We’ve all heard of ‘the Cloud’, but even its name is elusive: who should use it, how much it can or should be trusted, and what exactly it entails seem just as ambiguous. At its baseline, though, the Cloud is shared infrastructure and applications (think SaaS: Software as a Service) that a provider hosts and runs on your behalf, meant to let you do more, faster, and to reach your systems and data from anywhere instead of building and maintaining them yourself.

Amazing, right? Right! This means that a user could access the data and tools necessary to run their business from just about anywhere. Does anyone else hear Hawaii calling their name…?

But all jokes aside (or most, for now), we’re going to need to take a step back to answer some of the most common questions I receive regarding the use of Cloud infrastructure and point out key aspects of using the Cloud in relation to cybersecurity responsibilities before we go running off to the tropics.

I’m constantly asked whether the Cloud is good, bad, or should even be used by companies from a data protection and security standpoint. Unfortunately, like Cloud services themselves, the answer is slightly elusive. ‘Good’ and ‘bad’ are relative terms here: whether or not you use Cloud capabilities, there will still be room for error, and you will still own the job of monitoring your controls. So instead, I’m going to share what’s most important to understand when deciding to integrate Cloud services into your business’s technology.

It seems like there’s a new Cloud service available every day, but AWS (Amazon Web Services) and Microsoft Azure are the two most widely used Cloud infrastructure providers. Each offers different service tiers at different price points, so there’s something to suit most needs. I’ll be referring to these two throughout this article as general references.

With all of this in mind, let’s dive into the most crucial thing to be aware of when learning about Cloud services: shared responsibility.   

You absolutely (and I cannot stress this enough) will NOT be able to buy into Cloud services at ANY tier and treat them as “hands-off”. Even if you choose a managed service in which the provider operates the system for you, it’s still your responsibility to make sure your company’s controls are consistently and adequately run alongside whatever Cloud service you’ve chosen. AWS sums the split up as the provider being responsible for security “of” the cloud (the data centers, hardware and underlying platform) and the customer for security “in” the cloud (your identities, configurations, applications and data). No matter how big the company you partner with, breaches are and will always be a reality. If you aren’t actively monitoring your controls and a breach happens in a service you had simply assumed was safe, you’re going to lose some serious brownie points with your clients, or lose them entirely.

Think of it this way: if you own an apartment complex and lease out individual units, who is going to be held responsible if the security system stops working and multiple tenants are robbed: the tenants, or you, the complex owner? If you chose ‘the complex owner’, congratulations! You’re correct. You may also think, “but wait, shouldn’t the company that installed and manages the security system be held responsible?” That’s understandable, but it overlooks the building owner’s duty to conduct routine maintenance and regular inspections of every part of the building. If you try to tell the tenants whose belongings were stolen that “it isn’t my fault”, it probably won’t play out well for you.

It’s the same gist here. If you fail to take ownership of the control design and monitoring your Cloud service requires of you and end up facing a cyber-attack, your clients are going to blame you, no one else. You’re doing a huge disservice to the data entrusted to you if you aren’t doing your due diligence, and clients deserve the assurance that you’ve done your part in security upkeep.

In fact, it’s helpful to be aware of something referred to as CUECs: Complementary User Entity Controls. This is a section of your Cloud provider’s SOC 2 report that lists the controls the provider assumes you, the customer (the “user entity”), have in place on your side; the provider’s own controls only meet their objectives if yours are operating too. SOC 2 reports include this section because the Cloud is shared infrastructure, and therefore shared responsibility. Because of this, providers like AWS and Microsoft expect you to have your own security controls in place with the appropriate practices, monitoring, and policies. Exactly where the line falls depends on the service model: on infrastructure services (IaaS) you still patch the guest operating systems you run; on a managed database or a SaaS application the provider patches the platform, but user identities, access decisions and data classification and retention decisions stay yours in every model. Not an exhaustive list, but examples of processes you still need to manage include patch management, change management, business continuity, encryption, asset identification, risk analysis, and access control; the list goes on.
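As an added example (not code from the original article, and not AWS’s or Microsoft’s own tooling), here is what “owning” two of those controls looks like in practice: a small Python script that inspects an IAM policy document for “anything on anything” permissions and an S3 bucket configuration for default encryption, the way a scheduled customer-side check would. The document shapes copy the AWS IAM policy and S3 encryption-configuration formats; the sample policies, bucket configurations and key alias are constructed for illustration, and the script runs offline without calling any AWS API.

```python
"""Two customer-side control checks, run offline over AWS-shaped documents.

Added example, not code from the original article or from AWS. The documents
below are constructed samples that copy the shape of an IAM policy document and
of an S3 default-encryption configuration; the checks are plain JSON inspection.
"""
import json

# Constructed sample (weak): an Allow statement for every action on every resource.
WEAK_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample (scoped): the same need, limited to two actions on one bucket.
SCOPED_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample: a bucket whose default encryption is SSE-KMS (key alias is made up).
ENCRYPTED_BUCKET_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "alias/example-key"}},
        ],
    },
}

# Constructed sample: a bucket with no default-encryption rule at all.
UNENCRYPTED_BUCKET_CONFIG = {}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def find_overly_broad_statements(policy_json):
    """Return the indexes of Allow statements that grant '*' actions on '*' resources."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(index)
    return findings


def bucket_has_default_encryption(config, require_kms=False):
    """True if the bucket declares a default SSE rule; with require_kms, SSE-S3 (AES256) is not enough."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm == "aws:kms":
            return True
        if algorithm == "AES256" and not require_kms:
            return True
    return False


def audit(policies, buckets):
    """Evaluate every policy and bucket; return (control, name, PASS/FAIL) rows."""
    rows = []
    for name, document in policies.items():
        broad = find_overly_broad_statements(document)
        rows.append(("access-control", name, "FAIL" if broad else "PASS"))
    for name, config in buckets.items():
        encrypted = bucket_has_default_encryption(config, require_kms=True)
        rows.append(("encryption", name, "PASS" if encrypted else "FAIL"))
    return rows


if __name__ == "__main__":
    report = audit({"weak-policy": WEAK_IAM_POLICY, "scoped-policy": SCOPED_IAM_POLICY},
                   {"encrypted-bucket": ENCRYPTED_BUCKET_CONFIG,
                    "plain-bucket": UNENCRYPTED_BUCKET_CONFIG})
    for control, name, status in report:
        print(f"{control:15} {name:16} {status}")
```

The weak policy is the kind of access-control finding the provider cannot fix for you, because the provider’s controls stop at the platform and the policy is your configuration; the scoped policy is the corrected version. The same idea applies to the other CUEC domains: the provider attests to its side in its SOC 2 report, and a check like this, run on a schedule and retained, is the evidence for yours.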

Okay, deep breath. Now that you’re aware of just how essential it is to keep owning your controls and practices if and when you integrate something like AWS, let’s look at why you should choose to jump into the Cloud!

Cloud services are simply services or infrastructure you’re outsourcing under the umbrella of your own programs and processes, and moving to the Cloud is a great idea as long as you keep that in mind. It lets experts in infrastructure and software focus on what they excel at, leaving you with less to manage and worry about. Some tiers also include system management, which means even less work and less time spent worrying whether the system you’ve chosen is running as effectively as it should. Those tiers come with a higher price tag, but they can save your company money in the long run by saving you and your employees valuable time.

You can leverage new technology and state-of-the-art platforms without trying your hand at building your own, likely less mature, software or buying high-price assets to maintain. Leave that to the large companies with countless experts working nonstop to build the best software and infrastructure possible. Not only will it save you time, money and hassle, it means you get to work with well-engineered systems and current technology. Let’s face it: we can’t all be developers or server experts!

Getting back to what is perhaps my favorite point about the Cloud: you get to take your work basically anywhere you want. Don’t feel like changing out of your pajamas and going into the office? No problem. Craving a change of scenery but can’t abandon all responsibility? Not to worry: your data is protected (as long as you’re doing your part, too!) and reachable from wherever you are. Keep in mind that “accessible from anywhere” also means reachable from anywhere, so multi-factor authentication and sensible device hygiene are what stand between your data and anyone else who finds the login page. The list of benefits goes on and on. Life happens: kids get sick and can’t go to school, the office Wi-Fi crashes, or a global pandemic makes it impossible to be around other people for an undetermined amount of time. Whatever the case, the Cloud has your back, and your business.

So yes, use Cloud infrastructure and applications! Just understand that you’re still responsible for the content and data you put in the Cloud and for the controls that keep them safe and secure. As long as you treat Cloud services as you would treat any other function of your company (actively managed and owned as part of a holistic enterprise control environment), the benefits will be unmistakable.

Published Link: https://fizentech.com/jumping-into-the-cloud/

About the Author

Partner, vCISO Cheri Hotman

Cheri is a vCISO on a personal mission to simplify cybersecurity and SOC 2 so companies have what they need to make strategic decisions around implementing the right solutions, not too much and not too little. She sees a lot of "noise" in the marketplace around cybersecurity and SOC 2 that causes confusion and leads to haphazard, knee-jerk decisions made without an overall strategy for building out and managing a company's cybersecurity and SOC 2 posture that actually aligns with and supports the business objectives. Ultimately, it's all about risk and finding the most creative way to reduce it with limited resources and budget. Cheri graduated with an MBA from the University of Texas at Dallas, and her drive toward tech and cybersecurity has only grown since then. With a corporate career, up to the Vice President level, in banking, financial services, and consulting, she has a firm grasp on the particulars of the business world. Continuing education and consultancy work have made her even more informed and effective on the topic of modern cybersecurity and SOC 2. Cheri is a CPA, meaning she can both perform SOC 2 audits and help companies prepare for them. She is a BCC (Board Certified Coach) and holds her CISSP (Certified Information Systems Security Professional), the gold standard in cybersecurity. In sum, you can count on her to know her stuff!