Best Practices to Manage Risks in the Cloud

Author: Maria Gregorio, CISA, CRISC, CDPSE
Date Published: 22 February 2021

The growth in cloud computing has been exponential. Forrester predicted that the global public cloud infrastructure market will grow 35% to US$120 billion in 2021. COVID-19 has served to accelerate this trend further. According to Sid Nag, research vice president at Gartner, the pandemic has validated the cloud’s value proposition.

Cloud computing offers agility, efficiency and flexibility to deliver the tools that can be accessed by the workforce wherever they may be located, and allows the business improved speed to market. It can also curtail tech spend and worries about maintaining and updating IT infrastructure.

There are different cloud service delivery and deployment models that a business can adopt:

Primary cloud delivery models include: 

  • Software as a Service (SaaS) – SaaS vendors deliver software applications over the internet.
  • Infrastructure as a Service (IaaS) – IaaS vendors deliver IT infrastructure services such as servers, data centers, storage and networking over the internet.
  • Platform as a Service (PaaS) – PaaS vendors deliver the platform and tools to develop software applications.

Cloud deployment models include:

  • Public – Available to the general public; data are created and/or stored on the service provider’s infrastructure, and the provider administers the pooled resources. These resources can be free or pay-per-use over the internet.
  • Private – As the name suggests, this option consists of cloud computing resources used exclusively by one business or organization. It can be hosted on premises or by a provider, but the services and infrastructure are always maintained on a private network. Private clouds are often used by financial institutions, government agencies and other organizations that require more control over their environment.
  • Hybrid – This deployment option combines private computing resources and public services.

These new business models offer many of the benefits noted above, but they come with potential risks:

  • Financial – cost overruns, impact on business return on investment (ROI)
  • Privacy – entrusting the organization’s sensitive data to a third party
  • Compliance – inability to meet contractual, legal and regulatory obligations
  • Security – unauthorized access, misconfiguration
  • Performance and quality – degradation
  • Technical – inability of the business to adapt to dynamic technologies, incompatibility, and limitations on what and how much can be customized

Below are some best practices to manage these risks:

  1. Plan. Develop a cloud computing strategy that is aligned with your business strategy. This will help to manage investments and to deliver on business objectives.
  2. Choose your cloud service provider (CSP) wisely. Perform vendor risk assessments covering contractual clarity, ethics, legal liability, viability, security, compliance, availability, business resiliency, etc. Leverage independent audit reports to assess the soundness of the CSP’s controls. Determine whether the CSP relies on its own service providers (fourth parties) to deliver its services/solutions, and scope the assessment accordingly.
  3. Adopt the cloud service delivery and deployment model that will facilitate achieving business objectives, minimize risk and optimize the value of the cloud investment.
  4. Understand the shared responsibility model defined by the CSP. It divides security responsibility between the organization and the CSP, and the split differs by CSP and by delivery model (the customer manages far more of the stack under IaaS than under SaaS), so it is imperative to agree on clearly defined boundaries. Regardless of the model, the customer remains responsible for their own data, endpoints, and identity and access management.
  5. Do not store your encryption keys where your data is. There are several methods to consider: keeping keys on premises while the data is in the cloud, isolating the key store in its own virtual private cloud (VPC), or using a commercial key manager outside your cloud ecosystem. Whichever you choose, the goal is that a copy of the data store alone is useless to an attacker.
  6. Strategize not only for scalability but for availability. Establish redundancy across regions and availability zones.
  7. Deploy technical safeguards such as a Cloud Access Security Broker (CASB). A CASB is an on-premises or cloud-based security policy enforcement point placed between cloud service users and cloud service providers; it enforces the enterprise’s security policies as users access cloud-based resources. A CASB provides visibility into all cloud services in use (including unsanctioned ones), identifies risks, monitors data flowing between the enterprise and the cloud, blocks malware and APT threats, provides audit trails and facilitates compliance.
  8. Establish an end-to-end, cyclical risk assessment of the cloud project throughout its lifecycle. Mitigate risks. Monitor, test and repeat.
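The practice of keeping encryption keys away from the data, together with the customer’s responsibility for their own data under the shared responsibility model, can be made concrete with envelope encryption. The Go program below is an added example written for this page, not code from the author or from any CSP: a KeyService type stands in for a key manager outside the data’s cloud ecosystem (on premises, a separate VPC or a commercial KMS), and a Record is all the cloud data store ever holds. The type and function names, and the sample plaintext, are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is the only thing the cloud data store keeps: the ciphertext and
// the per-object data key wrapped under a key-encryption key (KEK) that the
// data store never sees. Both fields are laid out as nonce || AES-GCM output.
type Record struct {
	Data       []byte
	WrappedKey []byte
}

// KeyService models a key manager that lives outside the data's cloud
// ecosystem. Callers only ever receive data keys; the KEK never leaves it.
type KeyService struct {
	kek []byte
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256 KEK, generated and held here only
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// sealGCM encrypts with AES-256-GCM and prefixes the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or tampered input fails the GCM tag check.
func openGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// GenerateDataKey returns a fresh data key in the clear (used once, then
// dropped) together with its KEK-wrapped form, which is what gets stored.
func (k *KeyService) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealGCM(k.kek, plain)
	return plain, wrapped, err
}

// UnwrapDataKey is the only call the data side needs at read time, and it
// requires reaching the key service: no key service, no plaintext.
func (k *KeyService) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return openGCM(k.kek, wrapped)
}

// Store performs envelope encryption: encrypt under a per-object data key,
// then keep only the ciphertext and the wrapped key in the cloud.
func Store(ks *KeyService, plaintext []byte) (Record, error) {
	dk, wrapped, err := ks.GenerateDataKey()
	if err != nil {
		return Record{}, err
	}
	data, err := sealGCM(dk, plaintext)
	if err != nil {
		return Record{}, err
	}
	return Record{Data: data, WrappedKey: wrapped}, nil
}

// Retrieve unwraps the data key via the key service, then decrypts the object.
func Retrieve(ks *KeyService, r Record) ([]byte, error) {
	dk, err := ks.UnwrapDataKey(r.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dk, r.Data)
}

func main() {
	ks, _ := NewKeyService()
	rec, _ := Store(ks, []byte("customer PII")) // constructed sample data
	pt, err := Retrieve(ks, rec)
	fmt.Printf("with key service: %q %v\n", pt, err)
	// A copy of the bucket without the real key service (here: a different KEK)
	// yields only an authentication failure.
	other, _ := NewKeyService()
	_, err = Retrieve(other, rec)
	fmt.Println("without key service:", err)
}
```

The separation is the point: an attacker who exfiltrates every Record from the cloud store gets ciphertext and wrapped keys, and both are inert without a call to the key service, which is exactly the call your logging and access policy should be watching.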

Bear in mind that these cloud risk mitigation practices will only be effective if an equally effective security foundation has been implemented and enforced across the organization.