{"id":2395,"date":"2018-05-31T18:01:13","date_gmt":"2018-05-31T11:01:13","guid":{"rendered":"http:\/\/54.151.235.32\/?p=2395"},"modified":"2024-12-05T14:07:56","modified_gmt":"2024-12-05T07:07:56","slug":"7-risk-mitigation-strategies-for-the-cloud","status":"publish","type":"post","link":"https:\/\/renovacloud.com\/en\/7-risk-mitigation-strategies-for-the-cloud\/","title":{"rendered":"7 Risk Mitigation Strategies For The Cloud"},"content":{"rendered":"<p><strong>Cloud services \u2014 and the risks associated with them \u2014 will only become more critical over time. Here\u2019s how to manage those risks without missing out on the benefits of the cloud.<\/strong><\/p>\n<p>Cloud services are here to stay, and they are taking over more enterprise functions every year. Where once cloud services were limited to simple storage or contact management, core functions like\u00a0<a href=\"https:\/\/www.cio.com\/article\/3221349\/enterprise-resource-planning\/cloud-erp-the-rising-alternative-to-hosting-your-own.html\" rel=\"noopener\">ERP have now moved to the cloud<\/a>. And with a broad array of essential services increasingly shifting to the cloud, IT leaders must keep an eye on the risks inherent in today\u2019s cloud environment and take preventative steps to mitigate them.<\/p>\n<p>Here\u2019s a look at what your organization should do to assess and mitigate the risks of cloud computing.<\/p>\n<h2>Assess Your Appetite For Risk In The Cloud<\/h2>\n<p>In the banking industry, it is common to set a risk appetite to guide organizational decisions. For example, a conservative risk appetite would lead one to decline lucrative but highly uncertain loans. A more \u201cbleeding edge\u201d risk appetite may deliver higher returns during booms. The downside? Your bank may take massive hits during the next crisis.<\/p>\n<p>From an IT management perspective, your risk appetite will inform your due diligence, ongoing monitoring and willingness to invest in reducing risk. 
For example, you may set up a tiered approach to risk mitigation to make the best use of your limited resources. The risk of a \u201cTier 1\u201d cloud service failing may be reduced through staffing (e.g., having a dedicated relationship manager), regular testing and paying for top-tier vendor support.<\/p>\n<h2>Revisit Your Cloud Usage Culture<\/h2>\n<p>Cloud providers like to emphasize ease of use and flexibility. And once organizations experience the ease of the cloud, few have the desire to go back to maintaining their own legacy infrastructure. But a casual attitude toward cloud services may lead employees to take foolish risks.<\/p>\n<p>\u201cCloud services often encourage \u2018casual use\u2019 of data; \u2018I can collect, search and store anything just about anywhere\u2019 is the hook,\u201d says John Hodges, vice president of product strategy for AvePoint. \u201cWe often see this in systems like Box, DropBox or OneDrive, where there is a real mixed-use danger in how content is stored and shared.\u201d The simple solution? Prohibit services where mixed-use is likely to be a problem.<\/p>\n<p>Banning higher-risk cloud services helps, but it does not eliminate the problem entirely. \u201cWith corporate-provided accounts such as Slack channels or Microsoft Teams or other systems, users always take the route that is most convenient for sharing data. That behavior may not align with records retention policies or restrictions on data sharing,\u201d explains Hodges. 
Inconsistent application of record retention policies may cause headaches if your company is subject to litigation or a similar investigation.<\/p>\n<h2>Use Zero Trust Models To Reduce Risk<\/h2>\n<p>Zero trust is an IT security strategy wherein an organization requires every user, system or device inside or outside its perimeter to be verified and validated before connecting to its systems. How can you use a zero trust model to mitigate cloud risk? For Insurity, an organization that specializes in property and casualty insurance services and software, a zero trust approach means restricting access tightly.<\/p>\n<p>\u201cWe provide logical access to the minimum set of users with a minimum set of rights and privileges in line with job function requirements. This control is audited internally by our Enterprise Security team and externally as part of our annual SOC audit,\u201d says Jonathan Victor, CIO of Insurity.<\/p>\n<p>Regularly examine user access levels and ask yourself whether they make sense. Do you need dozens of users with administrative access? Each super user adds additional risk.<\/p>\n<h2>Learn From IT Failures In The News<\/h2>\n<p>Taking time to study industry news for cloud-related failures will help you mitigate your cloud risk. The complex and evolving nature of cloud use in today\u2019s enterprise means there\u2019s always something to learn from high-profile incidents gone wrong.<\/p>\n<p>\u201cOur focus is on the loss of data, so we see important lessons in incidents like the Meraki data loss in August of 2017, when on-premises systems failed to back up data to the cloud service as it was designed to do,\u201d says Rich Petersen, co-founder and president of JetStream Software.<\/p>\n<p>Cisco admitted that a cloud configuration error caused data loss and lost productivity. 
