Shifting business to the cloud has its appeals. Platforms like Microsoft Azure, Amazon Web Services, and Google Cloud Platform offer economies of scale, enhanced security, and access to newer technologies like artificial intelligence and machine learning, capabilities smaller organizations might not have the resources to develop in-house. Much of the hype around the cloud revolves around these advantages, but there are disadvantages, too.
A panel of cybersecurity experts, joined by a chief compliance officer in the financial services industry, discussed the risks and opportunities associated with moving to the cloud at Compliance Week’s virtual Cyber Risk & Data Privacy Summit. Despite being users and proponents of the cloud, the panelists listed far more cons—or rather, caveats—than pros.
Outsourcing trust to a third party raises obvious security and privacy risks, especially when managed service providers are a known target for state-sponsored attackers, as seen with Chinese hacker group APT10. That’s just to start.
The known benefits of the cloud can devolve into detriments if an organization is not scrupulous about asking the right questions, knowing the threat vectors, and establishing appropriate controls before executing on the move, the experts warned.
Companies considering a cloud shift should heed the following advice before acting.
SaaS: Software as a service is on-demand access to ready-to-use, cloud-hosted application software.
PaaS: Platform as a service is on-demand access to a complete, ready-to-use, cloud-hosted platform for developing, running, maintaining, and managing applications.
IaaS: Infrastructure as a service is on-demand access to cloud-hosted physical and virtual servers, storage, and networking—the backend IT infrastructure for running applications and workloads in the cloud.
On-prem: ‘On-premises’ refers to hardware and software applications deployed in-house, within an enterprise’s own IT infrastructure.
The cloud is not a Band-Aid for poor cyber hygiene. “A lot of organizations believe when they shift to the cloud, they’re going to be more secure. I don’t necessarily agree,” said Greg Wendt, executive director of security solutions at Pathlock. “When you look at what you do today, you’re probably going to continue to do the same thing tomorrow.
“If you consider the pendulum of how secure or how robust you are on the security scale—if you’re way over on the not-very-secure side, not doing a lot of the advanced techniques, you’re probably not going to do a lot of them in the cloud either. … You’re probably going to make the same mistakes when you go into PaaS and IaaS.”
Ed Vasko, director of Boise State University’s Institute for Pervasive Cybersecurity, agreed.
“If the intent is to simply lift and shift existing on-prem, collocated infrastructure and architecture into a cloud-oriented environment, then you’re likely going to find yourself not just duplicating the good but duplicating the bad of your own environment,” he said.
SaaS environments are not customizable when it comes to security. Cloud platforms build their own architectures and specific sets of capabilities—take it or leave it.
“For many companies, that’s exactly what they’re looking for: a set-it-and-forget-it type of thing,” said Bill Tolson, compliance and e-discovery expert at Archive360. “That’s what they’re paying for; they don’t want to have to worry about it. But these days and in this environment, especially around security, [chief information security officers] may want to dial up additional security capabilities. … But can they do it?”
Beware vendor lock-in with cloud providers, where organizations are stuck paying exorbitant costs to extract their own data from the cloud.
Sometimes a vendor will convert a customer’s data to enhance storage capabilities, then charge the customer a fee per gigabyte to reconvert it. A cloud provider might also “throttle the data,” Tolson said, where the provider “dials down the extraction rate, meaning it only allows 10 gigabytes a day to come out. So, you’re looking at three years to get your data out, and that whole time you’re still paying them for the data. That does happen.”
Adversaries can leverage cloud capabilities too, Vasko said, admitting it was his biggest cloud concern.
“Our enemies from a cyber nation state … as well as from a cybercriminal organization state can leverage these same services and oftentimes do,” he said. “So, the same ability to scale, to present service activation and deactivation, to move and transition among different types of available platforms … allow for our adversaries to essentially start spinning up and tearing down services in a way that certainly makes it much harder than the traditional Whac-A-Mole that we’ve had for the past 40-plus years in cyber.”
Be cognizant of the potential for exploitation from within organizations, Vasko added. Different divisions, units, and teams within an organization might sidestep the enterprise information technology team and unilaterally sign up for a SaaS offering to meet certain corporate goals. To sign up, they simply upload a client list.
“That entire creation of effective shadow IT repositories and shadow IT environments is certainly a very large-scale issue and one I think organizations [will become aware of] as they begin the process of really examining what their cloud footprint looks like,” Vasko said.
Ready, set, shift
Mario Chilin, chief compliance officer of EP Wealth Advisors, recently witnessed his organization transition from on-prem to the cloud and was able to echo a lot of the advice put forth by his co-panelists. Companies set on shifting to the cloud should understand the regulations and expectations of the industry in which they operate and conduct a risk assessment of their business and organization before pulling the trigger, he said.
“What is the goal in relation to potentially moving to the cloud? If you’re transitioning from an on-premises environment to a hybrid or fully cloud environment, understand the pros and cons of each,” Chilin said.
Vasko and Wendt advised audience members to follow the foundational tenet of cyber and information security: trust but verify. Do your due diligence both internally and externally before committing to a cloud provider.
“Don’t move at a pace that’s unreasonable. You may be thinking you’re doing something that’s in the best interests of the organization when in reality it could set you up for exposure in the absence of appropriate controls,” Chilin warned.
Like the cyber experts, Chilin advised against getting caught up in the hype. Even though it might seem most technical platforms are moving to the cloud, it doesn’t necessarily mean it works for everyone, he said.
“The cloud is not a silver bullet. My big point is, typically, be pragmatic about what the cloud is first and foremost; it’s not some sort of thing that’s going to take care of all your problems. It has its own set of threat vectors,” said Vasko.