How to Reduce Risk in Cloud Computing

There is no shortage of myths and misconceptions that persist about cloud computing that could impact how an organization actually reduces risk.

Sean Michael Kerner, Contributor

April 11, 2023


Cloud computing is now being used in every type of industry by organizations large and small.

In the earliest days of cloud computing, security was a top concern — and it's still a concern today. As with any form of technology, cloud security is an issue that organizations need to take a proactive approach to stay ahead of risks. For financial services firms in particular, technology investments are often considered in terms of risk. To that end, the U.S. Department of Treasury released a 71-page cloud report in February outlining the opportunities and challenges that face financial sector cloud adoption. The report provides direction that is useful not just for financial services firms, but for any organization using the cloud.

"The recent U.S. Treasury report shines a light on the challenges of engaging with critical third- and fourth-party providers, and the need for strong governance to manage risk and ensure operational resilience," Aly Farooqui, chief risk officer for IBM Cloud for Financial Services, told ITPro Today. "These are important considerations for all regulated industries that need to keep business operations up and running at all times — not only financial services."

The report puts the need to increase operational resilience front and center and is a reminder that minimizing downtime and closing gaps in the supply chain should always be at the top of an organization's priorities, according to Farooqui.


Overall, there is a lot to unpack when it comes to understanding what cloud risk is and what it isn't, as well as best practices for organizations in all industries to consider.

Myths and Misconceptions About Risks in the Cloud

There are a number of common myths and misconceptions about risks in the cloud:

Shared responsibility model. One of the most common misconceptions of risk in cloud computing concerns the shared responsibility model. With the shared responsibility model, the cloud service provider (CSP) is responsible for some things, while users are responsible for others.

Chart: CSP versus customer responsibilities

Misconceptions about the shared responsibility model arise because there is a lack of understanding as to what specifically the consuming organization is responsible for and what the CSP is responsible for, Randy Armknecht, managing director of emerging technologies and global cloud practice leader at global consulting firm Protiviti, told ITPro Today.

For instance, many organizations fall into the trap of not realizing that CSPs determine what their responsibilities are on a service-by-service basis, he noted. With hundreds of services offered, it can be quite the endeavor for a community or regional bank to get a handle on. This leads to missing items in their governance programs, which may not be caught until a risk is realized.


"I've had clients misstep most often on resilience because while the CSP may be available, that doesn't necessitate that the client's workloads will be available," Armknecht said. "The same applies when the CSP has a particular compliance certification and a client misinterprets, thinking that the CSP is responsible for a larger portion of controls than they really are."

Data backup. Another misconception is that all data stored in the cloud is automatically backed up. Tyler Moffitt, senior security analyst at OpenText, told ITPro Today that while cloud providers may provide basic data backup services, financial services firms need to have their own backup and recovery processes in place to ensure that they can quickly recover data in the event of a disaster or attack.

Compliance. There is a misconception that certain types of industries or use cases will not work in the cloud due to regulatory compliance concerns. However, many cloud providers are certified against and follow data privacy and security standards, including the General Data Protection Regulation (GDPR), ISO 27001, and SOC 2, and comply with other regulatory requirements as well, according to Sam Levy, a partner at technology-focused investment bank Drake Star.

Best Practices for Reducing Risk in the Cloud

Understanding the myths and misconceptions about cloud security is a good starting point for better management of risk, though there is more that can and should be done.

So what should IT professionals be doing to reduce risk in the cloud?

Establish controls and monitoring.

The U.S. Department of Treasury report suggests that financial institutions assess cloud services to ensure compliance, security, confidentiality, and safe operations. In addition, the Treasury report notes that financial institutions should "establish a range of internal and external (within the cloud environment) security and resilience controls, configurations, and monitoring for the cloud services."

Develop and test a failover plan.

For any type of industry, Scott Siegel, data and analytics expert at PA Consulting, suggests that organizations ensure data is backed up and can be recovered in case of an unexpected emergency.

Encrypt data, but use open formats.

Data in the cloud should be encrypted, but it shouldn't be locked into a proprietary format that will only run on a single cloud provider. Srujan Akula, CEO and co-founder of The Modern Data Company, suggests that however an organization is operating in the cloud, it's important to make sure the data is in an open format.

"In the chance that you need to egress your data elsewhere, you do not want to be locked in with the current provider," Akula told ITPro Today.

Conduct thorough risk assessments.

It's also critical for organizations to conduct thorough risk assessments using approaches such as the NIST SP 800-30 guide for conducting risk assessments.

According to Protiviti's Armknecht, risk teams need to ask themselves some core questions, such as: Do we have ownership, purpose, and classification defined of all our cloud assets? Do we have visibility into the health and security of each asset? Do we have a recovery plan in place for each asset? Do we understand the shared responsibility matrix of each asset?

"I see these as the foundation to understanding and then reducing risk within your cloud environment," Armknecht said.
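The four questions above, together with the earlier point that CSP responsibilities are defined service by service, can be turned into an inventory audit. The following is an added example, not code from the article or from any of the firms quoted in it; the asset records, tag names, service names and shared-responsibility matrix are constructed for illustration.

```python
"""Audit a cloud asset inventory against four governance questions:
ownership/purpose/classification defined, monitoring in place, recovery
plan in place, and shared-responsibility matrix understood per service."""
from dataclasses import dataclass, field

REQUIRED_TAGS = ("owner", "purpose", "classification")

# Constructed shared-responsibility matrix (hypothetical): for each cloud
# service the organization uses, the controls the customer must cover.
RESPONSIBILITY_MATRIX = {
    "object-storage": {"access-policy", "encryption-keys", "backup"},
    "managed-db": {"access-policy", "backup"},
}

@dataclass
class CloudAsset:
    asset_id: str
    service: str
    tags: dict
    monitored: bool
    recovery_plan: str = ""          # empty string means no plan recorded
    customer_controls: set = field(default_factory=set)

def audit_asset(asset, matrix=RESPONSIBILITY_MATRIX):
    """Return a list of governance findings for one asset (empty = clean)."""
    findings = []
    missing = [t for t in REQUIRED_TAGS if not asset.tags.get(t)]
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    if not asset.monitored:
        findings.append("no health/security monitoring")
    if not asset.recovery_plan:
        findings.append("no recovery plan")
    expected = matrix.get(asset.service)
    if expected is None:  # service used but never mapped: a governance gap
        findings.append(f"no shared-responsibility entry for service '{asset.service}'")
    else:
        uncovered = sorted(expected - asset.customer_controls)
        if uncovered:
            findings.append("customer-side controls not implemented: " + ", ".join(uncovered))
    return findings

def audit_inventory(assets, matrix=RESPONSIBILITY_MATRIX):
    """Map asset_id -> findings, keeping only assets that have findings."""
    return {a.asset_id: f for a in assets if (f := audit_asset(a, matrix))}

# Constructed sample inventory: one clean asset and two with gaps.
SAMPLE_INVENTORY = [
    CloudAsset("bucket-ledger", "object-storage",
               {"owner": "payments", "purpose": "ledger archive", "classification": "confidential"},
               monitored=True, recovery_plan="RP-01",
               customer_controls={"access-policy", "encryption-keys", "backup"}),
    CloudAsset("db-customers", "managed-db", {"owner": "crm", "purpose": "customer records"},
               monitored=True, customer_controls={"access-policy"}),
    CloudAsset("fn-reports", "serverless-functions",
               {"owner": "analytics", "purpose": "nightly reports", "classification": "internal"},
               monitored=False, recovery_plan="RP-07"),
]

if __name__ == "__main__":
    for asset_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(asset_id, "->", "; ".join(findings))
```

In practice the inventory would be fed from the provider's resource listing and tag data rather than hard-coded, and the matrix maintained per service as the article recommends.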

About the Author(s)

Sean Michael Kerner

Contributor

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.

https://www.linkedin.com/in/seanmkerner/
