Executive Briefings

Are Cloud Applications a Cybersecurity Threat?

To be a corporate I.T. professional today, you have to be obsessed with cybersecurity. A line on your resume should read "paranoid tendencies." Because somebody really is out to get you - or, at least, your company's proprietary information.

With that in mind, why would anyone want to exacerbate the situation by moving critical applications into the cloud? Aren't you just ramping up an already significant threat? Can you really trust your data with some distant server farm, which is storing the intelligence of countless other companies, including, in all likelihood, your fiercest competitors?

All right, so I'm somewhat overstating the case. Cloud technology has matured to the point where security isn't a crippling concern - no more, at least, than it is for software that sits behind a company's firewall. Nevertheless, if you're moving major apps to the cloud, there are steps you should be taking to ensure the stability of your organization.

It's not all about security. According to Matt Goche, director of information security consulting with Sungard Availability Services, there are three things you need to ensure when you're moving to the cloud: that your data remains highly available, secure and recoverable. Service disruptions might be rare, but even those of short duration can be devastating to a business.

Goche acknowledges the risks involved. He suggests three main ones to think about:

Failing to understand the security of your partner. Companies might start out by taking the baby step of deploying a dedicated private cloud, but the true economies of scale don't kick in until they embrace the public cloud, involving multiple vendors and services readily available on demand. That option, however, requires the presence of a third-party provider. You should be intimately familiar with its security procedures, how they overlap with yours, and the compliance standards being observed. You can't achieve that level of knowledge without a lot of pre-assessment work, says Goche.

Losing control of your data. The system and network administrator roles that you previously handled in-house are now being performed by an outsider. But accountability must remain within your organization. You need to know that the cloud provider is meeting the same expectations that you used to uphold internally. You need to clearly delineate how tasks are being apportioned between you and your partner. And you need a precise understanding of the chain of reporting, including the mechanism for responding to any problem.

Botching the execution. You've done your due diligence, selected your cloud provider, and designed a secure architecture so that no unauthorized parties have access to sensitive data. How, then, do you guard against degradation of the agreement over time? The parties can't be dropping the ball, for example, when it comes to understanding and enforcing patch management. (The regular downloading of patch applications is a key element of any cybersecurity initiative.)

Most important, says Goche, is the enforcement of a clear and consistent policy on incident response, with each party knowing its responsibilities and respecting clearly delineated lines of communication. Initial migration is only the first step in maintaining a successful cloud engagement.

Another big concern among potential users of cloud services is redundancy. No respectable provider would rely on a single server to store its customers' critical data, and many take care that multiple machines are hooked up to separate power sources. Still, I.T. managers might question whether their providers have adequately backed up both apps and data, in preparation for that inevitable moment when something goes wrong.

Goche recommends that companies approach the problem from another direction. Instead of worrying about how many servers are in play, think in terms of data availability, as spelled out in your service-level agreement.

"Make it more of a business question than an I.T. question," says Goche. "You build enough redundancy into your architecture to provide me with that solution. It drives you to your business goal of x-percent availability."

Security, of course, is as much a concern for on-premises systems as for those in the cloud. But Goche believes the cloud has the potential to make a company's data even more secure.

"Maybe your internal resources are falling behind on patch and logistics management," he notes. "Intensive, day-in and day-out services might be better handled by a cloud provider." A vendor with a large network operation is likely to be in a better position to detect intrusions than a medium-sized business lacking round-the-clock I.T. staff.

What's more, Goche says, migration to the cloud forces a company to come up with a detailed road map that can uncover gaps in resiliency or instances of I.T. overspending. (And, of course, it sharply reduces the cost of system upgrades. The point at which you're about to make a big capital expenditure on new software is probably the best time to be thinking about the cloud.)

Not everything is suited for the cloud. Certain highly customized applications, designed for subsets of an organization, might be better handled in-house. And site-specific applications such as warehouse-management systems have been slow to embrace the technology. But Goche believes - and companies are increasingly coming to agree - that the cloud is appropriate for most types of business software, as long as proper steps are taken to ensure data security, and the provider is fully validated.

The key word is vigilance. Says Goche: "Whether you're maintaining traditional I.T. processes in house, or moving to a private, public or hybrid cloud, I.T. security is a paramount issue for any company."

Keywords: supply chain, supply chain management, cloud supply chain, SaaS, supply chain planning, supply chain systems, supply chain risk management