As\u00a0<a href=\"https:\/\/www.theregister.co.uk\/2017\/08\/06\/cisco_meraki_data_loss\/\" rel=\"nofollow noopener\">The Register<\/a>\u00a0reported, \u201cthe incident is a huge mess for Cisco, because Meraki&#8217;s sold on the basis that its supporting cloud service removes much of the grunt work required to run networks and voice systems. That Meraki&#8217;s team made such a substantial mistake \u2014 and seemingly lacked data protection tools to cover such an eventuality \u2014 is a very big black mark on its reputation.\u201d<\/p>\n<h2>Rethink Your Mix Of Manual Vs. Automated Cloud Management Strategies<\/h2>\n<p>Automation, virtual assistants and data crunching can help companies not only sell more products but manage their cloud services as well. For Barracuda Networks, the scale of manual security work has come down significantly since it began automating processes for the cloud.<\/p>\n<p>\u201cWe have abandoned performing manual security checks and moved to automated scans because increasing and continuous threats require 24x7x365 vigilance to ensure system integrity, data protection and compliance control requirements,\u201d says Greg Arnette, director of data protection platform strategy at Barracuda Networks.<\/p>\n<p>The drive to automate has significant limits, however, when it comes to mitigating cloud risks. After all, you can\u2019t automate a risk assessment of a cloud provider. But if you use more automated tools to detect problems and standardize configuration in the cloud, you can focus more staff time on complex issues such as training and managing your relationships with cloud providers.<\/p>\n<h2>Push For Audit Rights For Your Most Sensitive Suppliers<\/h2>\n<p>Whether you have the right to audit your cloud suppliers is a hot topic. If your contracts and agreements lack this provision, your hands may be tied if there is an incident. 
On the other hand, large cloud providers are pushing back on these requirements.<\/p>\n<p>\u201cRegarding audits, many cloud companies are pushing back on organizations and not allowing them audit rights to audit their data centers and their processes, procedures and security measures,\u201d says Ted Rogers, project execution advisory practice leader at UpperEdge. \u201cWhy? They are hesitant to have a third party show up and conduct an audit. Instead, the vendor says that they are compliant, or they say not to be worried about it because if they do not do it, they will be in trouble for other reasons under the contract such as a breach event.\u201d<\/p>\n<p>One solution is to critically assess the audit methodology developed by the cloud provider. Rogers suggests the following alternative: \u201cGet access to the cloud provider\u2019s audit documentation. Specifically, look for if they have made updates in light of Facebook\u2019s difficulties with data privacy. Some of these cloud providers say they are just a data processor.\u00a0 They claim they do not touch the data and don\u2019t give it away.\u201d That just begs the question: how do you know whether the provider is following their word?<\/p>\n<p>If a cloud provider is resistant to giving your company audit rights, there are still ways to mitigate this risk. You can request more robust reporting and emphasize leading risk indicators. You can also ask your internal audit department to provide input during contract discussions.<\/p>\n<h2>Rethink Avoidance As A Risk Mitigation Strategy<\/h2>\n<p>Lastly, hacking and security are not the only risks to consider. There is also the risk of being left behind.<\/p>\n<p>\u201cA significant business risk for some of our less mature clients is not pursuing cloud transformation and services aggressively enough. The cloud is not just a new technology \u2014 it has changed the business and operating paradigm for many industries. 
It is about transforming the business to become more agile and competitive,\u201d says Tony Buffomante, U.S. Leader of KPMG\u2019s Cyber Security Services.<\/p>\n<p>Moreover, few organizations have the budget or inclination to build data centers and develop all their software and infrastructure on premises. In fact, companies with a smaller IT capability may benefit from the risk management capabilities of large cloud providers.<\/p>\n<p>\u201cIn our experience, the ability for large-scale cloud providers like Amazon, Microsoft and Google to provide secure IT environments dwarfs that of on-premises or custom data center configurations. We believe strongly that shunning the cloud would introduce significant risk to our business,\u201d says Keith Cerny, chief technology officer at ACL. \u201cOur direct experience has been that a well-architected cloud environment addresses our security, privacy and availability requirements at a level we could not achieve through any other means. In 2016 when we moved our headquarters to a new location, we realized the major benefit of experiencing no business downtime. Our employees were able to work remotely using our cloud services, making it a seamless transition.\u201d<\/p>\n<p><span style=\"color: #808080;\"><em><span class=\"by\">By\u00a0<\/span><span class=\"fn\"><a style=\"color: #808080;\" href=\"https:\/\/www.cio.com\/author\/Bruce-Harpham\/\" rel=\"author noopener\">Bruce Harpham<\/a><\/span><\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloud services \u2014 and the risks associated with them \u2014 will only become more critical over time. Here\u2019s how to manage those risks without missing out on the benefits of the cloud. Cloud services are here to stay, and they are taking over more enterprise functions every year. 
Where once cloud services were limited to [&#8230;]\n","protected":false},"author":7,"featured_media":2394,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[83,84],"class_list":["post-2395","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","tag-cloud-migration","tag-risk-mitigation"],"_links":{"self":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/2395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/comments?post=2395"}],"version-history":[{"count":2,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/2395\/revisions"}],"predecessor-version":[{"id":27411,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/posts\/2395\/revisions\/27411"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/media\/2394"}],"wp:attachment":[{"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/media?parent=2395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/categories?post=2395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/renovacloud.com\/en\/wp-json\/wp\/v2\/tags?post=2395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}