyber attacks, or other issues are unpredictable by nature. However, CSPs who have adequate redundancy and failover systems in place will be much more reliable, so it’s good to get service level agreements (SLAs) from your CSP that are aligned to your uptime and availability needs. Part of examining the adequacy of their documentation will be validating that their redundancy covers multiple availability zones and geographical regions (so they can still serve you if one zone or region is experiencing an outage). It’s also good to get written evidence of their incident response and disaster recovery measures. Based on the shared responsibility matrix, some part of this may fall on your organization, so be sure to consider what you need to do on your end to ensure that if an emergency does occur, business can continue as usual.
If your organization is considering outsourcing some or all of your systems to a cloud service provider, and you’d like support mitigating the risks associated with information security, privacy, compliance, availability, or any other concerns, reach out to us for a chat here.