“If you fail to take responsibility for the control design and monitoring required in conjunction with your Cloud service software, you may face a cyber-attack. Your clients will blame you – no one else.”
~ Cheri Hotman
What is “The Cloud”?
We’ve all heard of ‘The Cloud’, but even its name is elusive. Details such as who should use it, how much it can be trusted, and what it entails seem ambiguous. However, at its baseline, the Cloud is shared infrastructure and applications (think SaaS: Software As A Service). It is designed to speed up and expand what a business can do, in a space that’s secure and accessible from anywhere.
Amazing, right? Right! This means that a user could access the data and tools necessary to run their business from just about anywhere. Does anyone else hear Hawaii calling their name?
Jokes aside, we need to take a step back to answer some of the most common questions I receive about using Cloud infrastructure. They point to key aspects of the Cloud that relate to cybersecurity responsibilities, and those need to be covered before we go running off to the tropics.
Is this good or bad?
I’m constantly asked whether the Cloud should even be used by companies from a data protection and security standpoint. Unfortunately, like Cloud services themselves, the answer to this is slightly elusive. ‘Good’ and ‘bad’ are merely relative terms here. Whether or not you utilize Cloud capabilities, there will still be room for error and essential monitoring responsibilities involved. I’m going to share what’s most important to understand when deciding to integrate Cloud services into your business’ technological scope.
It seems there’s a new Cloud service available every day, but Azure and AWS (Amazon Web Services) are the two most commonly used services. Each of these companies offers different packages at different price points, ensuring there’s something available to suit every user’s needs. I’ll be referring to these throughout as general references.
The most crucial thing to be aware of when learning about Cloud services is shared responsibility.
I cannot stress this enough. You absolutely will NOT be able to buy into Cloud services at ANY package level and think that’ll allow you to be “hands-off”. You may decide to implement a package that has system management included. However, it’s still your responsibility to ensure that your company’s controls are consistently and adequately managed with your Cloud service. No matter how big the company you partner with, cybersecurity breaches are and will always be a reality. If you aren’t actively monitoring your controls, there could be a breach within the company’s software. You’re going to lose some serious brownie points with your clients – or lose them entirely.
Think of it this way. Say you own an apartment complex and lease out individual units. Who’s going to be held responsible in the event the security system stops working and multiple people are robbed? Will it be the tenants or you the complex owner? If you chose ‘the complex owner’, congratulations! You may also think, “but wait, shouldn’t the company who installed and manages the security system be held responsible?” While understandable, the question fails to recognize the responsibility of the building owner. It is their duty to conduct routine maintenance and perform regular inspections for all parts of the building. If you try to tell the wronged tenants it isn’t your fault, then it probably won’t play out well.
It’s the same gist here. If you don’t take responsibility for the control design and monitoring required with your Cloud service software, you may face a cyber-attack. Your clients will blame you – no one else. You’re doing a huge disservice to the data entrusted to you if you aren’t doing your due diligence. Clients deserve the assurance that you’ve done your part in security upkeep.
Complementary User Entity Controls
Be aware of CUEC: Complementary User Entity Controls. This is a section of a SOC 2 audit report that lists the controls your company is expected to operate in conjunction with your Cloud provider’s controls. Cloud is shared infrastructure, and therefore shared responsibility. SOC 2 audits include this information. Cloud service companies like AWS and Azure expect you to have your own security controls in place. They expect the appropriate practices, handling, monitoring, and policies. Not an exhaustive list, but examples of processes you still need to manage could include:
- patch management
- change management
- business continuity
- asset identification
- risk analysis
- access control
Okay, deep breath. Now let’s look at why you should choose to jump into the Cloud!
Moving to the Cloud
Cloud services are simply services or infrastructure you’re outsourcing under the umbrella of your own programs and processes. Moving to the Cloud is a great idea as long as you know this. It allows experts of infrastructure and software to focus on what they excel at, leaving you with less to manage. Moreover, some packages come with system management, which means even less time worrying that the system is running effectively. Those systems come with a higher price tag, but they end up saving your company money by saving valuable time.
Leverage new technology and state-of-the-art programs. It’s easier than creating your own, less effective software, or purchasing high-price-tag assets to maintain. Save that for large companies with countless experts working nonstop to create the best software and infrastructure possible. Not only will it save you time, money and hassle, but it will ensure you work with optimal systems and advanced technology. Let’s face it – we can’t all be developers or server experts!
Choosing Where to Work
Getting back to what is my favorite point about the Cloud: you get to take your work anywhere you want. Don’t feel like changing out of your pajamas and going into the office? No problem. Craving a change in scenery but can’t abandon all responsibility? Not to worry: your data is secure (as long as you’re doing your part, too!) and easily transportable. The list here goes on and on. Life happens. Kids get sick, WiFi at the office crashes, or a global pandemic can make it impossible to be around other people for a time. Whatever the case, the Cloud has your back, and your business.
So yes, use Cloud infrastructure and applications! You’re still responsible for the Cloud content and data and for controls in place that keep it safe and secure. As long as you treat Cloud services as you would treat any other function of your company you will benefit. You should always manage and own your Cloud services as part of a holistic enterprise control environment.
About the Author:
Cheri Hotman is an enthusiastic, passionate professional. Her drive to succeed began when she graduated with an MBA from the University of Texas at Dallas. Cheri has a track record that includes a career in banking, financial services and consulting. She was also Vice President in the Tech/IT space. You’d think her tenacity would have faltered, and you’d be wrong. Cheri is a CPA, now holds her CISSP (cybersecurity certification), and has launched her own cybersecurity, risk, and compliance practitioner company. If you need a cybersecurity expert, or even just some inspiration, connect with her through www.hotmangroup.com, or via LinkedIn at www.linkedin.com/in/cherihotman.