A growing number of companies use cloud platforms to build, deploy, maintain and scale solutions more quickly and efficiently. Cloud platforms deliver this speed and efficiency by providing centralized security, services, support and other features.
These centralized features, and the volume discounts that most cloud providers offer, have drawn many companies to concentrate all their solutions onto one full-service platform.
However, concentrating your business on one cloud platform can create risks.
Your business becomes locked into the tech stack of a single provider — and cloud platforms, solutions and the associated risks can change rapidly.
“Cloud platforms add a level of complexity that is different from what we've seen in the past,” said Grant Thornton Internal Audit Cybersecurity Practice Managing Director Vikrant Rai. “The only constant here is rapid change, and that impacts how we take our solutions to market.” To manage this change, companies need to continually train employees and collaborate with vendors. New changes can put a strain on existing controls.
If these quick and complex changes are made incorrectly or misconfigured, cloud platforms can be subject to outages, malicious attacks, ransomware and other issues. If all your solutions depend on one cloud platform, any one of those threats could be an existential threat to your business.
The emergence of these risks led regulators in the UK and the European Union to implement broad requirements: the EU's Digital Operational Resilience Act (DORA), and in the UK, PRA/FCA supervisory oversight including PRA SS2/21 on Outsourcing and Third-Party Risk Management. Within the U.S., the current guidance is more specific — like the recently released NIST Cybersecurity Framework Version 2.0, with its focus on technology, infrastructure resilience and the cybersecurity supply chain.
To enable regulatory compliance and to protect your data, consider a risk mitigation strategy with a focus on operational resilience.
A three-part resilience strategy
Today’s emerging risks should be met with an operational resilience strategy. In a recent Grant Thornton webinar on cloud concentration risks, a poll showed that just over half of the attendees felt that their organization needed some help with this strategy.
Your strategy can combine several approaches. One approach is simply to choose more than one cloud provider, but this introduces other concerns. “Managing multiple cloud service providers could get a little bit risky, but it does allow you to be fully in charge of creating your environment in a way that is based on your operations and your needs,” said Grant Thornton Internal Audit Cybersecurity Practice Manager Alex Hinkebein. Your organization’s unique needs and operations processes should define your operational resilience strategy.
1. Identify your needs
Security “of” the cloud is largely determined by the provider and the underlying deployment model, but customers retain responsibility for several categories of security “in” the cloud. It’s important to look at your business holistically, but a few categories represent a significant portion of the risk:
- Identity and Access Management: Review access controls for human and non-human accounts, service accounts, privileged users, and ghost accounts or administrator accounts, since account servicing (such as removing accounts that are no longer needed) is often not timely in a complex environment.
- Application Security: Increased scalability enables faster development cycles, and organizations remain responsible for secure application development processes that keep pace with them.
- Data Security: The complexity of the cloud environment increases the fluidity of data flow within it, so security controls need to be designed with a data-first approach.
“To develop a heterogeneous strategy, you need to intimately understand your operations and applications,” Hinkebein said. “That way, you understand what type of critical applications and services need to be protected to improve operational resiliency for your business needs.”
2. Find the exit
If you need to consider an alternative cloud provider, you’ll need a cloud exit strategy. Define a shared responsibility model to help identify who needs to do what across key areas like:
- Networking
- Storage
- Servers
- Virtualization
- O/S
- Middleware
- Runtime
- Data
- Applications
- Access Management
Who performs these functions now, and who will perform them if you have to exit a cloud provider? You might need to work with a secondary cloud service provider. You might need to develop some of those capabilities internally, which can lead to dependencies, requirements, training and costs. “Your exit strategy is driven by your business model, performance impact, budget, regulatory requirements and information security risks,” said Grant Thornton Risk Advisory Director Gary McPartland.
3. Plan for continuity
Consider the risks of cloud concentration as you review your business continuity and disaster recovery plans. Ask: What are our critical processes? What are the downstream effects of any disruption of those processes, by outages or transitions? How should they be updated? Do the people responsible for taking action in such scenarios know what is required of them?
Governance, controls and testing
Engage your cloud partners in a robust discussion that starts with a high-level shared understanding of responsibilities, then explore details and include operational personnel. How do the cloud provider’s requirements line up with your expectations? Are there preventable risks? Where is your data, at the application level? What data is essential? According to your best organizational and industry intelligence, what are the likely threats to your data? While you can’t plan for every risk, you should be as thorough as possible in identifying risks, including those of working with customers and suppliers.
Your discussions will help you make informed governance decisions. Any governance should emphasize transparency, communication and accountability. It should also specify key roles and responsibilities. Your governance decisions should, in turn, inform your policies, requirements and other recommendations.
Once you have a deep understanding of your data and have clarified governance, you need to work with your internal audit team to create, implement and validate the sustainability of controls. Rai cautioned that, “we are seeing that data breaches continue to happen, despite investment in cloud and cybersecurity controls. The reason is simple: Controls are being implemented without fully understanding the data environment. However, you have a good starting point if you take a data-first approach — identify assets that process or store sensitive or critical information you must protect.” By looking closely at your data structures and data environment, you can identify sensitive data stores, implement data protection controls around them, and tune those controls for the cloud environment.
Once your cloud governance and data protection controls are in place, you can run adversary simulations and penetration testing to verify that you’ve achieved the intended level of cyber resilience. Continue to review your cloud resilience and make any necessary updates as your business evolves and continuous reporting reveals new insights. Collaborate with your cloud partner as they release new features or enhanced services.
Specialized insight
Throughout all this work, your secret weapon can be a proactive, consultative internal audit function. In addition to its traditional focus on improving governance and ensuring compliance, internal audit can provide a valuable perspective on cloud infrastructure issues like data encryption, data management and network security.
Internal audit can also examine and fortify your approach to identity and access management, application security and data security. When data or intellectual property is vulnerable, internal audit’s specialized insight into risk management can help you manage the risks.
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.