sb-nz logo
Story image

Architecture, models and... zombies? The three major risk areas when moving to cloud

31 May 2017

As more organisations take the journey to the cloud, there are also inevitable risks along the way. Alongside better scalability and processing capabilities, businesses must consider the risk factors surrounding security and privacy.

That's the advice from RSM's partner in Risk Advisory Services Michael Shatter, who says the benefits have created a "widespread transition to the cloud, with more companies adopting cloud solutions to support growth and add flexibility while cutting costs".

RSM Australia has compiled three key risk areas that organisations need to consider when transitioning to cloud: 1. Architecture The cloud typically consists of one of three major architectures: Software-as-a-Service (SaaS); Platform-as-a-Service (PaaS); and Infrastructure-as-a-Service (IaaS). Security and regulatory compliance procedures are directly tied to the model chosen.

SaaS: The most common example of the cloud, when using this platform a company simply leverages an application completely controlled by an external provider. Examples include webmail and social media. However, when using SaaS solutions, a company has little opportunity to conduct a security review, with risks predominately managed through the contract. Particular areas to closely evaluate include availability, ownership of liability, and the processes and responsibilities of the cloud provider during a data breach.

PaaS: This cloud solution typically involves the movement of an application to a cloud vendor, with this third-party provider then providing the business with the required virtualised server and connectivity needed to operate the application. Vendor risk is still managed through contracts however, the company needs to keep in mind they are still responsible for maintaining the application.

IaaS: This solution takes existing physical or virtual servers and transitions them into a cloud environment. The vendor’s main responsibility when using an IaaS solution is to manage the connectivity and security of the fundamental infrastructure, with the organisation maintaining responsibility for securing applications and operating systems.

2. Models

There are three types of cloud solutions available for organisations to implement including public cloud, community cloud and private cloud.

Public cloud: Public cloud encompass platforms including Gmail and Dropbox. When using this solution, all customers are in the basic environment and generally have basic security controls.

Community cloud: Designed to meet a specific industry’s security and regulatory demands, examples of community cloud solutions are designed to meet the standards and requirements set by the Australian Signals Directorate. With more specialised security requirements, community cloud options tend to be more costly than public cloud.

Private cloud: Organisations with extensive internal information technology capabilities can choose to deploy a private cloud solution within their internal environment. This solution delivers complete control over security details and compliance demands, but carries the most expense.

3. Zombies

Representing the most significant risk, zombie systems result when an original application or underlying operating system is not maintained. Once an organisation transitions a system, application, or business process to the cloud, it is often assumed that the original assets will deactivate rather quickly. However, studies show that the sun-setting process takes an average of two to three years. This delay typically occurs due to linkages to the original system that cannot be broken without interrupting critical business processes. Also, often as soon as cloud migration occurs, the attention of IT teams is diverted from original systems to the new cloud solutions. However, those legacy systems still exist and can contain sensitive data. As these systems do not necessarily receive the same security maintenance and updates, they can be highly vulnerable and present significant risks to the company.  To guard against zombie systems creating potential exposures in the IT environment, businesses' cloud migration strategy should include full maintenance and tracking of these systems until they are officially removed from the network. “Cloud usage is only projected to rise due to solutions that can support growth and increase profitability becoming more realistic and available for middle market companies. However, these cloud platforms are not without risk, so businesses must fully understand their cloud options and choose the option that best aligns with their regulatory demands and risk appetite," Shatter comments. “Organisations should evaluate their potential cloud architectures and models to develop a cloud roadmap that will let them reduce their technology vulnerabilities while creating a competitive advantage.”

Story image
Attivo Networks expands Active Directory suite for greater protection
"We see Active Directory exploitation used in the majority of ransomware, insider and advanced attacks. We are pleased to now offer our customers early and efficient solutions for preventing the misuse of Active Directory.”More
Story image
Microsoft Exchange breach a wake-up call to ditch the server
"There are owners who still have in-house exchange servers because they are suspicious of the cloud or have concerns about their data sovereignty or don't want to contemplate the capital expenditure. But the warning is clear. Get rid of them."More
Story image
Financial malware activity dropped in 2020 as creators honed their wares
Cybercriminals used the time to plan more malicious propagation techniques, both new and evolved from previous methods.More
Story image
Data transparency increasingly important, Kaspersky study states
“It is clear from the data that people have developed a sense of control and they are now demanding openness about how and where their data is being managed."More
Story image
Kroll completes Redscan acquisition, expands cyber risk portfolio
With the addition of Redscan and its extended detection and response (XDR) enabled security operations centre (SOC) platform, Kroll expands its Kroll Responder capabilities to support a wider array of cloud and on-premise telemetry sources.More
Story image
Enterprises underutilising security tools, causing teams to burn out
The report unveiled a lack of meaningful ROI metrics when reporting on security progress, as well as disparate opinions on objectives, tool effectiveness and security awareness amongst the organisation between executives and operations on security teams.More