In my last article, we covered the fundamental concepts of cloud computing and how cloud services are deployed. Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) are three of the most popular cloud deployment models. In this article, it is time to delve deeper into cloud risks and how they are treated. Some fundamental questions are worth exploring: how safe is the cloud model? Is it free from risks? Does the cloud service provider have access to your data?
Imagine keeping all your valuable jewellery at a friend's place while you are travelling, or keeping it in a bank locker. You feel it is safe because somebody is constantly around to safeguard and protect your valuables and, more importantly, you have transferred the risk to someone else. A bank secures the locker with dual keys, restricts access to only those whom you (the "owner") authorize, and takes out basic insurance in case of any untoward incident.
Using the same analogy, your valuable data is stored with the cloud service provider, who takes care of the physical and logical safety of the data while giving you control over how you access it and to whom you grant access.
But the real question is: what are the risks in this setup, and how can one overcome them?
Since your data is stored with the cloud service provider, the biggest risk is to the confidentiality and integrity of your data. How does one ensure that one customer's data is accessible only to that customer and not to others? Since most cloud service providers use a public cloud model, this is of huge significance.
Cloud service providers work on the concept of multi-tenancy, where a single instance of a software application serves multiple customers. Each customer is called a tenant. Tenants are given the ability to customize some parts of the application, such as the color of the user interface (UI) or business rules, but they cannot customize the application's code. One could imagine multiple tenants living in the same building and still retaining their individual security and privacy.
This can be further strengthened by additional access restrictions such as IP-based, browser-based, device-based, geography / country / region-based and time-based restrictions.
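The restrictions listed above are usually enforced at the application or identity layer as a deny-by-default policy: a session that has already authenticated is still refused unless every configured restriction passes. The following Python is an added illustration of that evaluation and is not code from the article or from any particular cloud provider; the policy values, the request fields (the country and browser are assumed to be supplied upstream by GeoIP and user-agent parsing) and the sample requests are all constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class AccessPolicy:
    """Restrictions a tenant layers on top of normal authentication.
    An empty list/set means 'no restriction of that kind'."""
    allowed_networks: list = field(default_factory=list)   # CIDR strings
    allowed_countries: set = field(default_factory=set)    # ISO country codes
    allowed_browsers: set = field(default_factory=set)
    require_managed_device: bool = False
    window_start: time = time(0, 0)                        # local time, inclusive
    window_end: time = time(23, 59, 59)                    # local time, inclusive


@dataclass
class AccessRequest:
    """What the application already knows about an authenticated session.
    Hypothetical fields: country and browser are assumed to come from
    upstream GeoIP lookup and user-agent parsing."""
    source_ip: str
    country: str
    browser: str
    managed_device: bool
    local_time: time


def within_window(start: time, end: time, now: time) -> bool:
    """Inclusive time window; also handles overnight windows such as 22:00-06:00."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def evaluate(policy: AccessPolicy, req: AccessRequest) -> tuple[bool, list]:
    """Deny by default: every configured restriction must pass.
    Returns (allowed, list of reasons for denial) so the reasons can be logged."""
    reasons = []
    if policy.allowed_networks:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(cidr) for cidr in policy.allowed_networks):
            reasons.append(f"source IP {req.source_ip} not in an allowed network")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        reasons.append(f"country {req.country} not allowed")
    if policy.allowed_browsers and req.browser not in policy.allowed_browsers:
        reasons.append(f"browser {req.browser} not allowed")
    if policy.require_managed_device and not req.managed_device:
        reasons.append("unmanaged device")
    if not within_window(policy.window_start, policy.window_end, req.local_time):
        reasons.append(f"access at {req.local_time} outside permitted hours")
    return (not reasons, reasons)


# Constructed sample policy: office networks only, Indian geography, approved
# browsers, managed devices, business hours. All values are illustrative
# (192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges).
OFFICE_POLICY = AccessPolicy(
    allowed_networks=["10.0.0.0/8", "192.0.2.0/24"],
    allowed_countries={"IN"},
    allowed_browsers={"Chrome", "Edge"},
    require_managed_device=True,
    window_start=time(8, 0),
    window_end=time(20, 0),
)

# Constructed sample requests: one that satisfies every restriction and one
# that fails the network, country, device and time checks at once.
ALLOWED_REQUEST = AccessRequest("10.20.30.40", "IN", "Chrome", True, time(10, 15))
BLOCKED_REQUEST = AccessRequest("203.0.113.7", "BR", "Chrome", False, time(2, 0))

if __name__ == "__main__":
    for name, req in (("allowed", ALLOWED_REQUEST), ("blocked", BLOCKED_REQUEST)):
        ok, why = evaluate(OFFICE_POLICY, req)
        print(name, "->", "ALLOW" if ok else "DENY", why)
```

Returning every failed reason rather than stopping at the first one makes the denial auditable, which is what an assessor reviewing the tenant's access configuration will want to see in the logs.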
Many statutes across the world have started mandating that data reside within the country or region. The General Data Protection Regulation (GDPR), the privacy law of Europe, for instance, mandates that the personal information of EU data subjects be stored within the EU region only. Similar requirements are in place in other countries. In India, similar requirements are in place for the banking, financial services and insurance (BFSI) sector and the securities market sector.
The ideal control here is to check whether the data is hosted locally. Care should also be taken to check where the disaster recovery centres are hosted.
The next biggest risk in the case of cloud is whether the data is adequately backed up, and if so, at what frequency. Many a time the data is backed up only once a week or once a day. In those circumstances it is important for organizations to understand whether they are comfortable with that much data loss. For example, if the daily backup runs at 8 am every day, the next backup takes place at 8 am the following day. If the IT systems suffer an attack or a failure at 7.30 am the next day, the data of the last 23.5 hours is lost!
The ideal control in these circumstances is to classify your data and understand the implication of losing it. If an organization wants zero data loss, as in the BFSI sector, the cloud service provider must perform real-time backups.
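The two paragraphs above describe a risk (the gap between backups) and its control (matching backup frequency to the tolerated loss for each data class). The following Python is an added example, not code from the article; it generalizes the 8 am scenario to any daily schedule by computing the loss from a given incident time and the worst-case loss of a schedule (its effective recovery point objective), and then checks a schedule against the loss a data class can tolerate. The dates and schedules are constructed, and it assumes a backup is usable the moment it starts.

```python
from datetime import datetime, timedelta, time

SECONDS_PER_DAY = 24 * 3600


def last_backup_before(schedule: list, incident: datetime) -> datetime:
    """Most recent scheduled backup at or before the incident.
    `schedule` is a list of datetime.time values that run every day.
    Assumption: a backup is usable the moment it starts."""
    candidates = []
    for day_offset in (0, -1):          # today and yesterday cover every case
        day = (incident + timedelta(days=day_offset)).date()
        for t in schedule:
            run = datetime.combine(day, t)
            if run <= incident:
                candidates.append(run)
    return max(candidates)


def data_loss_hours(schedule: list, incident: datetime) -> float:
    """Hours of data lost if the systems fail at `incident`."""
    return (incident - last_backup_before(schedule, incident)).total_seconds() / 3600


def worst_case_loss_hours(schedule: list) -> float:
    """Largest gap between consecutive daily backups, including the overnight
    wrap-around. This is the schedule's effective recovery point objective (RPO)."""
    secs = sorted(t.hour * 3600 + t.minute * 60 + t.second for t in schedule)
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    gaps.append(SECONDS_PER_DAY - secs[-1] + secs[0])   # last run of the day to first run of the next
    return max(gaps) / 3600


def schedule_meets_rpo(schedule: list, rpo_hours: float) -> bool:
    """Control check: does the backup frequency fit the loss tolerated for this data class?"""
    return worst_case_loss_hours(schedule) <= rpo_hours


# Constructed examples matching the article's scenario.
DAILY_0800 = [time(8, 0)]
TWICE_DAILY = [time(8, 0), time(20, 0)]
INCIDENT_0730_NEXT_DAY = datetime(2024, 1, 2, 7, 30)   # arbitrary constructed date

if __name__ == "__main__":
    for label, schedule in (("daily 08:00", DAILY_0800), ("08:00 and 20:00", TWICE_DAILY)):
        print(f"{label}: loss at 07:30 next day = "
              f"{data_loss_hours(schedule, INCIDENT_0730_NEXT_DAY)} h, "
              f"worst case = {worst_case_loss_hours(schedule)} h, "
              f"meets 4 h RPO: {schedule_meets_rpo(schedule, 4)}")
```

For data classified as zero-loss, no periodic schedule passes this check; that is the point at which real-time replication, rather than a more frequent batch backup, becomes the required control.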
What happens if the user is unable to access the data? What if there is a power failure or system unavailability at the cloud service provider's end? Bear in mind that it is normally the responsibility of the cloud service provider to ensure there is a disaster recovery system in place.
In the event of a disaster, the infrastructure and the data should be shifted to an alternative site when the primary location fails. It is recommended that the primary site and the disaster recovery site be at different locations, so that in the event of a disaster at the primary site the disaster recovery centre is still safe to operate from.
Because technology evolves constantly, there is an underlying risk in cloud service providers continually updating their infrastructure or application. The question to ponder is: what is the implication of such a technology upgrade on the organization's environment? Will it force the organization to also upgrade its underlying infrastructure or other dependent applications? How long can an organization resist such an upgrade, citing other operational challenges? The other aspect is to check the compatibility of applications whenever there is an upgrade at one or more cloud service providers.
Most of these cloud solutions are vendor-driven. While the underlying concept of cloud remains the same, each vendor builds its cloud infrastructure and application differently. This makes it challenging to port to another vendor if the need arises. But the bigger risk is: what happens if a vendor goes out of business and shuts shop? What happens to your data?
In such cases, the cloud service provider and the customer enter into a tripartite escrow agreement, under which the source code is provided to a custodian who keeps it in safe custody and releases it to the customer only if the vendor goes out of business or shuts shop.
Since the cloud works on a shared responsibility model, certain responsibilities rest with the cloud service provider and certain others with the customer. Many a time there is a lack of clarity on this. An illustrative case is shown below:
Responsibility | On-Prem | IaaS | PaaS | SaaS |
---|---|---|---|---|
Data classification and accountability risk | End-Customer | End-Customer | End-Customer | End-Customer |
Client and endpoint risk | End-Customer | End-Customer | End-Customer & CSP | |
Identity and access risk | End-Customer | End-Customer & CSP | | |
Application risk | End-Customer | CSP | | |
Network risk | Customer & CSP | CSP | CSP | |
Hosting risks | CSP | CSP | | |
Infra risk | CSP | CSP | CSP | |
This can be mitigated only by clearly defining the responsibility in each model, with users at both ends clearly understanding their accountability.
Understanding cloud risks helps organizations build the right type of controls to reduce those risks. While the cloud model has multiple advantages, the risks must be carefully addressed. As auditors, it is important that we understand these risks and assess their impact on the organization.
The author, CA Narasimhan Elangovan, is a practising CA and partner at KEN & Co. He is a GRC professional, a digital transformation catalyst and an author. He believes in the power of technology to solve everyday problems. He can be reached at narasimhan@ken-co.in.