Risk Management in the Cloud: A Guide On What You Need to Know
Information Technology professionals play an essential role in migrating content to the cloud, as well as managing access and security protocols. We must remain vigilant and anticipate the risks of placing any material in the cloud.
Here is a general, non-technical overview of things we should consider. This includes evaluating and choosing a cloud provider, negotiating the service agreement, developing guidelines or policies that involve risk assessment, monitoring risks, and having appropriate disaster recovery solution options.
Evaluating Cloud Providers
The first step any technology professional must make when choosing a cloud provider involves investigating the services required and clearly articulating these needs to others in leadership. Mistakes made at this early stage may pose more significant problems when moving forward. We need to determine the balance of services we require through the cloud:
- Software as a Service (SaaS) focuses primarily as software applications
- Platform as a Service (PaaS) includes applications and an on-demand platform with storage
- Infrastructure as a Service (IaaS) includes more functionality
To decision-makers in our organization, the cloud may resemble an amorphous entity. We must clearly explain the types of services we need and the best way to move forward. Without our involvement at this critical moment, others unfamiliar with IT may make unwise decisions that will harm our network.
Selecting a Provider and Negotiating the Service-Level Agreement
After carefully determining our needs and reviewing the providers, we can move forward with negotiations to choose the provider and develop the Service-Level Agreement (SLA).
Since multiple parties share and store resources across the cloud, traditional ways to measure service performance and interruptions become more difficult than in traditional systems. If a hard drive fails or applications crash on a stand-alone computer or server, we can isolate the problem. Service interruptions due to loss of data integrity or other factors across the cloud require higher levels of investigation.
With this in mind, our negotiations for SLAs that cover cloud servers will take a different form than those used for partnering companies that may house or maintain more traditional storage arrangements of applications and data. Once we move applications to the cloud, for example, we will expect them to meet an even higher level of reliability. If an application on one computer fails, it is a problem; if that same application–now cloud-based–fails, the problem multiplies with each person unable to use the application.
Developing Risk Assessment Guidelines and Policies
When we move infrastructure and applications onto the cloud, we make a decision that also requires us to surrender some control. In earlier days, when a business entity maintained their trade secrets or other intellectual property in a secured vault or safe on site, they were the actual gatekeeper and had full authority and ability to monitor access. While there was always the possibility that someone could leak or share sensitive content in this earlier way of managing information, at the very least the company had a way to track physical access.
All of this changed with electronic networks. As a growing number of companies–as well as individuals–place digital resources on the cloud, they expose themselves to a higher level of vulnerability. By outsourcing the management of data, applications, or platforms, we have to trust that those partners will maintain the integrity of the data, ensure its security, and guarantee its availability.
Security of access and reliability of content are imperative. The number of cybersecurity breaches is growing year after year. We must maintain frequent communication with our cloud partners through electronic handshakes as well as human contact. Our company must have in place guidelines and policies that clearly outline how responsible parties will track and respond to any risks our data, applications, or other resources could face once hosted outside of our physical control.
These guidelines and policies require review up to the highest levels of the organization. We should not try to craft them in a silo because if a breach or damage to our data ever occurs, we need to make sure that those above us have had a chance to review our risk assessment practices.
The company’s legal office or liaison should review any policies or guidelines created as well. Archivists often talk about “chain of custody”: Once an entity gives up absolute custody, others may question an item’s integrity. If a document is in a locked box onsite, we maintain custody and monitor all access. If a digital archive has content stored in the cloud, the archivist has to trust a third party as a gatekeeper. Can that archivist say under oath that the integrity of the data remains unaltered and in its original form? Our policies must address who is responsible within our organization and the cloud providers to make these assurances.
We have made the decision to move some elements to the cloud, selected providers, and developed guidelines. Those at higher levels and legal staff have reviewed our risk assessment plan. Are we finished? Hardly. We know that risk assessment is ongoing and vigilance is never-ending. If a company enters the cloud cautiously by placing only a few assets into a cloud platform, we must consider the potential risk each time our organization decides to place additional or different types of content into the cloud.
For example, if a company decides to outsource content that it already offers through Open Access and has Creative Commons licenses in place that allow outside users to share, the risk posed by placing this content in the cloud is minimal. The risk increases if we add intellectual property that we do not want to share with outsiders. Down the road, if sensitive human resources data enters the cloud, the risk becomes more substantial.
Along the way, we need to assess risk on two levels: 1. Has the risk changed for what we already have placed in the cloud? 2. Will risks become different for varying content or applications?
Mitigation strategies will vary. If someone downloads an item with a Creative Commons license and fails to attribute content, that is improper and a violation of how we expected an item to be used. If another party gains access to our payroll data stored in the cloud, our threat level and mitigation strategy differ significantly from a violation of a Creative Commons license.
Ongoing risk assessment requires that we have the following competencies:
Knowing Who Can Gain Access to Data. The in-house controls formerly in place no longer apply. Especially for sensitive data, risk assessment is ongoing. We used to limit which employees could gain physical access to records in our company. We need to know who can view these same records at the cloud company that hosts our content. Detailed background checks in-house will do little good if the cloud provider fails to monitor the practices of its staff.
Understanding Compliance Responsibilities. When a company places content in the cloud, it does not abolish its accountability. Compliance considerations must be part of your risk assessment process. If security is breached or data is compromised, we are on the hook. Also, if we have regulatory compliance reporting that we must perform for governmental bodies or our boards of directors, we must assure that we have a way of auditing data and reporting compliance.
Realizing the Many Locations Where Your Data Resides. Cloud servers may parse and spread your data across many geographical boundaries. Does the cloud provider maintain your data at one location or in many countries? How do the laws in these locations differ from the laws that govern your company’s activities? You must always ask questions if you have concerns about how the location of their cloud platforms might pose an issue.
Maintaining a Secure Environment for Your Offsite Content. It goes without saying that data encryption must occur. In addition to standard encryption, you may want to implement a virtualized version of your encryption software that corresponds with any applications kept in the cloud. This model is known either as BYOE or BYOK because you bring your own Encryption or Key that provides an even higher level of security.
Having Disaster Recovery And Risk Mitigation Solutions in Place
Inevitably, we will have to confront some crisis related to our presence on the cloud. The situation may be a temporary inconvenience, such as a power outage or server failure. We can address these issues quickly and move forward. However, more severe situations such as denial of service attacks or the theft of sensitive data will have long-term effects our reputation, bottom line, and corporate social responsibility.
Similar to the way we maintain insurance for assets and evacuation plans for fires and other emergencies, we need to have plans in place to address disaster recovery as part of our risk management plan for content and applications placed on the cloud. Disaster recovery solutions must address the following:
Evaluating Data Loss: We must clearly define the roles of both our entity and the data provider in this process.
Implementing Data Recovery: With most if not all of our data encrypted, we need to have steps in place that allow us to recover as much of the corrupted and encrypted content as possible.
Restoring Availability of Cloud Content: If a failure or interruption affects the equipment, network, applications, or data, we cannot access information. Before putting our inventory records entirely in the cloud, we need to consider redundancies or backups to assure minimal downtime. Imagine a retailer and its customers if access to inventory disappears on Black Friday!
Planning for Unexpected Changes in Our Relationship with a Provider: If a cloud provider is acquired or merges with another company, we need to consider plans to reassess our contractual relationship, find alternatives and terminate the relationship.
We hope you enjoyed the promoted post as much as we did!