sb-au logo
Story image

Architecture, models and... zombies? The three major risk areas when moving to cloud

31 May 2017

As more organisations take the journey to the cloud, there are also inevitable risks along the way. Alongside better scalability and processing capabilities, businesses must consider the risk factors surrounding security and privacy.

That's the advice from RSM's partner in Risk Advisory Services Michael Shatter, who says the benefits have created a "widespread transition to the cloud, with more companies adopting cloud solutions to support growth and add flexibility while cutting costs".

RSM Australia has compiled three key risk areas that organisations need to consider when transitioning to cloud: 1. Architecture The cloud typically consists of one of three major architectures: Software-as-a-Service (SaaS); Platform-as-a-Service (PaaS); and Infrastructure-as-a-Service (IaaS). Security and regulatory compliance procedures are directly tied to the model chosen.

SaaS: The most common example of the cloud, when using this platform a company simply leverages an application completely controlled by an external provider. Examples include webmail and social media. However, when using SaaS solutions, a company has little opportunity to conduct a security review, with risks predominately managed through the contract. Particular areas to closely evaluate include availability, ownership of liability, and the processes and responsibilities of the cloud provider during a data breach.

PaaS: This cloud solution typically involves the movement of an application to a cloud vendor, with this third-party provider then providing the business with the required virtualised server and connectivity needed to operate the application. Vendor risk is still managed through contracts however, the company needs to keep in mind they are still responsible for maintaining the application.

IaaS: This solution takes existing physical or virtual servers and transitions them into a cloud environment. The vendor’s main responsibility when using an IaaS solution is to manage the connectivity and security of the fundamental infrastructure, with the organisation maintaining responsibility for securing applications and operating systems.

2. Models

There are three types of cloud solutions available for organisations to implement including public cloud, community cloud and private cloud.

Public cloud: Public cloud encompass platforms including Gmail and Dropbox. When using this solution, all customers are in the basic environment and generally have basic security controls.

Community cloud: Designed to meet a specific industry’s security and regulatory demands, examples of community cloud solutions are designed to meet the standards and requirements set by the Australian Signals Directorate. With more specialised security requirements, community cloud options tend to be more costly than public cloud.

Private cloud: Organisations with extensive internal information technology capabilities can choose to deploy a private cloud solution within their internal environment. This solution delivers complete control over security details and compliance demands, but carries the most expense.

3. Zombies

Representing the most significant risk, zombie systems result when an original application or underlying operating system is not maintained. Once an organisation transitions a system, application, or business process to the cloud, it is often assumed that the original assets will deactivate rather quickly. However, studies show that the sun-setting process takes an average of two to three years. This delay typically occurs due to linkages to the original system that cannot be broken without interrupting critical business processes. Also, often as soon as cloud migration occurs, the attention of IT teams is diverted from original systems to the new cloud solutions. However, those legacy systems still exist and can contain sensitive data. As these systems do not necessarily receive the same security maintenance and updates, they can be highly vulnerable and present significant risks to the company.  To guard against zombie systems creating potential exposures in the IT environment, businesses' cloud migration strategy should include full maintenance and tracking of these systems until they are officially removed from the network. “Cloud usage is only projected to rise due to solutions that can support growth and increase profitability becoming more realistic and available for middle market companies. However, these cloud platforms are not without risk, so businesses must fully understand their cloud options and choose the option that best aligns with their regulatory demands and risk appetite," Shatter comments. “Organisations should evaluate their potential cloud architectures and models to develop a cloud roadmap that will let them reduce their technology vulnerabilities while creating a competitive advantage.”

Story image
Kaspersky finds red tape biggest barrier against cybersecurity initiatives
The most common obstacles that inhibit or delay the implementation of industrial cybersecurity projects include the inability to stop production (34%), and bureaucratic steps, such as a lengthy approval process (31%) and having too many decision-makers (23%). More
Story image
Security training and tech: Empowering staff in a hybrid work environment
As employees travel back and forth between home and the workplace, are they walking through the door with cyber threats sitting on their devices?More
Story image
Gartner: By 2023, 65% of the world will have personal data covered under modern privacy regulations
“Security and risk management (SRM) leaders need to help their organisation adapt their personal data handling practices without exposing the business to loss."More
Story image
Thales: A/NZ cybersecurity approach more talk than action
“While some organisations are talking a good story … predicted spending shows that most have the wrong focus.”More
Story image
Video: 10 Minute IT Jam – Who is Cohesity?
If you could pick two words to describe Cohesity, ‘data management’ fit very well.More
Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More