The cloud: are you sure you have fully assessed the risks?

Published: Tuesday, 09 November 2021 08:46

Cloud usage is becoming increasingly widespread across organizations of all sizes; but at the same time cybercriminals are also paying a lot of attention to the opportunities that cloud offers them. Tony Beveridge highlights some potential cloud risks you may not have thought of…

Are you sleeping easily? Good, then I’ll begin…

So, like most other organizations in the western world, are you moving, or did you recently make the move, to the cloud? After all, everyone’s doing it and the reasons are clear: it’s an opex rather than capex model, paying for what you consume is more economical and you don’t have to worry about owning, running, and maintaining kit and the environment. It makes sense… doesn’t it? Well, apart from a few applications that don’t yet fit too well. But what is the reality of this cloud strategy, or of the more common hybrid of cloud mixed with in-house IT?

First, a little history. Back in the day, compute resource was very expensive, so a more cost-effective solution than owning your own was to rent time on something like an IBM mainframe. We called this ‘bureau computing’, and it was very successful. Of course, back then, access to the computer was really only for a few key internal departments, using point-to-point communications or telephone dial-up links – yes, we really did survive without the instant gratification of immediate access! To help overcome the frailty of the old storage systems, data stored at these bureaus was dumped down to tape on a periodic basis, and it was hoped that we would be able to read the data if needed.

Computing became more and more popular, smaller and, as a result, cheaper, so bureau computing went out of fashion in favour of localised office machines. Machines such as System 36/38s, DEC Vax, AS400s and then the desktop PC. So the bureau business had to withdraw and reinvent itself. Meanwhile, the responsibility for doing backups now fell on the shoulders of the company’s IT department. The trusted tape backup solved this to an extent and, again, we all hoped that we could read the tapes if we needed to.

Some companies periodically conducted a recovery test, and for some companies this worked. But organizations’ reliance on data and IT was growing, a dependence that meant downtime was less tolerable – the very existence of a company might now be threatened if the IT systems were compromised – The Beast was created! Data volumes and processing speed grew almost exponentially and this started to get expensive. How could a company depreciate expensive kit over a time period that meets the financial director’s requirements when it is unlikely to meet the business demands for that long? And the IT department needed to keep asking for more cash to buy another storage system as data was growing so fast. Couple this with the birth of the easy access which the Internet brought and the bureau was reborn. A panacea solution – an opex model with predictable usage costs, so the financial director should be happy and now everyone can have access to the compute capability. What’s not to like? The problem has been outsourced to big players who are now household names, and by the time the various marketing departments had finished with the re-brand, the world was accustomed to the use of the cloud.

The cloud promises to take problems away; look after YOUR data whilst facilitating your access to it and allowing you to manipulate it on cloud internal resources (for agreed charges). You may even be able to get your data back, if you want it. But it is always important to remember that the responsibility for the security of your data remains with you and not the company that you choose to outsource to.

But what of the access medium – the Internet? It’s fast, it’s cost-effective, it’s pretty much available everywhere, and everyone can use it from devices like laptops, mobile phones, heck, even some domestic fridges and kettles. Everyone can have access, if they have the security clearance, right? Wrong! Security is one of the biggest challenges and in some cases this solution’s greatest weakness – if security is compromised then your data, your IT systems, your company’s very existence is at risk. A quick search on the Internet demonstrates that the bad guys, the cybercriminals, are winning the battle to access companies’ data and hold them to ransom. So, is it safer to use the cloud, rather than have your own IT kit on-premise or in a co-location site? Why should it be? The bad guys, who can now be anywhere in the world and may even be rogue-state sponsored, are looking for ways to infiltrate your cloud. As you read this, specialists are drilling down into the very code, the fabric of the services that so many organizations rely on, and whether their aim is to be mischievous, hold companies to ransom or cause national or international outages, they are working on it! This very moment.

So, you need to protect your data and have a plan as to what you do if the household name that you have trusted with your company’s most prized asset is deliberately or accidentally unavailable, encrypted, or destroyed. What do you do? Well, you could pay the cloud provider more money as they say that they can keep another copy of your data somewhere else to add a layer of resilience. That ‘somewhere else’ being on their estate and with the same type of Internet access. Does that help you to sleep easily at night? It might be cheap, it might be easy to just deal with one company and after all, it is a household name that you are trusting with your most valuable asset.

Now, the chances are that you still have some applications that you haven’t quite managed to move to the cloud yet, and that sit in an ageing comms room in your basement or in some third party’s data centre – all this linked to the cloud as the applications have inter-dependencies, and someone in your organization kind of remembers how it works if it should go wrong. You occasionally do a tape backup for this data – yes, remember that solution? Or you can back it up into the same cloud provider – brilliant! Does that help you sleep more easily at night?

Your data is now pretty much with one company, and as for the organizations that you are outsourcing your HR system, payroll systems, CRM systems etc. to? Well, they might well be using that same cloud provider. Gosh, I hope you still manage to sleep well! Of course the experts, the media, the marketing-induced websites tell you that your data is safe, it is resilient, it can be restored and… you can trust them, they are a household name after all.

Of course, you might step back from all this and think, “This is madness”, no one would do that – trust a third party with unknown vulnerabilities with your most important assets? No way! But the reality is, this is exactly what is playing out in most organizations.

Now that you are thinking about it, what are the options? I am not suggesting the cloud is about to completely fail, or that you can’t partially recover if there were a problem. Neither am I saying that you shouldn’t exploit the benefits of outsourcing some of your IT functions to a third party, but what I am saying is, consider the risks and the ‘what ifs’. Is it sensible to allow one company to run your mission-critical IT functions and then rely on that same company to store your only backups, which you might later rely on for them to recover your company, first and above all others? Might it be prudent to have an external, secure, and recoverable copy of your most valuable asset with another, trusted company? Should the worst happen, you will still have your data, your biggest asset.

One final point: I started this with my simplistic view of the evolution of the cloud. One of the advantages of getting older is being able to see the patterns of life, the cyclic nature of things. Cloud is the latest thing, and while many people say that there will be no going back, I believe that IT, like all things in life, is cyclical and at some time companies will move back to a more under-their-control solution, if not an in-house approach. How easy will it be for you to get your company’s most valuable asset out of your chosen cloud provider, to move to something else or somewhere else, of your choice? Certainly, having an external copy of your data, which provides far greater resilience, also provides you with future freedoms of choice on the next stage of your company’s evolution.

Sleep well.

The author

Tony Beveridge is a business continuity account director at Daisy. He started his working life as a telecommunications technician but has spent the last 35 years specialising in all aspects of business continuity, helping the industry grow from its roots, very firmly set in mainframe IT recovery, to its current position where it is seen by many as a critical part of an organization’s wellbeing and compliance. He has worked with companies around the world helping them ensure that their critical business functions can continue, if something untoward should happen to them or those that they depend on.