Risk and Compliance in the Cloud

This is a guide on risk and compliance in the cloud.


Cloud Computing Risks

For our first presentation of this course, we'll compare the security implementations and the associated risks of on-premises environments to those in the cloud. But before getting into any details, I would like to point out that many may wonder which option is simply better, and there really is no answer to that, because any security implementation will depend entirely on your specific circumstances. There are risks present in any environment, whether it uses an on-premises solution or the cloud. So, the goal is really to determine which approach will work better for you and/or your organization. Again, there is no definitive answer as to which approach is more secure or presents fewer risks.

It's simply which one is better for your specific needs. So, to begin, cloud security differs fundamentally from on-premises security in that the model is almost always centralized. Now, of course, there are always exceptions, for example organizations using a hybrid model, but for an organization using only cloud-based resources, everything is, from their perspective, all in one place. You sign in to your provider's portal and everything you've configured is there for you. So, in terms of implementing and managing security operations, such as protecting data and other resources, maintaining regulatory compliance, and configuring authentication, anything you implement can be applied to everything you have.

Now, this may certainly be the case for on-premises organizations that operate out of a single location, but for larger, more spread-out operations, centralization alone can represent a significant improvement in managing your operations while also lowering risk, because everything can be much more consistent: you can be certain that the same measures are being applied to all resources. Another fundamental difference is the shared responsibility model of the cloud. The provider is entirely responsible for implementing and managing the security of the underlying physical infrastructure, which is never even exposed to us as cloud customers, while we as customers are responsible for the security of the resources, applications, and services we implement on that infrastructure. Where exactly that line sits depends on the service model: with infrastructure as a service you still own the operating system and everything above it, with platform services the provider also runs the operating system and the service software, and with software as a service you own little more than your data, your users, and their access. Now, this can be a plus or a minus depending on your circumstances,

but one thing that is always true of the cloud is that, at the very least, there is less for an organization to concern themselves with when it comes to securing the overall environment, therefore lessening the burden on your IT staff. For example, consider just a single physical server hosting something like a database in an on-premises environment. Security must be implemented for the server itself, such as placing it in a controlled-access server room; security configurations must be implemented within the operating system of that server; and security must be configured for the database. In the cloud, however, you could implement just the database as a managed service, therefore removing the server component entirely. So, the only concern now is securing the database and only the database: its access controls, its encryption settings, and its network exposure.

The physical server hosting it still exists somewhere, but it is entirely up to the provider to implement its security. However, this model does of course come with several concerns, such as the requirement to place your trust in a third party and hand over a significant degree of control over your resources. For example, any data stored in the cloud is no longer under your physical control, so in some cases this factor alone can represent a barrier to using cloud services. But cloud providers need to be able to offer exceptionally high security to their customers, or they wouldn't be in business for very long. In other words, yes, you're handing over control, but you're handing it over to dedicated security teams with resources that most individual organizations cannot match.

So, of course, it's up to you, but in many cases, the level of security that can be achieved in the cloud is often beyond what on-premises environments can achieve on their own. Another consideration, however, is that many organizations are heavily regulated and restricted by laws and other rules that determine how certain operations must be performed. So, it's especially important for those organizations to determine if the cloud provider is able to meet the compliance regulations applicable to the organization. I would say that it's likely that most major providers can meet those requirements, but there may be situations where an unmet compliance issue may entirely negate the possibility of using the cloud. And in some cases, security services might be preconfigured in a manner that does not allow or support the configuration you require.

So, you simply might not be able to secure a particular resource adequately by using that service. So, by contrast, security in the on-premises environment must be implemented at every level of your solutions, including all hardware and related equipment, and of course, all software, data, and services. So, again, this comes back to the point of having less to concern yourself with when using the cloud, because the infrastructure level security concerns are effectively entirely removed. But as mentioned, that does not always represent a plus for any given organization. In an on-premises security implementation, there is no shared responsibility model.

Everything is up to you, and all control over data and other resources is retained within the organization. Now again, whether you consider that to be a plus or not is also up to you. Yes, you have more to look after now, but many people prefer to be the one in control, and using the cloud inherently requires that a certain degree of control be handed to the provider. So, in some cases, that just isn't desirable or even possible. Not only does the security of the on-premises environment include all hardware and software, it must also include all networking components and even the security of the facility itself, such as the office or the building, resulting in a multi-layered security approach that may also require a higher level of expertise within the organization. For example, a database administrator may be very adept at configuring the security measures of the database, but may not know much about configuring smart cards, security badges, or security cameras to implement physical security, such as controlling access to a server room or other secure locations.

And to extend that example, if there are very specific services that have been implemented, there may be a requirement for an equally specific tool or customized solution to ensure protection at each layer of that service. And in some cases, the location of any given service may limit the options for configuring security. For example, smaller branch locations simply might not have the infrastructure necessary nor the staff available to maintain any particular type of implementation. So, those are just some of the considerations when it comes to comparing security in the cloud to that of an on-premises environment.

And as mentioned, there is no single clear winner, so to speak. It will always come down to the specific needs of the organization. That said, as a general guideline, the primary consideration almost always comes down to the absence of any physical infrastructure in the cloud from the perspective of the customer. Whether that's a plus or a minus still depends on your circumstances, but that usually is the most fundamental difference. If your organization prefers to maintain control over all aspects of a solution from the ground up, then an on-premises implementation is likely the better option. If, however, you prefer to let all of those infrastructure concerns fall to the provider so that you can focus solely on the higher levels, then a cloud-based solution is likely the better choice. As always, when it comes to security-related decisions, due diligence is perhaps the most important aspect of any implementation.


Business Data Risks

In this video, we'll provide an overview of some of the more specific business risks associated with adopting cloud services, and thereby outsourcing your IT services to a third-party provider. In many cases this comes down to a risk analysis that compares an on-premises approach to that of the cloud to determine the potential rewards of each one. Now, that might seem like a fairly obvious statement to make, but the appeal of using the cloud can be very attractive, and perhaps surprisingly, in some cases the reward part of that analysis can overshadow the risk, resulting in implementations that are rushed into production with not nearly enough consideration for security. So, to a degree, the ease and speed with which solutions can be implemented in the cloud can be its own risk.

Another consideration is the inherent centralization of the cloud, not just with respect to any given solution implemented by any given organization, but the fact that any given provider hosts many organizations. So, if the provider themselves can be compromised, access to a vast amount of business data, including personally identifiable information, financial records, and credentials, could be obtained, resulting in a much larger gain for the attacker with far less effort. To perhaps put that into more context, imagine that I'm attempting to gain access to the online banking credentials of many different people. Even if I'm very adept at acquiring the credentials, it could take many attempts before I gain access to any considerable amount. But if I can compromise the entire banking system, then I have access to all accounts.

So clearly, the reward would be much higher. Now that said, it would also be much easier for me to obtain the credentials of a single user than it would be to compromise the entire bank, and the same would be true of the cloud: it would be much easier for me to compromise a single organization than to compromise the entire provider. But successful attacks against even one organization can lead to successive attacks that could ultimately provide access to much more information. In the worst case, a compromised virtual machine combined with a vulnerability in the hypervisor, a so-called VM escape, could provide access to the physical host server and thereby to every virtual machine on it. Such escapes are rare and providers patch them aggressively, but the tenant isolation you rely on is itself provider-managed code. So, the fact that so much information resides within the cloud, effectively in one place, makes it a very attractive target for attackers.

The centralization of cloud resources also makes them more of a target for malware that might be able to spread much more rapidly across the services of many organizations, representing the means to compromise many more systems. And insider threats can become more of a concern as well because now an organization must consider the fact that there could be bad actors within both their own organization and at the cloud provider. And while attackers may see cloud service providers as particularly lucrative targets, attacks aren't the only risks present when using the cloud. Again, that inherent centralization can also mean that if a disaster takes down the provider, it could impact many customers simultaneously.

Now, that said, I should point out that almost all major cloud providers implement significant redundancy measures to ensure that their services remain highly available, and even if services are disrupted, as a customer myself I may not be all that concerned about the fact that some other organization is also being affected. But the effect could be more pervasive than it might seem, because any given organization may have partnerships with, or rely on the services of, another organization that is also using that same provider. A wide-scale disaster, such as a hurricane, a flood, or an earthquake, could take out the services of many organizations and cause equally wide-scale disruptions for any given organization and those on which it depends. Once services are outsourced to the cloud, there are also staffing concerns that, like insider threats, span both your organization and that of the provider.

Now, this doesn't necessarily apply just to insider threats, but also to other concerns such as training and experience, familiarity with the policies and procedures that must be observed, and onboarding and offboarding policies that ensure users are given the appropriate level of access to resources when hired, that all access is removed when they leave, and that all corporately supplied devices are reclaimed. Clearly, we have control over these types of processes in our own organization, but no control over those at the provider. So, a reasonable amount of trust must be extended to the provider with respect to these concerns as soon as you decide to use their services. Now, all that said, it's not as though the risks posed by using cloud services can't be mitigated. Features such as password policies, single sign-on, and multi-factor authentication can be implemented,

along with IP allowlisting (often still called whitelisting) to control the locations from which services can be accessed, and monitoring services that can be configured to alert us in the event of suspicious or unusual activity. All of these can be implemented to prevent, or at least limit, unauthorized access to your resources, and they are all measures that we as customers certainly can control in terms of their implementation and configuration. So again, it's not as though we just have to take our chances when outsourcing to the cloud. It's simply a matter of recognizing some of the different types of threats and/or their scope when it comes to using the cloud.
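As an added example (not part of the original course material), here is how the last two of those customer-side controls, IP allowlisting and alerting on unusual sign-ins, can be checked together over a sign-in log. The code is Go, the log lines are constructed for this example in an assumed provider-neutral shape, and 203.0.113.0/24 and 192.0.2.0/24 stand in for an office and a VPN egress range; none of it is any vendor's real log schema or API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// SignIn is one sign-in audit event. The field names are an assumption for
// this example (a provider-neutral shape), not any vendor's real log schema.
type SignIn struct {
	User     string `json:"user"`
	SourceIP string `json:"source_ip"`
	MFA      bool   `json:"mfa"`
	Result   string `json:"result"` // "success" or "failure"
}

// Policy holds the customer-controlled checks the text describes.
type Policy struct {
	Allowed     []*net.IPNet // allowlisted source ranges
	RequireMFA  bool         // successful sign-ins must carry MFA
	MaxFailures int          // consecutive failures per user before alerting
}

// SampleLog is constructed input: JSON lines in the SignIn shape above.
var SampleLog = []string{
	`{"user":"alice","source_ip":"203.0.113.10","mfa":true,"result":"success"}`,
	`{"user":"bob","source_ip":"198.51.100.7","mfa":false,"result":"success"}`,
	`{"user":"carol","source_ip":"203.0.113.22","mfa":true,"result":"failure"}`,
	`{"user":"carol","source_ip":"203.0.113.22","mfa":true,"result":"failure"}`,
	`{"user":"carol","source_ip":"203.0.113.22","mfa":true,"result":"failure"}`,
	`{"user":"dave","source_ip":"192.0.2.5","mfa":true,"result":"success"}`,
}

// ParseAllowlist turns CIDR strings into networks; a malformed entry is an error
// so a typo fails loudly instead of silently narrowing the allowlist.
func ParseAllowlist(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// allowed is fail-closed: an unparseable address (nil IP) matches no range.
func (p Policy) allowed(ip net.IP) bool {
	for _, n := range p.Allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate returns one alert per policy violation, in log order. A line that
// does not parse is an error, not a skipped line, so malformed events cannot
// blind the monitor.
func Evaluate(p Policy, lines []string) ([]string, error) {
	failures := map[string]int{}
	var alerts []string
	for i, line := range lines {
		var ev SignIn
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if !p.allowed(net.ParseIP(ev.SourceIP)) {
			alerts = append(alerts, fmt.Sprintf("%s: sign-in from non-allowlisted address %s", ev.User, ev.SourceIP))
		}
		if ev.Result != "success" {
			failures[ev.User]++
			if failures[ev.User] == p.MaxFailures {
				alerts = append(alerts, fmt.Sprintf("%s: %d consecutive failed sign-ins", ev.User, p.MaxFailures))
			}
			continue
		}
		failures[ev.User] = 0 // a success ends the failure streak
		if p.RequireMFA && !ev.MFA {
			alerts = append(alerts, fmt.Sprintf("%s: successful sign-in without MFA from %s", ev.User, ev.SourceIP))
		}
	}
	return alerts, nil
}

func main() {
	allowed, err := ParseAllowlist([]string{"203.0.113.0/24", "192.0.2.0/24"})
	if err != nil {
		panic(err)
	}
	alerts, err := Evaluate(Policy{Allowed: allowed, RequireMFA: true, MaxFailures: 3}, SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println(len(alerts), "alerts:", alerts)
}
```

The point worth taking from it is that every one of these checks is in the customer's hands: the allowlist, the MFA requirement, and the failure threshold are policy you define, and the log you feed it is one the provider already produces. In practice you would push the same policy into the provider's identity service as a conditional-access or IAM rule so that the sign-in is blocked rather than merely flagged, but the logic is the same.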

Then, of course, taking the steps necessary to mitigate those risks as much as possible. In some cases, the risks will outweigh the rewards, while in others the rewards will outweigh the risks. Regardless of where and/or how your security measures are implemented, one certain consideration is that no security solution is 100% effective, so the ultimate decision should generally be based on which approach can get you as close to 100% as possible for your particular workload.


Cloud Service Vendor Risks

In this video, we'll describe some of the risks associated with using a cloud services provider for critical business services, such as handling payment data, mailing lists, health information, or anything else that either an individual or an organization would want to keep especially secure. In short, when you use cloud services for handling this type of information, you effectively place the integrity of your business into someone else's hands, so it becomes particularly important to learn as much as possible about the technology being used by that provider, about the level of accessibility to the data itself in terms of who might be able to gain physical access to the storage devices, and of course about the people themselves at the provider. Now, clearly the provider can't reveal confidential employee information, any more than we as customers would want them to reveal the confidential data we store with them.

But as customers, we can typically investigate their hiring policies with respect to considerations such as background checks, onboarding and offboarding processes, and employee training. At the simplest level, once you are reliant upon a third-party provider to conduct your business operations, you simply have to place a certain amount of trust in that provider, and again, not just with respect to the technology they use, but with the people employed by the provider and the quality of their work. Now, that might sound rather risky, but all things considered, this really isn't anything new. We trust banks and financial institutions to manage our money and keep it safe. We trust doctors and nurses with our health.

We trust mechanics with our vehicles, pilots to land our planes, lawyers to handle our estates, and many others with many other things that are important to us. And the reason that most of us are comfortable with this is that those people are experts in their associated fields. It's simply what they do best. Likewise, cloud service providers are not just technology experts; they realize that there are many aspects of doing business, security and trust foremost among them, and they have to be worthy of the trust we place in them or they simply wouldn't stay in business. There are always a few bad apples, so to speak, but word of betrayed trust gets around quickly, and no entity that continually betrays it will remain in business for very long.

So, when choosing a provider, or even just choosing to use cloud services in general, an organization must realize that their own reputation will be as dependent on the provider as it will be on their own integrity as a business. So, an important task before choosing any provider is simply due diligence. Providers should be investigated as thoroughly as possible, and those who are reputable should have no issue disclosing as much as they're able to about their own operations to allay the concerns of the customer, just as the organization itself would if they were providing trusted services to any of their customers. Now, particularly with respect to very confidential information such as payment data, there are of course significant risks to be addressed, such as the data being lost due to hardware failure, stolen either through external attacks or by internal bad actors,

or lost accidentally, for example through storage devices being wiped, corruption due to malware, incorrect management processes, human error, and many other reasons. So, the default assumption of an organization should be that any one or even all of these events will occur. The considerations should then focus on what preventative measures are in place and what corrective and/or reactive measures can be taken if they can't be entirely prevented. For example, regular backups that keep multiple copies in multiple locations can prevent data loss due to hardware failure. Theft can be thwarted by implementing encryption so that even if the data is obtained, it can't be read.

Redundant copies can also protect against complete loss due to wiped storage devices, and various forms of anti-malware applications can help to protect against corruption, as can the backups just mentioned. Now, I should point out that given the nature of the cloud, in that we as customers only use the services of the provider and the provider implements the physical infrastructure, some of these preventative measures are up to us to implement. That depends on how the services are implemented. If, for example, we create our own payment processing service that includes a database to store customer payment information, it's up to us to ensure the security of that database, but it's up to the provider to ensure the security of the physical devices that actually store the data, since we have no access to those physical devices. If, however, we outsource the entire payment service including the database, then it's up to the provider to implement and manage the security of the entire service, although choosing a provider that meets the applicable requirements and controlling who in your organization can access that service remain your responsibility.

And just as a final note with respect to highly sensitive data, as mentioned a moment ago, implementing encryption is perhaps one of the best ways to protect data against falling into the wrong hands. But encrypting data requires the use of encryption keys. Now, this can certainly be done entirely within the cloud, but if so, that places both the data and the encryption keys in the hands of the provider. I don't mean to suggest that this isn't safe or that the provider shouldn't be trusted with both, but for the most sensitive information, most cloud providers allow customers to manage their own encryption keys. That can take a few forms, and they are not equivalent. If you generate the key yourself and import it into the provider's key management service, you control its lifecycle, but the provider's service still holds the key material and performs the cryptographic operations with it. If instead the key stays in a key manager or hardware security module within your own on-premises environment and the provider only calls out to it, or if you generate your own keys on-premises, encrypt the data locally, and then store only the ciphertext in the cloud, the provider never holds a usable key at all.

In those latter cases, this prevents even the internal staff of the cloud provider from being able to gain access to the data, even if they have complete physical access to the storage devices themselves. Without the associated keys, which you retain, the data cannot be read. The trade-off is that you also take on key availability: lose the key, or take your key manager offline, and the data is just as unreadable to you. Again, when it comes to relying on cloud providers for such critical services, it simply comes down to whether you're satisfied with what the provider can offer in terms of protecting your resources and ultimately your business integrity. There really is no right or wrong approach that is applicable across the board; it's what you feel is best for your needs.
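To make the "encrypt locally, then store it in the cloud" option concrete, here is an added example of client-side envelope encryption in Go. It is illustrative code written for this guide, not any provider's SDK, and it also serves the earlier point that encryption thwarts theft of stored data. The object name and record contents are constructed. A fresh data encryption key (DEK) protects each object and is itself wrapped under a key-encryption key (KEK) that stays with the customer; the wrap uses AES-GCM for simplicity (a real deployment would use AES-KW, RFC 3394, or a KMS wrap call) and binds the object name in as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is everything the provider ends up holding: ciphertext and a
// wrapped data key, never the KEK. (Constructed layout, not a provider format.)
type StoredObject struct {
	Nonce      []byte // nonce for the payload encryption
	Ciphertext []byte // AES-256-GCM ciphertext||tag of the payload under the DEK
	WrapNonce  []byte // nonce for the key wrap
	WrappedDEK []byte // AES-256-GCM ciphertext||tag of the DEK under the KEK
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(aead.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// NewKEK generates a 256-bit key-encryption key; in a real deployment this is the key that stays in the customer's own HSM or key manager.
func NewKEK() ([]byte, error) { return randomBytes(32) }

// Encrypt is the client-side step: a fresh per-object DEK encrypts the payload, then the DEK is
// wrapped under the customer-held KEK. The object name is bound in as AAD so a ciphertext
// cannot be silently swapped between objects. Only the returned StoredObject is uploaded.
func Encrypt(kek, plaintext []byte, objectName string) (*StoredObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt is what the customer runs after downloading. Without the KEK the wrapped DEK
// cannot be opened, so the provider (or anyone holding the disks) has only ciphertext.
func Decrypt(kek []byte, obj *StoredObject, objectName string) ([]byte, error) {
	aad := []byte(objectName)
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: wrong KEK or wrong object name")
	}
	pt, err := open(dek, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("payload failed authentication")
	}
	return pt, nil
}

func main() {
	kek, _ := NewKEK()
	obj, _ := Encrypt(kek, []byte("constructed customer record 42"), "payments/rec-42")
	_, err := Decrypt(make([]byte, 32), obj, "payments/rec-42") // the provider's view: no KEK
	fmt.Println("without the customer's KEK:", err)
	pt, _ := Decrypt(kek, obj, "payments/rec-42")
	fmt.Println("with the customer's KEK:", string(pt))
}
```

What the provider ends up storing is the StoredObject: ciphertext plus a wrapped DEK, both useless without the KEK. The failure mode to design for is the mirror image: lose the KEK and Decrypt fails for you exactly as it would for the provider, so the KEK needs its own backup and rotation plan, and rotating it means re-wrapping every stored DEK rather than re-encrypting every object.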


Legal Risks

In this video, we'll take a look at several legal and compliance issues that may apply to your organization, particularly if you're involved with healthcare, banking, or governmental operations. Now, these concerns are applicable both to an organization using the cloud and to one that might only be using on-premises solutions. But when it comes to the cloud, you'll also need to ensure that your provider is capable of offering services and infrastructure that do meet these requirements, because if they don't and you build your own solutions using those services and infrastructure, then your solutions are inherently non-compliant. Now, there are many regulations that apply to a wide variety of industries, but two common examples include the Health Insurance Portability and Accountability Act (HIPAA), which requires that patient data be kept secure, and the Payment Card Industry Data Security Standard (PCI DSS),

which applies to any organization that stores, processes, or transmits payment card data and requires that cardholder data remain protected. Now, regardless of the specific regulation that might be applicable to your business, most of them are centered around the ability to protect data in terms of who is able to access that data, which methods of protection have been implemented, and where the data physically resides. Now, with respect to data access, this means ensuring that only the right people have the right access to the data. For example, in a medical facility, clearly a doctor should have access to your patient records, but a security guard should not.

Now, this may also include physical access to the storage devices themselves, but in the case of the cloud, we as customers never have access to the physical devices, so this is where the cloud provider themselves must also be compliant with any and all regulations that oversee their customers' operations. So, as a decision maker, it's particularly important to verify that your provider can offer services that are compliant with the regulations you have to observe. The protection measures typically refer to features such as encryption and regular backups with multiple copies to prevent loss, and residence refers to data residency and data sovereignty: residency rules require that the data physically reside within a given country or region, and sovereignty means that data is subject to the laws of the country where it is stored, whoever owns it. This can be especially important to verify if the provider does implement multiple backups in multiple locations, to ensure that none of those copies crosses a border in a way that would violate those laws. Most providers let you choose the region your data lives in; what you must check is whether replication, backups, and support staff access stay within it.

Compliance then has to be considered across the board, so to speak, with respect to data processing and data storage, which refers to all processes that might involve that data from the moment it is originally created through to its storage, including any retention periods, which may dictate that it must be kept for a certain amount of time and/or that it must be deleted after a certain amount of time. And these considerations can become even more convoluted if you are using a third-party application or process that is made available through the provider as a software-as-a-service solution. In other words, you're using cloud provider A for your overall cloud services, but they in turn offer the software services of a completely separate entity for some solutions.

In that event, you may also need to verify the compliance state of that separate entity as well, but no matter which approach you take to processing and storing the data, compliance must be observed at every point of the lifecycle of that data. And since multiple entities may be involved throughout that lifecycle, there is the question of liability, which deals with who is ultimately responsible if a security breach does occur. This will depend on the nature of the implementation and the nature of the breach. But when using the cloud, there is an inherent shared responsibility model whereby the provider is responsible for the security of the infrastructure and the services they offer, but it's up to us as customers to implement security for the solutions we build.

For example, if we store data in a storage container, the provider will ensure that the underlying storage is durable and replicated, and that the ability to encrypt that data is there, as is the ability to enable and configure permissions and access control. Whether a true backup exists, one you can restore from after an accidental deletion or a ransomware event, is usually up to you to configure. But if we as customers fail to implement those protective measures and leave that container entirely unprotected, and a breach does occur, that is not the fault of the provider. Conversely, if we do everything we can to protect that data, but then it's breached by an internal employee of the provider, then clearly that is their responsibility. Bear in mind, though, that the regulated entity typically remains accountable to the regulator and to its own customers even when the breach is on the provider's side, which is why the contract terms and the provider's audit reports matter. So, you have to determine for yourself whether you feel that you can trust the security measures of the provider and that they are able to maintain compliance before making the choice to use their services. Additional considerations with respect to compliance and liability include the use of auditor reports, which indicate a provider's compliance with any particular regulation.

These reports are usually readily available from the provider through their website or a trust portal, but you should always verify the date of the most recent report, which services and regions it actually covers, and that any changes or updates to the compliance requirements have been observed. In some cases, there may be a specific service being used that cannot be certified as being compliant with any given regulation. In such cases, there may be accepted substitutes, such as the documented compensating controls that PCI DSS allows, so be sure to determine whether that is the case for any solution you deploy. Compliance may also involve your ability to respond to any incident that might occur, so be sure to consider features such as alerts and notifications, and how quickly they can be generated and received.

And e-discovery is a process that may be required if you do end up in any kind of litigation; it refers to your ability to identify, preserve, and produce any electronically stored information, including logs and events, that may pertain to a given matter. For example, you may be required to show all access attempts to a file or all email communication regarding a particular subject, which in practice means your audit logs must be enabled, retained for long enough, and protected from tampering before you ever need them. Lastly, compliance may also define what kind of disaster recovery requirements are necessary and the frequency with which due diligence has to be applied in terms of examining existing requirements and ensuring that any changes haven't resulted in a breach of compliance. And you may also want to consider the information resources made available by the provider to help you remain in compliance.

Most major providers offer significant documentation, including guidelines and best practices to help you meet your compliance needs, and you should also verify the ability to generate compliance reports so that you can present that information to your customers or to your stakeholders. When it comes to compliance, perhaps your best tools are in fact due diligence and continual vigilance. Things can change frequently in the cloud, and it can be very easy to implement a change that inadvertently results in falling out of compliance. So, for any organization with compliance concerns, compliance officers should be appointed to ensure that your requirements are met and maintained on an ongoing basis.


Lack of Control Risks

In this presentation, we'll provide an overview of some of the common risks and concerns related to the lack of control that is often inherently present when using the cloud. Now, many people may already be aware of the fact that when using the cloud, it's up to the provider to implement and maintain all physical equipment. So clearly, we as customers have no control over what the provider does in that regard. And while that can often present challenges, it's not the only risk associated with the lack of control in the cloud. For example, simply storing data in the cloud inherently means that you have given up a certain degree of control over that data. It is of course your data, and it's up to you to upload it in the first place, move it, copy it, archive it, delete it, or anything else.

But of course, the internal employees of the provider are the ones with actual physical access to the storage devices on which that data resides, and within whatever region you select, they ultimately determine exactly where it is physically stored. So, it's important to determine whether you feel that this type of loss of control is acceptable. You also need to consider what might happen if the price of your services fluctuates, and of course how severely, and what would happen to your data if you were to fall behind on your payments. A provider may suspend access to your subscription and all associated resources until payment is made, therefore rendering your data inaccessible, and what happens after that, including whether and when the data is deleted, is defined by the provider's terms, which are worth reading before it matters. Related to concerns about price is another situation that may arise, known as vendor lock-in. Now, to clarify, this does not refer to signing any kind of contract to use a particular service.

Most pay-as-you-go services can be stopped at any time, subject to whatever reservation or contract terms you agreed to. Rather, it refers to the discovery that a better option might exist, but that the cost of moving away from what you have already implemented is so high that it simply doesn't make sense to make the switch, even if the newly discovered option is significantly better. In other words, you're left using an inferior product or service, which could result in a lower degree of productivity or possibly falling behind your competitors. Now, there are ways to avoid a vendor lock-in situation, including the use of more than one cloud provider, because with a single provider, all services are contained within that provider and your choices are effectively limited to what that provider offers for every service, such as storage, applications such as customer management platforms, and services such as email.

But by using multiple cloud providers, you can pick and choose among them based on several factors such as the price, the level of service, or the level of performance and reliability. And if one provider starts to fall behind any other, a change can more easily be made. Now, that said, it's also worth mentioning that using multiple providers will also result in a more complicated management process. Having everything centralized within a single provider and only having to manage one subscription is certainly less complicated than managing many separate subscriptions, but again, it does provide more flexibility. Other measures to avoid vendor lock-in include ensuring that you have multiple copies of data,

at least one of which is not stored with the cloud provider being used, and ensuring that it can be easily moved from one provider to another by using formats that are portable and not proprietary to one provider or another. And as just mentioned, the use of multiple cloud providers can reduce the chance of getting locked in, as can the use of hybrid cloud configurations, whereby services are implemented in both your on-premises environment and the cloud. And simply scrutinizing your choices a little more closely before making the decision can help to avoid a lock-in situation in the first place. Other considerations with respect to control, or the loss thereof, are centered around functionality, with respect to an organization's need or perceived need for specialized or custom-designed solutions.

And I say perceived need here because organizations who are new to the cloud, or perhaps only still in the consideration stages, may be operating under the impression that their existing on-premises solutions may not be able to be recreated or reconstructed in the cloud. But given the wide array of services and solutions that are already available in the cloud, customization is often no longer required by many organizations. In other words, giving up control over design and architecture to focus solely on the results may be beneficial in many cases. Similarly, many organizations still using on-premises solutions may cling to the need to maintain control over physical assets, which of course, is lost when using the cloud.

Physical assets belong to the provider, but in the cloud, your assets are the solutions you implement, not the hardware on which they're implemented. So again, a fundamental shift in thinking has to occur where asset control is concerned, but this can also lead to concerns regarding control over ownership, again due to the fact that the solutions you implement are yours, but they reside on physical hardware that isn't yours. So, the boundary for ownership and responsibility can sometimes be problematic in the cloud. Lastly, there may also be risks and concerns with respect to the level of control, including operational control, financial control, solution control, and governance. Operational refers to considerations such as automation and availability. While cloud services tend to be highly automated and highly available, control measures still need to be put into place to deal with inevitable outages and disruptions to services, by both the provider and the customer.

But we as customers have no real control over the measures implemented by the provider, and the providers have no real control over the measures taken by their customers. It is quite simply up to each one to implement the measures that are necessary, but there can sometimes still be issues with determining which entity is ultimately responsible for which aspects of a solution. Financial control issues are typically centered around an inability to verify overall consumption of resources. This is not necessarily a matter of the provider's ability, or lack of ability, to present us with consumption details on their reports and invoices; rather, an organization can often have difficulty pinpointing where and/or why those resources and services were implemented and consumed.

The ease with which new services and resources can be created in the cloud can often result in many test systems or trial services that end up remaining functional, resulting in consumption charges that can't be accounted for in terms of useful or production-level services. Similarly, solution control refers to situations whereby users are able to subscribe to services without the knowledge of IT departments or any other controlling entity. This is sometimes referred to as shadow IT, so control measures need to be put into place to avoid this possibility. And finally, governance refers to ensuring that the provider meets and complies with basic standards of capability, reliability, and trustworthiness.

This is particularly important if your organization is highly regulated by compliance standards that must be observed: if the provider fails to meet those standards, then transitively your organization cannot meet them either. Maintaining control is, of course, a significant concern for many organizations, and rightly so. But using the cloud shouldn't necessarily be regarded as a complete loss of control, rather as a shift. The provider may now be the entity that is in control of some aspects of your business operations, but they're very capable at what they do, and once services start to mature, many organizations find that by being able to offload a certain level of control, the resulting lowered level of responsibility on the organization can result in many benefits, including better productivity, better efficiency, better security and reliability, and an overall improvement to their operations.


Availability Risks

In this video, we'll examine some risks and concerns associated with availability and uptime, when it comes to using the cloud. Beginning with the fact that while cloud service providers generally offer exceptionally high levels of availability, virtually no service of any description can guarantee 100% uptime. But the goal is of course, to get as close to 100% as possible. But when considering overall availability, it can sometimes be overlooked that for any service to be available in the cloud, it requires that the Cloud Service Provider be available as well as the Internet Service Provider. Clearly, if your own Internet service is out, so is your ability to access your cloud subscription.

So, depending on how critical it is to be able to access your services, you may need to consider additional measures to increase availability. Now, with respect to uptime, most providers will offer a guaranteed amount of uptime, and clearly the more, the better. But that could also cost more. So, the question can then become how much is enough or at least how much is necessary? Now, that said, if you're currently comparing providers, I'd say that it's likely that you're going to find fairly similar values, and prices will usually vary based on the type of service, not so much the level of availability. And with respect to the uptime values themselves, most major providers offer surprisingly high levels of availability, in some cases, as high as 99.99% of the time.

Now that might vary a little bit depending on which specific service you're considering, but to put that into context, that's only about 53 minutes of downtime per year. But recall that accessing your services is also dependent on your Internet connection, and your ISP may not offer the same level of availability. Now that's not to suggest that they can't match that level, but of course, both have to be taken into account. So, let's say for example, that both the Cloud Service Provider and the Internet Service Provider offer 99.9% availability. Both sound like very reasonable levels, but 99.9% translates into 8 hours and 45 minutes of downtime per year, and that's for each provider. Of course, the chances that both of their services would experience an outage at exactly the same time are almost non-existent.

So together, that translates into 17 hours and 30 minutes of possible downtime, or twice the possible downtime of either provider alone. If that value were only 99% for each, which again sounds relatively high, then you could be facing as much as a week of downtime per year. Now that's just an example to illustrate the point, but always remember that both providers must be up for services to be accessible. So, for any mission-critical services that can't really endure extended outages, additional means of increasing their availability may need to be considered, such as increasing the redundancy levels within the cloud provider and implementing a secondary connection with a separate Internet provider. And on the topic of Internet connections, uptime is not the only consideration; some cloud solutions may require significantly higher bandwidth than what you might currently have in place. So it might also be worth considering dedicated connections to your cloud provider, which may be available through your current ISP. Or you might also be able to use a separate telecommunications provider, which might also serve as a redundant connection in the event that your ISP goes down. Dedicated connections, as the name indicates, are not accessible by anyone else on the public Internet, so much higher bandwidth can be achieved, thereby increasing performance while also likely increasing reliability. Power outages can, of course, take services offline for anyone and for a multitude of reasons, including severe storms such as hurricanes, fire, earthquakes, or heavy snow.
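The arithmetic behind the downtime figures above, as a Python example added here (it is not part of the course material): a service is reachable only when every dependency in the chain is up, so ISP and cloud-provider availabilities multiply, while a redundant second ISP is up whenever at least one link is, so their unavailabilities multiply. It assumes a 365-day year and independent outages, and also works the case the text only mentions, a secondary connection through a separate ISP.

```python
"""Annual downtime implied by availability figures (added example, not course code).

Assumptions, constructed for this example: a 365-day year, and outages of
different providers being independent events.
"""

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes; assumes a non-leap year


def _check(a):
    if not 0.0 <= a <= 1.0:
        raise ValueError(f"availability out of range: {a}")


def serial_availability(availabilities):
    """Chain where EVERY component must be up (your ISP AND the cloud provider):
    the availabilities multiply, so the combined figure is always lower."""
    result = 1.0
    for a in availabilities:
        _check(a)
        result *= a
    return result


def parallel_availability(availabilities):
    """Redundant alternatives where ANY one being up suffices (primary ISP OR a
    secondary ISP): the unavailabilities multiply, so the combined figure rises."""
    unavailable = 1.0
    for a in availabilities:
        _check(a)
        unavailable *= 1.0 - a
    return 1.0 - unavailable


def annual_downtime_minutes(availability):
    """Expected minutes per year during which the service is unreachable."""
    _check(availability)
    return (1.0 - availability) * MINUTES_PER_YEAR


def format_downtime(minutes):
    """Render minutes as 'Xd Yh Zm', truncated to whole minutes."""
    whole = int(minutes)
    days, rem = divmod(whole, 24 * 60)
    hours, mins = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days}d")
    if days or hours:
        parts.append(f"{hours}h")
    parts.append(f"{mins}m")
    return " ".join(parts)


def scenario(csp, isps):
    """End-to-end availability of one cloud provider reached over one or more ISPs.
    The ISPs are redundant with each other (parallel); the ISP path and the
    provider form a chain (serial).  Returns (availability, downtime minutes/yr)."""
    total = serial_availability([csp, parallel_availability(isps)])
    return total, annual_downtime_minutes(total)


if __name__ == "__main__":
    # The figures walked through in the text, plus the effect of a second ISP.
    for label, csp, isps in [
        ("CSP 99.99%, ISP always up",  0.9999, [1.0]),
        ("CSP 99.9% + one ISP 99.9%",  0.999,  [0.999]),
        ("CSP 99% + one ISP 99%",      0.99,   [0.99]),
        ("CSP 99.9% + two ISPs 99.9%", 0.999,  [0.999, 0.999]),
    ]:
        avail, down = scenario(csp, isps)
        print(f"{label:30s} {avail:.6%} -> {format_downtime(down)} per year")
```

With two independent 99.9% ISPs the end-to-end figure comes back to roughly the cloud provider's own 8h 46m, which is the quantitative case for the secondary connection the text recommends.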

Now, while we don't get to choose where any given provider sets up a data center, most major providers do have many service regions from which we can choose in terms of locating the services we want to implement. Now, of course, there are no guarantees when it comes to these types of events. And the location of your own operations or those of your customers should also be taken into consideration, in that typically services should be located as close as possible to those who consume them. But just as a few examples, a data center located on the Southeast coast of the United States is more likely to experience a hurricane than one in California, but the one in California is more likely to be impacted by forest fires or earthquakes.

Now, I should also mention that cloud providers themselves are certainly very aware of these concerns, and to address them they offer availability zones, whereby services that might be lost in one data center can be assumed by another data center within the same general region, such as the Eastern United States. But they're usually geographically separated enough so that they aren't both affected by the same event. Most major providers also have their own power generating capabilities, so that they aren't solely reliant on the regular power grid, but power outages should still be considered when comparing or choosing providers. Lastly, if you've ever been taken off of a flight or if you weren't able to get a hotel room because it was overbooked, then you're already familiar with the frustrations of oversubscribing. In terms of the cloud, this takes the form of more virtual services being placed on the hardware that hosts them than it could serve all at once, on the assumption that not all services will be running at full capacity at all times, which may well be true most of the time. Just like airlines and hotels oversell their availability on the assumption that not everyone will show up. But if or when it does happen, the systems may not be able to handle the workload, which can in turn result in more downtime. So, decision makers should verify with the provider whether oversubscribing is something they practice, and if so, it can be avoided by choosing a Private Cloud model instead of a public one, because you can entirely control how resources are managed in a private cloud and no one in the general public has access to your cloud. But private clouds are substantially more expensive, especially for organizations who currently have little or no infrastructure, and they can be much more demanding to implement and manage.

Many providers do, however, offer a middle ground, so to speak, whereby you can request dedicated physical resources for your services. This is generally referred to as a virtual private cloud, and while it will cost more than standard public cloud services, you can be selective as to which services are placed on those dedicated resources, and it would still be far less expensive and demanding than implementing a fully private cloud. Ultimately, all of these considerations should be taken into account when it comes to availability, but if the right choices are made, you can at least be confident that you are as close as you can possibly be to 100% uptime.


Lack of Training Risks

In this presentation, we'll discuss how a lack of training and/or an inexperienced staff can pose a security risk. And this is especially important when considering a move to the cloud, as security should be one of the first considerations before a move is undertaken. The number of organizations moving to the cloud is most certainly on the rise, and with it, so are data breaches, because quite simply, the cloud is a different type of environment that is largely self-service. So, implementing and maintaining security is the responsibility of the entire staff, not just the technical personnel who might initially configure everything, but also the users who access resources and services on a daily basis. They must be made aware of the proper methods and the required behaviors to ensure security is observed on an ongoing basis.

So, of course, this can be accomplished by ensuring that all personnel are educated about the cloud and security in particular, which can take many forms, including specific courses, webinars, and videos such as these. But like most things, initial education is only a part of the process. On-the-job training and actual hands-on implementations also need to occur so that technical personnel and standard users alike become familiar with the new processes, services, and applications. And of course, this simply takes time, so be sure to factor a proper learning curve into your cloud migration strategy for all users. Now, for those who are among the technical personnel, more advanced training might be necessary in the form of certifications, which will also vary in their type and degree.

But if you're looking to find a good entry-level certification that might serve as the groundwork for all your technical staff, provider-neutral certifications are available through the Computing Technology Industry Association, or CompTIA, such as Cloud Essentials+ and Cloud+. These types of certifications are generally focused on the nature of all cloud services and would be applicable to almost any provider. But there are also certifications available through specific vendors such as Microsoft and Amazon Web Services, which you might want to consider once you have selected a provider and if you require more targeted learning. For non-technical staff, internal training should be made available with respect to cloud security best practices and the cloud security management processes that have been or will be implemented.

For example, users may have additional authentication mechanisms in place on their mobile devices that weren't previously required, at least when they attempt to access cloud-based resources. In addition, their devices may now be managed through a cloud-based management service to ensure the proper configuration with respect to security settings. For instance, administrators may now be able to lock and wipe their devices if they're lost or stolen, so users should be made aware of all of these changes and they should understand why they've been implemented. Documentation should also be made available through a company intranet site or a knowledge base so that everyone has easy access to the structure of the existing implementation, as well as announcements for new features and services that are going to be implemented.

It's not always enough for the technical staff to implement security settings. The day-to-day users should understand why those settings have been implemented to ensure they observe the proper processes. Now, most security settings can be enforced, but some do rely on the users to simply act in accordance with policies. So, the more they understand about the security model, the more likely they'll be to comply. As for the technical personnel, they'll need to be able to adjust their existing roles and responsibilities to fit those same or similar roles in the cloud. For example, database administrators might have to adjust to using different tools or services to back up and protect data if the cloud platform is different from what was being used in-house.

And software developers may need to adjust to a security-first model of development as opposed to a functionality-first model. Now, if your technical staff is already very proficient in the on-premises environment, they can certainly rely on much of their existing skill set in terms of applying those skills to the cloud. It's not as though the cloud is a completely different world, but the inherent lack of infrastructure alone represents a significant shift as to how security is implemented and managed. So, many of the tools with which your current staff may be familiar to manage and monitor infrastructure simply aren't applicable in the cloud, and it will take some time for the personnel to settle into their new roles, so to speak. And given that lack of infrastructure, data often becomes the focus because, of course, that's the information that actually has any inherent value.

A service, of course, is valuable to an organization, but it's not as though an attacker can breach your environment and just walk off with a service. Even if they can, that's not what they're after, it's the data on which that service operates. They might corrupt the service but it would be for the purposes of gaining access to the data. So, all data stored in the cloud must be kept secure, it must remain accurate, and it must also be made accessible to those who need it. But again, because there is no infrastructure to manage, the focus shifts to securing the processes and services themselves, as well as user, device, and application authentication and other means of access control.

But almost all security measures in the cloud are logical as opposed to physical, so there is simply a different approach to which security administrators must adjust. So again, without the proper understanding of this new approach, new and unforeseen risks could appear. So, when a move to the cloud ultimately does occur, part of the process must also involve ensuring that the proper tools have been made available to those who actually will perform the move and that they've been properly trained on their use, along with a clearly defined process for how the move should take place. Simply trying to move everything all at once will undoubtedly result in significant issues, so planning the process also needs to be a part of your security strategy to ensure that nothing is missed. In short, the more you prepare and the more education and training is part of that preparation, the more easily your migration will progress and the more secure your implementation will be after the fact.


Risk of Overspending

A prevailing mindset when it comes to using the cloud is that it can help to lower costs. Now, while this is often the case, it doesn't mean that an organization still might not spend more than it intended on its cloud solution. So, in this video, we'll take a look at several factors that can result in overspending on a cloud migration or implementation. Beginning with a simple lack of insight into the ways by which costs can be optimized in the cloud, which is often due to a lack of proper management tools, or at least a lack of an understanding as to how they can be used. A lack of understanding with respect to security and compliance, and which measures should be implemented to address which concerns, and inflexible pricing plans or vendor lock-in scenarios that simply don't meet the needs of the organization.

Now, those are only a few examples of course, and the specific reasons as to why overspending might be occurring in any given organization will undoubtedly vary, but one of the primary reasons for most organizations to move to the cloud in the first place is to help keep costs under control. Some studies have revealed that for most organizations who are overspending, the three most common areas of concern are implementing and maintaining data security; ensuring that the cloud infrastructure is future-proofed, in terms of being able to scale solutions to meet growing demands; and managing data for purposes such as analytics and decision-making. But while an inherent lack of understanding of certain services and implementations can certainly contribute to overspending, an attribute that can apply to all aspects of the cloud, regardless of the service type, is what's referred to as cloud wastage.

This quite simply means that resources are being overprovisioned. Common examples include more processing and memory than what might be required on resources such as virtual machines, but almost any resource in the cloud can be overprovisioned. Now, this issue is at least something that can be addressed with more effective monitoring, with services that can scale back on resources automatically, and with features such as spot instances for workloads that only need to be active for short periods of time. But overprovisioning has been a practice in many organizations, regardless of whether their solutions are implemented in-house or in the cloud, because most will approach the solution from the perspective of too much is better than not enough. Which again is likely true, but of course, too much in terms of resources also costs too much.

But it's not just physical resources or service configuration that can result in overspending. Problems can also arise due to a simple underestimation of cloud operations overall, with respect to the costs, time, and resources required to manage the cloud on a day-to-day basis. For example, while the pricing model of almost all cloud services is based on a pay-as-you-go model, the assumption that this will immediately reduce costs is often incorrect. Some services can be very costly depending on what they are and how much they're used. This can lead to a variety of trade-offs, whereby certain services in the cloud are sacrificed in favor of either a cheaper solution or a service that remains in-house, but the decisions involved with all of that can also be time-consuming, particularly if changes have to be made after the fact.

And of course, in the world of business, time is money. So, the more time spent on trying to figure everything out, the more it will cost. Organizations also often look to the cloud because they believe that it will be able to much more effectively drive innovation and speed up the delivery of new products and services, which again may well be true in many cases. But it can also backfire at times, because there are so many new services and features that appear almost daily that organizations can become paralyzed with indecision, or they can end up constantly changing direction as new and better solutions appear. Cost control issues can also arise due to organizations not having a good handle on who is actually handling the budgets and for what reasons. In other words, it's likely that the cloud is being handled by technical staff and that the budgets are being handled by the financial and/or executive staff.

Now, of course, this is nothing new, nor is this a scenario unique to the cloud, but the costs can often be confusing for the financial teams due to the variable pricing and payment options in conjunction with the pay-as-you-go model. For example, in an on-premises environment, if a piece of equipment is purchased, that's an immediate asset, and financial personnel know how to work with that. But in the cloud, everything is a service. Now, while a service can also be an asset to the organization and financial staff are fully capable of dealing with services, there may be resources appearing and disappearing in the cloud that don't seem to apply to any particular service or the services themselves might constantly be changing. So, all of this can go back to the point of underestimating the management requirements, not just from a technical perspective, but a financial one as well.

And the more time spent managing anything, the more that management process will cost. So then, in terms of helping to reduce the chances of overspending, organizations should strive to implement policies that need to be observed before any new resources or services are configured. Training programs should be implemented to help all personnel better understand cloud technologies and their associated costs. And vendor contracts should be monitored as closely as possible. Any idle resources should always be decommissioned, and for whichever resources are provisioned, steps should be taken to avoid overprovisioning them. Again, the cloud is not unique in terms of its ability to cause overspending. It can certainly happen in an on-premises environment as well, but due to the ease with which new services and solutions can be implemented in the cloud, a little more vigilance is often required to keep expenses under control.


Lack of Due Diligence

In this video, we'll examine how a lack of due diligence when considering a move to the cloud, could result in security or privacy risks, and that lack of due diligence is not as surprising as one might expect, which may in part be due to the fact that cloud services do offer many benefits, and because of the lack of physical infrastructure, many people might perceive a move to the cloud as being an easier process than it often turns out to be. In short, people simply underestimate the work that is often required to successfully transition to the cloud. So, due diligence will help to understand the scope of work that is required and help to ensure that all factors are being considered, so that elements such as security and privacy are not overlooked. So, due to the lack of infrastructure just mentioned, a significant part of an organization's due diligence should include a determination of the division of responsibility.

The basic model of the cloud is that the provider is certainly responsible for managing and maintaining all physical infrastructure. But of course, the organization builds its solutions on that infrastructure, which can in some cases create a bit of a gray area, so to speak, in terms of who is responsible for what, particularly in the event of a security breach. For example, if an organization stores data in a cloud storage account, it's up to the organization to set the appropriate security settings on that account, but it's up to the provider to ensure the security of the physical disk that actually stores the data. But where would the responsibility lie if an attacker gained access through an unprotected storage account but subsequently obtained data from an improperly protected physical disk?

Both would seem to be at fault in this case, but determining the ultimate division of responsibility could be challenging. Due diligence can also help an organization to better understand the actual requirements of their solutions, which can help to avoid wasting resources and keep budgets more on track by not overspending on resources. New services in the cloud can be created very easily, and additional resources can be allocated to any existing service or solution just as easily, and resource availability is effectively unlimited for any given organization. So, it can be challenging at times to keep things in check, for lack of a better description, but again, by applying the proper diligence, not only during the planning stages but to the implementation and post-production stages as well, it can be easier to stick to the budgeted amounts.

Other benefits include the ability to identify key information, such as who will oversee actions like security implementation, monitoring, and responding to incidents; to establish and ensure observance of regulations and compliance requirements; to perform risk assessments and identify vulnerabilities or other areas of concern; to determine the identities of all participants, meaning which specific users will be making use of cloud services, since in many cases a move to the cloud does not affect everyone in the organization; and to promote adoption and acceptance among those who will be affected the most. Now, as far as what due diligence actually involves for any given organization, it will most certainly depend on the specific needs of the organization, but in most cases, the services and resources available with most providers will likely provide the services necessary. But due diligence should involve setting up a trial subscription to evaluate different providers, to ensure that their services are scalable and flexible enough to meet the current and anticipated needs, along with the ability to monitor and audit the use of those services so that everything can be accounted for. Afterward, findings should be reviewed with stakeholders, which can refer to anyone with anything at stake with respect to the move, including standard users, and also reviewed with decision-makers, who aren't necessarily the same people as the stakeholders. But in short, all parties concerned should know as much as possible about the provider and the services being considered before any decisions are made. Conversely, a lack of due diligence can result in the presence of an untold number of unknowns, which can immediately translate into increased risk and greater vulnerabilities, which themselves can represent a bigger threat than even new viruses or other forms of malware, because you are likely leaving yourself exposed to begin with. So, attacks might not even have to rely on sophisticated malware. It would be like leaving your door unlocked all the time in a dangerous neighborhood; an intruder need only walk in the unlocked door. So, some common factors to be mindful of with respect to a lack of due diligence include inadequate levels of attention when implementing solutions; poor communication among those involved; a lack of resources, not usually on the part of the provider but within the organization, such as time, money, and personnel; a lack of knowledge as to the technology itself; and/or a lack of experience and expertise with particular products or services.

All of which can lead to a situation whereby organizations are fumbling to create solutions with no real direction or goals which will undoubtedly lead to a poor experience with the cloud overall. Like any project or undertaking, planning and due diligence should be considered every bit as important as implementation. Otherwise, you can end up trying to build without any solid foundation, which of course, is not the way to create the stable and reliable solutions that will actually address the needs of your organization.


Risk Management Framework

In this presentation, we'll provide an overview of how a Risk Management Framework can help to manage and mitigate risk in the cloud. Now, to begin, when the word risk is used in any context, in many cases security risks tend to come to mind, such as attackers, malware, and other types of malicious activities. But risks are present in many areas of operation, including budgetary, legal and liability, safety, policies and procedures, and many others. And these risks can sometimes be magnified when it comes to using the cloud, because in terms of security, the cloud itself, for lack of a better word, provides a much larger target for attackers. For example, if an attacker can compromise the provider themselves, they may be able to gain access to information and resources from all of its customers.

In terms of budget, the cloud does not necessarily mean a lower cost of operating. And because resources and services can appear and disappear so quickly in the cloud, budgeting can sometimes become more difficult to manage. Legal and operational safety concerns can become more convoluted, because it's not just the operations of your own organization that need to be taken into account anymore; you're using the services of a third party to host your operations. And policies and procedures may be especially difficult to maintain, particularly if you're still working out of an on-premises environment in addition to the cloud. On-premises policies and procedures may be entirely different from those in the cloud.

Now, risks are of course, present within any organization, regardless of how they operate. So, risk management is the process of dealing with risk, which typically begins with assessing the likelihood of any given risk actually happening and determining the magnitude or severity of the outcome if it does. Clearly, some things are more likely to happen than others, and some things that do happen have consequences that are more severe than others. For example, if you have a very high storage requirement, then it's likely that you have many hard drives, so it's fairly likely then that one of them will fail. But while that's likely, a simple backup can restore the data, so the consequences aren't particularly severe. Conversely, an attack from an outside intruder might be less likely to happen, but if it succeeds, the consequences could be disastrous.

So, risk management essentially comes down to prioritization. Risk management might also involve determining the level of risk, not in terms of severity, but rather the level of your operations at which the risk is addressed: the entire organization, the business process level, or the information systems level. Now, this doesn't necessarily mean that any given risk is always going to be contained within its associated level. There can certainly be cases where one overlaps with one or all of the other levels. For example, a failure of a critical information system could work its way up to affecting the entire organization, but identifying the level refers more to where the risk originates and/or where it will be initially addressed. So then, a risk management framework is simply a set of processes, policies, guidelines, and best practices to help you organize your risk management activities. It provides a blueprint, or at least a checklist, to help ensure that risks can be minimized in terms of their likelihood and mitigated in terms of their severity.

Now, there are a number of published or well-known Risk Management Frameworks available for various circumstances, but for cloud-based operations, most will contain six key elements, beginning with categorization. This typically applies to the information systems in use: an impact analysis of what would happen in the event that any given system were to fail, and a categorization of the information system in terms of how it would be affected, such as its overall functionality, its performance, or its security. Based on the impact analysis and categorization of the risk, an initial set of controls, often referred to as baseline controls, should be identified to address the risk. But it should also be assumed that any given baseline control will not entirely cover the risk, so supplemental controls should also be identified to improve risk mitigation.

And even after both baseline and supplemental controls have been identified, a strategy for monitoring them should be developed to determine their effectiveness. Just as a simple example, earlier I mentioned the possibility of a failed hard drive, so for that potential risk, backups can be configured as a baseline control. Multiple and isolated copies could be maintained as a supplemental control, and reviewing logs of the backup and any associated restore operations would represent monitoring those controls. With the appropriate controls identified, they can then be implemented, which should be accompanied by documentation that describes how they were deployed with respect to the overall environment and/or the specific information systems for which they were deployed.

After implementation, all controls should be evaluated to ensure they were implemented correctly, and they should be monitored regularly to ensure they are producing the expected results. And of course, if they aren't, then new controls should be considered. With the evaluation complete, if the risk level has been deemed acceptable, then the systems and the controls that have been put into place can be authorized for use. But be sure to consider the level of risk from all perspectives, including the risk posed to individuals, the operations of the organization, assets, and even other organizations such as your customers or partners.

Finally, ongoing monitoring of the entire framework should be conducted, including the monitoring process itself to determine the overall effectiveness of the framework, not just any given control. By doing so, any necessary changes can be identified and implemented as quickly as possible. But then the impact of those changes also needs to be assessed, and any and all changes should always be documented and reported so that there is a complete history of revisions, which can facilitate a better understanding of how risk management has evolved in accordance with any changes to your business operations. Like most things, the more planning, preparation, and foresight that goes into creating a Risk Management Framework, the more effective it will be at mitigating whatever risks are present within your environment.


Compliance in the Cloud Era

In this video, we'll provide an overview of compliance in the cloud era and compare some compliance considerations with those of earlier times before the cloud really became an option. Now, compliance itself exists primarily because the very nature of doing business, at least for businesses who want to consider themselves to be responsible and ethical, requires that operations be conducted in a particular manner. In other words, there are guidelines, local laws, national laws, and even international laws that must be observed in order for an organization to actually be responsible and ethical in its operations. Now that's all well and good, but for an organization operating out of the cloud, it's not just the organization that is involved with conducting those operations.

The cloud services provider must be included in all compliance considerations as well. Now that said, such a statement should not be taken to mean that the cloud services provider is responsible for the way any given organization conducts business in terms of compliance. But they do need to provide us with the means to remain in compliance if we're going to use them as a provider. Just as a simple example, for an organization that stores data about a separate entity, such as a customer, in many cases measures must be taken to ensure the security and privacy of that information, such as by encrypting it. So, it's up to us as the organization that hosts that data to implement the encryption, but it's up to the provider to ensure that data encryption services are available for us to use.

If the provider cannot accommodate those needs, then the organization cannot remain compliant. Now, to ensure that compliance is maintained within the organization, there typically needs to be some kind of governing body that oversees the operations of the organization. Now that in itself is not particularly new, nor is the requirement to remain compliant with laws and other regulations. But with the advent of cloud services, many organizations also need to adopt the practice of governance specifically in the cloud, which involves, among other things, enhancing the security of data stored in the cloud, managing cloud-specific risks, and generally ensuring that compliance is maintained through monitoring and auditing cloud activities.

Again, these tasks also needed to be performed within an on-premises environment, but the approach can often require additional attention in the cloud because it's not just your own organization that needs to be considered. The cloud provider itself also needs to be considered with respect to the services it provides and whether it can help to ensure that organizations do remain compliant. With respect to some of the laws that oversee many organizations, of course, this goes beyond the organization simply wanting to be responsible and ethical. When it comes to laws, an organization is either operating legally or illegally, and cloud computing is certainly not governed by any single law.

There are many laws that have been defined, not just with respect to cloud computing (I'll come back to that in just a moment), including the General Data Protection Regulation, which was originally defined and implemented by the European Union but is now widely observed around the world, the Health Insurance Portability and Accountability Act in the United States, and the Payment Card Industry Data Security Standard. Again, these are only some examples, so for any organization operating out of the cloud, decision-makers should consult with legal experts to ensure that they are aware of exactly which laws govern their operations, and with technical experts to verify that the appropriate features and services are available from the provider to remain compliant with those laws. Since many of those and other laws require specific methods of implementing and managing security, many organizations also adhere to defined standards such as the National Institute of Standards and Technology, or NIST, Special Publication 800-53, which provides a catalog of security and privacy controls for all federal information systems in the United States used for general business operations.

And the International Organization for Standardization, or ISO, specification 27001, which is an internationally observed standard on how to protect and manage information security. Now, both of these standards were defined prior to the advent of cloud computing, and many organizations still use them as the basis for maintaining compliance within their on-premises environments. But both standards have been revised to specifically include provisions for maintaining security and compliance in the cloud. In fact, ISO 27001 was redefined and published separately as specification 27017, focusing solely on the protection of information in the cloud.

So, if these standards were previously observed in your organization for on-premises operations, they should be revisited to ensure ongoing compliance in the cloud. So then, particularly with respect to cloud-based operations, maintaining security and compliance is no longer solely controlled internally. Since the cloud services provider maintains the physical infrastructure and provides the means for us to implement the measures necessary to remain compliant, it's not uncommon for contracts to be put into place, which in the cloud commonly take the form of a Service Level Agreement, or SLA. Now, SLAs often define parameters such as the level of performance that can be expected from the provider and, likely, the amount of uptime.

But for organizations who need to remain compliant, there will most likely be aspects of the SLA specifically dedicated to how security and compliance can be implemented and maintained. But recall that services in the cloud can be very dynamic, so it's not uncommon for things to change. And of course, as just mentioned, the standards and regulations themselves are also updated frequently, so it's important for organizations to regularly review any SLAs or any other type of contract to ensure that any changes don't impact the compliance measures that are already in place. Toward that end, compliance itself is not something that is simply implemented once and can then be forgotten. Quite simply, things change, sometimes frequently, so the ability to perform audits and to generate audit reports should be considered when selecting a cloud services provider.

Many providers do offer the ability to audit cloud activities, but you may need to verify that the auditing capabilities are able to satisfy the requirements of any given law or regulation. In other words, it's not uncommon for a law to include, in its own specification, the requirement to be able to audit the implementation of compliance. In short, in order to be compliant, you may have to periodically prove that you are compliant. Now, to finish up, I'd like to reiterate that compliance itself is nothing new. Organizations have had to be in compliance with many regulations for a very long time, but when it comes to compliance in the cloud, you must always consider both your own operations and the resources and services available through your cloud provider.

So, if the cloud provider is not able to provide a service that meets the requirements of any given law or regulation, then the moment you start to use that service, you are immediately no longer compliant, and your organization could face significant or severe penalties. So, it's simply a different approach with different considerations than it used to be prior to the cloud. But that said, most major providers are, of course, well aware of many compliance standards and can in fact provide the means for most any organization to remain compliant. But it's of key importance for all of these and other considerations to be verified and re-verified regularly to ensure compliance is maintained on an ongoing basis.


Cloud Compliance Standards

In this video, we'll examine ways by which cloud computing can help to ensure that your organization remains in compliance with any laws or regulations that might oversee your business operations. This can be a challenge for any organization, simply due to the fact that the regulations themselves are often redefined, which can in turn require significant changes to be made to your solutions. But in an on-premises environment, changing any given solution might not be particularly feasible due to any number of constraints, such as budgets, time, personnel or resource shortages, and many others. In the cloud, changes to a solution may be much easier to implement, simply due to the much more flexible and agile nature of cloud computing. Just as a basic example, for a service such as a database, a compliance regulation might be updated to require redundant instances.

But again, due to internal constraints, an organization might not be in a position to implement redundancy, at least not quickly or easily. That type of configuration can be done very easily in the cloud, in very little time and with no upfront cost required. So, in many cases, the cloud may in fact make compliance easier to manage. Other considerations include the level of control that can be attained over certain services, such as software implementations and their associated upkeep. For example, in the cloud, built-in controls can help to ensure that only approved software can be accessed and/or installed on user devices, and updates and maintenance can be effectively removed in some cases if, for example, the application being used is one that is provided through a Software as a Service model.

In such cases, maintenance and upkeep are the responsibility of the provider. But in an on-premises environment, it can be very difficult to control which software ends up on user devices in the first place, and even very effectively controlled software still needs continual upkeep and maintenance, which can be especially time consuming. In addition, the cloud typically offers built-in monitoring capabilities for those applications, which can help to identify vulnerabilities and potential security breaches. Now, similar mechanisms may be implemented in on-premises environments as well, but they typically aren't built into the applications, so they would represent an additional cost, both in terms of time and effort.

And while there is a persistent perception that the cloud isn't as secure as an on-premises environment, this is often not the case. Security is often the most prevalent concern when it comes to ensuring compliance, and cloud providers are fully aware that they must be able to provide a secure environment to their clients; otherwise, they wouldn't have any clients. So, cloud providers invest tremendous resources into being able to provide that security, at both the physical level, such as the security measures implemented within their data centers, and the digital level, such as the security services they provide. And bear in mind that major cloud providers include companies such as Amazon, Microsoft, and Google, all of whom have resources well beyond what most organizations might have on their own, including firewall services, multi-factor authentication services, and digital key management for encryption, just to name a few, along with many other features that might not be so easily implemented within an on-premises environment.

But they're readily available through most cloud providers, so in many cases, security is, or at least can be, much higher in the cloud than it might be in an on-premises environment, particularly one with very limited resources. And ultimately, change itself is one of the driving forces behind compliance. Changes in technology, new and emerging security threats, and the updates and revisions to the regulations themselves that I mentioned earlier are almost always competing with each other, so to speak, in that if a technology improves, a compliance standard may be updated to require the use of the new and improved technology. And if a compliance standard changes due to a new security threat, technology might have to catch up to address the threat, so any one element can drive the advancement of the others. But again, it's the inherent flexibility offered by cloud solutions that can in fact help an organization to remain in compliance more easily. So, as a decision maker, if compliance is a primary concern for your organization, the cloud might be the ideal solution.


Compliance and Enforcement

In this presentation, we'll take a look at how the cloud has expanded the scope of compliance and enforcement, with compliance now reaching across more areas of your operations, including increased exposure to threats, more distributed data and identities, misconfigurations, and security policy enforcement. Now, this is likely more of a consideration for organizations who are using both on-premises services and cloud-based services in a hybrid configuration and/or those using multiple cloud providers, but the scope of compliance and enforcement now has to include all operating environments.

But even for organizations operating entirely within the cloud, the greater flexibility and scalability of the cloud itself often promotes much more rapid growth and facilitates new business opportunities, which could also make compliance and enforcement more difficult to implement and manage. Now, enforcement itself can be implemented through both manual and automated tasks, and generally speaking, the more automated the better, because automated tasks occur in response to something else, such as a compliance-related issue that has been detected. But no matter how enforcement is implemented, its goal is to reduce errors, reduce compliance violations, and reduce inconsistencies across all of your operations.

And due to the inherently dynamic nature of the cloud and the pace of technological evolution, continuous enforcement of security and compliance is especially critical. A common issue that can make enforcement and compliance more difficult is the lack of an adequate security framework to drive the design of your security implementation and define the security controls to be used. Without such a framework, an organization might struggle with inconsistent enforcement of policies, a lack of visibility into the cloud resources that have been deployed, and a lack of standardization and overall governance across their operations, which can, in turn, lead to the errors, violations, and inconsistencies just mentioned.

So, to avoid such a scenario and enhance your security, compliance, and enforcement, organizations should implement three kinds of controls. Operational controls define monitoring, detection, and remediation techniques to facilitate fast and effective responses that can be measured and compared against compliance requirements or other industry standards. Process-oriented controls define security baselines across all services and automated enforcement methods, and include a well-defined security framework. And of course, technical controls implement a secure operating posture, including solutions for managing security and identity, policy enforcement, and operational governance. Most notable among the security aspects of compliance and enforcement is the prevention of breaches, which themselves, of course, can represent the most severe or significant failures of your compliance and enforcement efforts.

And again, the more automation that can be applied to your security measures, the more likely they will be to detect an attempted breach and prevent it from succeeding in the first place. It's very unlikely that a particular resource is being monitored 100% of the time by human operators. So, the more reliance on automation in this regard, the less likely breaches are to occur. This is especially important to consider for organizations who are using hybrid or multi-cloud models, because your efforts have to be implemented consistently across all environments to ensure the highest level of security and enforcement.

And for any types of violations that do occur, regardless of whether they were malicious attacks or unintentional errors, the ability to detect those violations and to remediate them as quickly as possible is the key to maintaining and enforcing your compliance efforts. Toward that end, automation and continuous discovery of new services and resources can ensure the highest levels of visibility, which simply ensures that nothing is missed. And consistent configurations with respect to established baselines can help to ensure that monitoring tools can discover deviations from those baselines which could be indicative of a violation.

Should a violation be detected, your security framework should include orchestration and automation tools and/or DevOps processes that can remediate the issue as effectively as possible, to prevent it entirely or at least to keep it from escalating into a much larger issue. In short, the cloud itself is allowing more and more organizations to expand their operations across multiple environments or into new areas of business, which in itself is certainly a benefit, but it also requires a commensurate growth in your efforts to enforce security and maintain compliance.


Decision Making and Compliance

For our final video of this course, we'll provide an overview of some of the major areas of concern with respect to compliance and cloud operations, along with some of the common methods used to address those concerns. We'll begin with why compliance itself is important in the cloud, and perhaps the best way to examine that is to consider an organization that is non-compliant with whatever laws and regulations oversee its business. In short, failure to meet compliance requirements can permanently, or at least severely, damage an organization's reputation, particularly if the organization has a high profile and something such as a security breach due to non-compliance was equally high profile. Customers may simply no longer trust your organization and go elsewhere.

Depending on the severity, an organization could also face damaging lawsuits or possibly fines from which it might not be able to recover. Now that said, there are certainly varying degrees of non-compliance, and failure to meet any given requirement may not spell the end of your business, but the possibility is there. So, matters of compliance should not be taken lightly in any situation. Some common factors that can affect compliance include the growing diversity of cloud implementations. The sheer number of services and resources offered by any given provider grows very rapidly these days, and many organizations are in fact using multiple providers to maximize their service offerings.

But this, of course, means even greater diversity, with communications occurring among services that are hosted with different providers, complicating the matter even further. Effective ways to mitigate compliance concerns in these situations include ensuring that all data in all environments is encrypted, both at rest and in transit. Different services within the same provider, and even different services across providers, usually operate on centralized data. So, by simply encrypting all data, maintaining security and compliance can be more effectively accomplished. And implementing a consistent cloud monitoring tool that is capable of operating across all environments can help to increase resource visibility and ensure that no resources are overlooked.
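As an added example that is not part of this course's material, the following Python script shows the kind of cross-provider check this paragraph and the baseline-deviation point in the Compliance and Enforcement section describe: it compares a constructed multi-provider resource inventory against one baseline (encryption at rest and in transit, no public access, audit logging on) and reports both deviations and discovery gaps, that is, resources found outside the approved register or approved resources that discovery no longer sees. The inventory, baseline, field names and severities are all constructed for illustration and are not any provider's real API output.

```python
"""Baseline-deviation and discovery-gap check over a constructed inventory.

Added example: every record, field name and severity below is constructed
for illustration; none of it comes from a real cloud provider's API.
"""
from dataclasses import dataclass

# Constructed baseline: settings every data-holding resource must satisfy
# regardless of which provider hosts it.
BASELINE = {
    "encrypted_at_rest": True,   # data at rest must be encrypted
    "tls_required": True,        # data in transit must be encrypted
    "public_access": False,      # no anonymous/public exposure
    "audit_logging": True,       # access must be auditable
}

# Constructed severity for a deviation from each baseline setting.
SEVERITY = {
    "encrypted_at_rest": "high",
    "tls_required": "high",
    "public_access": "critical",
    "audit_logging": "medium",
}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed approved register: the resources the organization knows about.
APPROVED = {"aws:db-orders", "azure:blob-invoices", "gcp:bucket-exports"}

# Constructed inventory, as a discovery tool might report it across providers.
INVENTORY = [
    {"id": "aws:db-orders", "provider": "aws", "encrypted_at_rest": True,
     "tls_required": True, "public_access": False, "audit_logging": True},
    {"id": "azure:blob-invoices", "provider": "azure", "encrypted_at_rest": True,
     "tls_required": False, "public_access": False, "audit_logging": True},
    {"id": "gcp:bucket-exports", "provider": "gcp", "encrypted_at_rest": False,
     "tls_required": True, "public_access": True, "audit_logging": False},
    # Created outside the approved register and only partially described:
    # exactly the visibility gap the text warns about.
    {"id": "aws:bucket-scratch", "provider": "aws", "encrypted_at_rest": False,
     "tls_required": True, "public_access": False},
]


@dataclass
class Finding:
    resource: str
    setting: str
    expected: object
    actual: object
    severity: str


def check_resource(resource, baseline=BASELINE):
    """Return one Finding per baseline setting the resource deviates from.

    A setting absent from the record counts as a deviation: an unknown
    state is treated as non-compliant rather than silently passed."""
    findings = []
    for setting, expected in baseline.items():
        actual = resource.get(setting)
        if actual != expected:
            findings.append(Finding(resource["id"], setting, expected, actual,
                                    SEVERITY.get(setting, "medium")))
    return findings


def audit(inventory, approved=APPROVED, baseline=BASELINE):
    """Audit a whole inventory: baseline deviations plus discovery gaps.

    'unregistered' are resources discovery saw but the register lacks;
    'missing' are approved resources discovery did not see (either one
    means monitoring coverage is incomplete)."""
    seen = {r["id"] for r in inventory}
    findings = [f for r in inventory for f in check_resource(r, baseline)]
    worst = max((f.severity for f in findings), key=RANK.get, default=None)
    return {
        "findings": findings,
        "unregistered": sorted(seen - approved),
        "missing": sorted(approved - seen),
        "worst": worst,
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    for f in report["findings"]:
        print(f"{f.severity:8} {f.resource}: {f.setting} "
              f"expected {f.expected!r}, found {f.actual!r}")
    print("unregistered:", report["unregistered"])
    print("missing:", report["missing"])
    print("worst severity:", report["worst"])
```

The findings list is what an orchestration or remediation step would consume; the "unregistered" and "missing" lists are the discovery gaps that a consistent cross-environment monitoring tool is meant to close.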

The ease and speed with which new services and resources can be created in the cloud makes it especially easy for something to be missed. So, effective monitoring can go a long way toward enhancing security and compliance. And on a note related to monitoring and visibility, simply being aware of your responsibilities is often an issue with compliance. Now, this can be true of any organization in any circumstances. But when it comes to cloud computing, things can be more complicated, because while an organization is certainly responsible for ensuring its own services and solutions are compliant, the provider also plays a part, because we are using the infrastructure and services of that provider to create our own solutions. So, there is a shared responsibility model whereby the provider is responsible for maintaining the physical infrastructure and providing us with the means to ensure that we can create solutions that are compliant.

But we as customers have to ensure that we do exactly that. In other words, if the provider does in fact give us the means to ensure the compliance of a resource or a service, but we then fail to implement those measures or implement them improperly, we cannot place blame on the provider simply because it's a shared responsibility model. So, decision-makers must not only be made aware of which compliance factors must be observed, they must also be made aware of where the division of responsibility lies. From that point, proper planning can ensure that solutions are implemented with the responsibility placed accordingly.

And as mentioned a moment ago, new resources in the cloud can be created very quickly and easily, which can lead not only to visibility issues but also to access control issues, whereby resources are simply too accessible to too many individuals or services. Now again, this can be an issue for any organization, but cloud implementations often make it easier for something to be overlooked due to the dynamic nature of the cloud itself. So, access to resources should be managed with robust and effective platforms, such as privileged access management and Identity and Access Management solutions. Privileged access management refers to controlling the accounts that have the highest level of access to resources, such as administrative accounts, by implementing features that only provide the necessary level of access when it's needed.

These features are sometimes referred to as just enough administration and just-in-time administration. And Identity and Access Management refers to centralizing and controlling all user and device identities so that all access to resources can be authenticated and authorized accordingly. Now, it might seem somewhat obvious to state that services such as these should be implemented, but again, new solutions in the cloud can be created so easily and quickly that it's not at all uncommon for solutions to be implemented with functionality as the only consideration. Security and compliance, therefore, are implemented almost as an afterthought, so to speak. So, tighter control over resource access can help shift the thought process to one of security and compliance first. Final considerations include difficulty with overlap and ambiguity.

Overlap refers to situations whereby multiple regulations apply to the same resource, service, or feature and therefore require compliance from multiple aspects. Ambiguity can result from the opposite situation, whereby an organization simply isn't sure which compliance measures should apply. Both situations can lead to compliance misconfigurations, but they can typically be addressed by limiting the scope of any given solution and isolating and separating resources as much as possible. For example, for large and complex multi-cloud environments, compliance will likely be easier to maintain if sensitive information is accessed by smaller, more specific systems and stored in fewer locations. Ultimately, compliance, or a lack thereof, can make or break a business. So, as a decision-maker, be sure that due diligence is applied to all areas of your operations to ensure that compliance concerns are being addressed before solutions are implemented into production.