While references to “the cloud” and “cloud computing” are significantly more familiar than they were five years ago, it remains clear that many organizations implement cloud resources ineffectively – or at least do not understand the implications of the shift. Some all-too-common lines of thinking:
- We’ve moved our applications to our cloud provider – what does that have to do with our software development life cycle?;
- Our cloud-platform provider is responsible for securing our applications and data; or
- We’ve outsourced that – and all the associated risk and liability.
So, what are you to do when reviewing current cloud strategy? Because you do have one…right?
Cloud Native or Not
There are many ways to engage a cloud provider, ranging from Microsoft’s Office 365 to Amazon’s Platform as a Service solutions. Even among platform services, these range from a private cloud, to hybrid, to use of a public cloud. Earlier this year, Transparency Market Research reported that the market for managed cloud services alone (e.g., managed mobility or managed security) would reach $86.4 billion by 2022.
For those modifying internal applications for hosting on a cloud platform, effective use of the cloud’s elasticity really means a reconsideration of software development. Bernard Golden is the VP of Cloud Strategy at Capital One and a thought leader in the cloud-computing space. “What you need to really take advantage of cloud computing is a complete rethink of your approach to IT,” opines Golden. Do not “treat cloud computing like a data center at the end of the wire.” Golden believes that to take full advantage of a cloud platform’s power, organizations need to revise their approach to the software development life cycle.
This means that the IT team becomes more integrated with the business teams to understand application requirements, and the development and deployment approaches presume errors, functionality changes, and adaptable resources. You can still modify a legacy application to sit atop a cloud platform, but without other organizational change you probably won’t get the benefit you could.
Our Cloud Provider Secures Our Data and Applications
Maybe, but probably not. An organization should leverage the teamwork that Golden espouses and ensure that “the organization,” and not simply the IT team, understands who is doing what with any cloud solution. The below image from Microsoft’s develop blog demonstrates how, even with Software as a Service, there remain important security and operational roles for the client.
The implications here are legal and financial, as well as technological. In a recent interview discussing cybersecurity risks in 2019, Deloitte’s chief of risk and financial advisory practice highlighted the importance of managing the extended (read: outsourced and cloud) enterprise, involving leadership and integrating IT security with business risk management. Whether the applications are oriented internally or externally, an organization risks revenue, reputation, and expense when security incidents occur.
For example, it is not uncommon for a cloud customer to experience a data breach of their SaaS application, not because the cloud provider did anything wrong, but because a customer employee’s laptop was hacked, providing valid user credentials to the thief. The resulting incident – and often, breach – reporting responsibilities demonstrate how important it is for legal and finance and audit to all be a part of the vendor selection, ensuring both proper security controls on the customer side and appropriate training for employees using the system.
And as we’ve discussed before, the C-suite is at risk if the incident is bad enough.
We Outsourced That – They Hold The Bag
Organizations have varied reasons for outsourcing information technology functions to third parties. Unfortunately, significant risks associated with outsourcing those functions are often overlooked. These include business continuity, cybersecurity and data privacy, intellectual property loss, and un-transferred litigation risks. At the broadest level, lack of oversight and management controls create most risks associated with outsourcing. All of these risks implicate the broader topic of compliance, and when key functions are outsourced, it becomes increasingly difficult to manage risk and monitor compliance.
Virtually all cloud and outsourcing transactions involve written agreements that contain risk-balancing and risk-shifting provisions. However, very few organizations have the size and clout to truly negotiate risk-shifting provisions with a cloud provider the size of an IBM, Amazon, or Google. Complicating this is the fact that regulatory schemes around the world – whether they touch financial services, healthcare, or personal data – generally insist that an organization engaging a service provider be fundamentally responsible for how that provider performs.
Although it is possible to negotiate indemnities to cover certain losses, an organization’s reputation – with consumers and regulators – remains valuable and potentially ephemeral. Consistent with President Truman’s desk sign of “The Buck Stops Here,” an organization can mitigate a certain degree of financial risk, but in most circumstances, skeptical third parties will look to how the firm managed the outsourcing activities.
In the end, whether you accept Golden’s perspective that effective adoption of cloud resources means a revamping of how you develop and manage applications, it remains critical to understand what cloud providers typically are not. They typically are not responsible for securing the entire software stack. They typically are not solely to blame when there has been a security incident. And they typically will not be the liability shield you imagine because they are, in reality, simply your service provider.