Cloud technology is becoming the infrastructure of the next generation of commerce. Enterprise spending on cloud-based infrastructure is expected to surpass in-house technology investments by 2022, by some estimates. For many organizations, a cloud strategy is a well-considered move that brings the promise of improved operational efficiency and lower costs — but it also poses new risks not considered previously.
Cloud risks are similar, in many ways, to the risks of traditional data infrastructure: loss of data (both sensitive customer information and company intellectual property), reputation damage, regulatory challenges and financial loss. However, the cloud also poses new risks, including the increased hacker appeal of large data concentrations in a single location; an evolving regulatory landscape; and unintended consequences, such as the consolidation of magnetic tape suppliers, which could lead to supply chain issues for cloud vendors down the road.
To address these risks, company leaders must adopt a risk-savvy cloud approach that addresses strategy, implementation, service assurance and security. Failure to adopt such an approach raises the likelihood of experiencing higher cloud-related costs as well as data access and security issues that can expose organizations to data, reputational and financial losses.
We discussed cloud-related risks in Protiviti’s latest emerging risks newsletter, focusing on several specific cloud considerations. As outlined above, these are by no means the only cloud risks organizations should consider, but our recent experience suggests that they are some of the most frequently ignored.
Vendor Consolidation — In July 2018, the European Banking Authority (EBA) Recommendations flagged the limited and shrinking number of cloud service providers, including the often-overlooked need for an exit strategy should a vendor relationship fail to meet expectations, as a “key risk.” To address concentration risks, organizations should ensure that vendors are selected and monitored in accordance with the company’s cloud strategy and vendor risk management policies, sufficient vendor diversification is maintained, and service level agreements (SLAs) are well-designed and actively managed.
Data Location and Data Ownership — Some cloud vendors treat customer data stored on their servers as an asset to be aggregated and sold to retailers, search engines and other third parties. Imprecise data ownership stipulations should be identified and challenged by cloud customers prior to entering into a vendor relationship. Often, however, the teams procuring cloud offerings are not sufficiently educated on data ownership risks, which can result in cloud providers negotiating outright ownership of the customer data on their servers. That could prove problematic for the customer, especially if that data includes regulated information under, for example, the General Data Protection Regulation (GDPR). To limit risks associated with data ownership and location, organizational cloud strategies and governance should emphasize ongoing education concerning these issues. These strategies also should contain specific policies regarding data ownership and location.
Legal Holds and Investigative Support — The manner in which data is stored and controlled by cloud providers can affect the ease and speed with which companies can respond to pending litigation. A legal hold requires an organization to preserve records and information related to the legal matter. While cloud vendors should have tools and processes in place to respond swiftly to legal holds issued to their customers, this capability is frequently overlooked during the due diligence and provider selection process and the finalization of SLAs and contracts. The vendor selection processes should include mechanisms for determining prospective cloud vendors’ ability to respond and preserve data and information in accordance with these types of requirements.
Vendor Lock-In — Snapchat parent company Snap reported a couple of years ago that it was bound by contract to spend $2 billion with Google Cloud over the next five years, that it has built some of its systems to work exclusively with Google, and that it uses some Google services for which there are no alternative vendors in the market. This kind of exclusive vendor “lock-in” makes the subsequent movement of data in-house or to another cloud vendor difficult and expensive and could expose the company to significant maintenance and service fees. These kinds of lock-ins should be identified and addressed in SLAs and in ongoing performance monitoring.
Unsanctioned Cloud Services — Just as the proliferation of cell phones led to unauthorized access to enterprise systems via unsecured mobile devices, the ubiquity of and easy access to cloud apps and services has led to an increase in the unauthorized use of unvetted cloud services. A survey by NTT Communications found that 77 percent of companies had experienced unauthorized cloud service issues. This is a serious concern, as such unauthorized cloud apps are a common attack vector for cyber criminals.
Although the move to a well-managed cloud platform will, in most cases, result in decreased data risk overall, appropriate vendor selection criteria, well-crafted SLAs and effective IT and vendor risk management governance and controls are essential to mitigate the additional risks that come with a third-party data management strategy. Creeping cloud costs are another emerging risk not discussed here, which we are following and will address in future issues of PreView.