As many as 96% of respondents to a recent survey by software service company RightScale reported already using cloud technologies.
The benefits to efficiency, profitability and security are by now well known. “Businesses go into the cloud because it’s transformative,” says Jason Carter, general manager – professional services at Interactive, Australia’s largest privately-owned IT services company. “It provides an opportunity to review the IT ecosystem and transform it to provide greater business value.”
And in the cloud, collaborating is easier and document creation is faster. Your data is safer there, too. “Storing data in the cloud enables the use of tools that can provide greater protection of that data than if it were stored on-premise,” says Carter. “Not to mention, outsourcing or transforming technology can provide mitigation for legacy equipment or operating systems, removing key person risks.”
But how well known are the risks associated with the transition process? Risk managers of course play a central role in ensuring that all goes according to plan – here’s what you need to know:
Know your compliance requirements
Data sovereignty and privacy legislation varies greatly depending on what country you’re operating in. "Australia, for example, has very strict privacy legislation that includes mandatory reporting for data breaches,” says Carter. “Risk managers need to be aware of the legislation that governs data security, not just in the jurisdiction where their business is registered but also the jurisdiction where the cloud services are provided.”
Microsoft has found itself entangled in a years-long legal battle as the US government demands that the company release a customer’s e-mail that is stored in an Irish data centre. The argument has gone all the way to the Supreme Court, proving that data sovereignty is no straightforward matter. Risk managers ought to keep an eye out for any new developments in this space.
Understand what you’re buying
Choosing the right tools is complex, but critical. “When consuming services from the hyperscalers, like AWS and Azure, you need to know what you're doing to ensure you're buying the services that meet functionality and compliance needs,” Carter says. “Working with a provider who can bridge business requirements with cloud services is critical.”
Risk managers also need to understand the terms, conditions, and configuration of their cloud services. “Setting those up can be quite complex, and you’re trusting either your internal IT team or a consultant to set up those cloud services for you,” Carter says. “You need a means of auditing that the security they said was going to be put in place to protect your environment is, in fact, in place.”
If organisations fail to ensure that the web ‘bucket’ they’re loading data into is properly configured, they could fall victim to potentially devastating breaches. Multinational companies like Paramount Pictures and MTV are just a few big names that have recently had their data leaked from Amazon Web Services (AWS) S3 buckets, a storage space, because of configuration issues.
One of the ways to ensure proper configuration is by performing what’s called a penetration test – bringing in an external company to perform tests to make sure your environment is secure before you go live.
Undertake a cloud readiness assessment
When migrating to the cloud, there’s a major risk that performance could be negatively impacted. “Applications may perform and act differently when running on cloud infrastructure,” says Carter. “You have to see if those applications will work on a cloud environment, so you need to work with a cloud provider to help you make sure they perform when migrated,” he says. “Otherwise, you end up with poor-performing applications or applications that don’t work at all, and that can be a critical business risk.”
To mitigate the risk, businesses should carry out a cloud readiness assessment, which looks at the cloud ecosystem, including the applications, the networks, the people, the processes, and the entire business view, to make sure the business is ready to migrate to the cloud. At this stage, risk managers can work with project managers and IT to identify risks early. “Any benefits you get, whether they be financial or process-driven benefits, can be quickly eroded if that cloud readiness assessment isn’t performed,” says Carter.
Encrypt your data
You can mitigate risks associated with cloud migration by making sure data is encrypted at rest and in transit. “At rest is how data is encrypted on the storage devices or storage services, and in transit is network security,” he says. “If you’re now dislocated from your data, you’re going to want to encrypt it to make sure there isn’t someone listening in between and capturing that data.”
Make sure passwords are strong
“This should be a no-brainer,” Carter says. “Certainly risk managers need to be involved in the policies that are in place in most organisations around data security and safe usage of IT equipment, which includes password complexity.” That could mean setting guidelines for using uppercase letters, special characters, or the like. Risk managers should also be aware of additional technology, like two-factor authentication, which involves two layers of protection to ensure your passwords aren’t compromised.
Check your networks
Before migration, you’ll need to ensure that the networks you use to connect to your cloud service provider support the performance and resilience metrics you’ve defined. In some parts of the world, networks are still run on poor copper networks. Poor infrastructure like that can be a limitation to moving to the cloud. “There is no point moving into the cloud and then having everyone on the shop floor waiting five minutes to open an e-mail,” says Carter. “Any benefits go out the window in lost productivity.”