Member Article

Public cloud computing: Why business leaders need to understand potential risks before making the shift to cloud

Tom Moore, Business Development Director, Acronyms

As with anything that involves transferring data to a third party there are inevitably risks involved.

Firstly, it can limit your control over the data. With data residing with a third party it is ultimately under their control. For example, this means it could be hard if not impossible to enforce your own security policies, and you may have to change them to reflect the third party you’re using. International service providers are not going to change their global policies for you.

Although many public cloud providers are well known and trusted brands, this doesn’t mean that they won’t or can’t fail. If there is a failure, then you have no control over when an issue is fixed, and you are reliant on others to get you back up and running. The move to the public cloud means you are essentially saying to the provider “I trust that you’re better at this than I am.”

Data ownership can also be an additional complication with some contracts changing the ownership of the data from you to the provider. Contracts also mean that you are often charged for everything you do. If you accidentally leave an old server on or temporarily expand your storage and forget, you’ll get billed; these mistakes can be costly. Also contracts and billing can change. If you are tied in with most of your data stored with the provider, you have little choice but to accept or go through the often-massive hassle of moving the data.

Finally, whilst security is often improved when compared to on-prem servers, public cloud providers offer cyber criminals a very tempting target. The amount of data held, across many companies, means one exploit may reward cybercriminals with a particularly large return in comparison to others. Also, you must consider that not all attacks are financially motivated. By disrupting a large international organisation, a cyberattack may be designed to make a political or social statement, that inadvertently implicates your organisation as a user of that platform.

What must business leaders be aware of before making that shift?

The key is to have a strategy and a plan. During the last couple of years, the move to the cloud has allowed many companies to continuing trading despite the uncertainty and confusion surrounding the pandemic and new working practices. As a result, there is an increased confidence in cloud and whilst this is encouraging it has led to blasé attitude from some.

It should not be an all or nothing approach. Public cloud has many benefits, but it isn’t always the best fit. Business leaders need to fully explore why they are moving to the public cloud and why it is their best option.

Essentially, like any investment or business change, there has to be a strong business case put forward. What are the benefits? Why are you doing it? The business case also needs to take into consideration the potentially large amount of disruption that shifting to the public cloud will cause. Highlighting what you are getting in return and ensuring that it makes it a worthwhile project is critical.

Other considerations business leaders need to consider might include: Is it more beneficial to include physical IT infrastructure as an asset on the company balance sheet? This isn’t a possibility with public cloud, where you don’t own the asset.

• Does your software work on the public cloud? Will it have any impact on the services you rely upon daily? • Are you able to move easily to the cloud, or will it cause issues that outstrip the benefits? It can always be done incrementally. It’s best to consult an IT expert when considering this. • Do you have the skill set or budget to pay for those with the skills required to manage your estate in the public cloud? • What is the plan if something goes wrong? What’s the contingency plan?

How do businesses balance the convenience of public cloud computing with the need to maintain integrity and security of sensitive company data?

Again, going into the relationship with the public cloud provider with your eyes open is critical. Like the start to any new business relationship, ensure you read in-depth the T&Cs and get expert interpretation; who owns the data, does this comply with local laws and specific regulations that you must adhere to? The new confidence in cloud has to be tempered with a sensible approach.

It does not have to be an all or nothing approach either. Splitting your data on sensitivity is a sensible and effective route some are taking. Using the public cloud for less sensitive data, whilst keeping more valuable data in your on-premises server allows you to test the system without risking as much. This hybrid approach also tends to be more cost effective and easier to achieve.

A hybrid approach does not just mean data split between cloud and on-prem. It might be worth considering splitting the data between two different types of public cloud, based on the varying sensitivity levels and/or regulatory requirements.

Security always has to be your number one priority, over and above cost and convenience. You may wish to seek advice from independent third parties who can offer opinion and advice on the services being offered and their security credentials. What safeguarding strategies should businesses implement before making the move to public cloud?

A data audit is an important first step. It allows you to gain a full overview of exactly what data you hold. This process will also allow you to identify the highly sensitive data too.

Ensure that the devices that are connecting to the public cloud are secure. Make sure that you are not the one granting access to malicious third parties. Throughout the last couple of years, a number of successful and high-profile cyber-attacks have originated in the supply chain or third party.

The key is that this is not a ‘keeping up with the Jones’“ scenario. What is right for one will almost not be certainly be right for another. Do not just move to the cloud because it is a buzzword. It should be treated as any other critical business decision. Make sure that there is a business case. Sometimes keeping things simple is the best approach and managing it yourself could be that option as you’re not reliant upon a third party.

This should be a given anyway, but make sure that you have a robust back up and disaster recovery process in place. As with any project work through the risks and mitigate where you can.

Is there a type of data that is too sensitive to be stored on the cloud? Not as such. It’s more a matter of how much protection you can afford to put in place and/or live with. On prem/hybrid/cloud approaches aren’t necessarily more or less secure than each other, it is the measures you have in place that dictate security and how it is used.

There is no 100 percent secure approach to data. Cyber criminals are increasing sophisticated in their approach and we have seen some extraordinarily high-profile successful attacks against organisations. For most businesses it is about finding the right balance of cost/convenience and security, based on the data you hold and how sensitive it is.

This was posted in Bdaily's Members' News section by Anna Boyce .