Reassessing Data Risk in the Cloud? A Chief IT Risk Officer's Advice
The last two years of the pandemic accelerated cloud adoption for organizations of all sizes. But now that the dust has settled, enterprises have an opportunity to step back and assess their cloud transition with a fresh set of eyes. Business leaders are telling us they are looking for ways to hone their strategy so that data protection, resilience, and access are balanced against enterprise risk.
To discuss data risk assessment, ShardSecure CEO and Co-Founder Bob Lam recently sat down with Marios Damianides, Chief IT Risk Officer for Omnicom Group, a global media, marketing, and corporate communications holding company. With nearly four decades of experience leading transformation initiatives, Marios shared his personal insights on how to create a solid strategy that spans full cloud lifecycle management. Below are some of the highlights from the 30-minute session.
Benefits organizations can expect in the cloud
Lower Total Cost of Ownership (TCO) and increased agility, acceleration, and productivity are some of the benefits of moving to the cloud. These benefits will vary based on the size of your enterprise and your key strategies. For example:
- If the goal is to grow the business or create a new business, the cloud can provide economies of scale and accelerate the process.
- If the goal is to replace systems that are end-of-life, the cloud may be a more cost-effective and quicker replacement.
- If the goal is to mitigate a shortage of IT and security personnel, the cloud offers the scalability and flexibility to address internal resource management challenges.
There are also security benefits. Major cloud providers have spent billions of dollars improving the security of their infrastructure and, especially for midsize and small companies, some components may be more secure than what could be run in-house, and data may be more available and resilient.
But caveat emptor (let the buyer beware). Some companies, particularly those that are larger and in heavily regulated industries, are reluctant to move their more sensitive data because of concerns about loss of control. To understand what the customer is responsible for versus the cloud provider, companies need to dig deep into the cloud provider's shared responsibility model. Generally, cloud providers take more ownership of physical and operating system controls and put responsibility for data protection on the customer. With an understanding of where the lines are drawn, and with the additional assurances from the cloud provider outlined below, business leaders can better assess their risk and do their part to secure their data in the cloud.
Strategies to address data security, resiliency, and availability in the cloud
An organization’s cloud strategy will determine what data should be moved to the cloud. Here are a few tips as you move through the process:
- Make risk assessment part of the process of deciding whether to use a cloud provider. Lower TCO is great, but only if you take responsibility for data security and regulatory risk and can avoid major incidents.
- Know the location of your data and your backups, and plan for what might happen when data is moved somewhere temporarily — for example, while the cloud provider does resiliency testing. You could be liable from a regulatory standpoint if data is sitting where it shouldn’t be, even briefly.
- Have an incident response plan with clearly defined processes and ownership. This includes knowing who will announce an incident and notify stakeholders.
- Consider whether there is enough resiliency and regulatory compliance built into your service level agreement. If there is a power failure at a data center in Europe, what happens to your processing and availability? Will the workload fail over to another jurisdiction that it should not move to?
- Scrutinize your SLAs to make sure the risk and security reporting, the monitoring of events, and the frequency of information sharing are acceptable to you.
- Examine SOC 1 and SOC 2 reports as well as ISO certifications. Ask three major questions: Is the audit report unqualified? What is the scope of the report? Are your cloud services included in that scope? Pay close attention to the complementary user entity controls (CUEC) section, which outlines which controls the provider is responsible for, and make sure you have the capabilities in place to handle your side.
Don’t forget that frameworks like NIST SP 800-37 and ISO/IEC 27001 can be helpful resources, with guidance on how to manage transitions and data throughout its lifecycle. For instance, ISO/IEC 27001, an international standard, includes 2022 updates with more direct requirements around IT security and the use of cloud services. This framework provides a model for cloud migration, data storage and backup, exit strategies, and protection of data in transit. It also includes best practices for the delineation of day-to-day roles and responsibilities, provisioning of users, incident response, and much more.
Manage risks in the cloud with microsharding
The right microsharding solution supports secure cloud adoption with strong data security and resilience. By shredding data into tiny pieces (microshards) and distributing those microshards across multiple customer-owned storage locations, ShardSecure offers advanced data privacy and protection in hybrid- and multi-cloud environments. With virtual clusters, high availability, and self-healing data, we also ensure strong data resilience — even if your cloud provider experiences an outage or a cyberattack.