For the vast majority of businesses, reliance upon cloud providers is inescapable, with the in-house hosting of applications rapidly becoming a vestige of a bygone computing era. The reasons for going to a cloud solution are many, including ease of sharing information, scalability, cost savings, and support. Whereas servers hosted in a traditional server room need to be secured, supported, patched, and upgraded, a cloud provider seamlessly handles all of these functions for a business. While their advantages seem to provide a technological panacea for businesses, cloud solutions are not without risk. Dark clouds of a different type, such as unexpected outages and cyber-attacks, can quickly rain on a business’s ability to provide services.
As more and more businesses see the rewards of migrating away from onsite applications, cyber criminals have taken notice of the cloud and are seeing benefits of a far more sinister nature. Cloud providers and, in turn, their customers can be severely affected by cyber-attacks. One of the largest providers of electronic medical records (EMR) was victimized by a sophisticated malware attack that took their systems offline, leaving their customers without access to critical business processes for several weeks. One of the world’s largest providers of financial and fundraising technology to nonprofit organizations was compromised and extorted into paying a sizable ransom to restore the hijacked data destroyed by the cybercriminals.
And while cyber criminals account for much of the downtime experienced by cloud providers, other outages can also occur without warning. The premier provider of hotel accounting software across North America recently went down for several agonizing days. As their team scrambled to restore operations, their customers were forced to revert to contingency plans and manual procedures in the interim. Even the venerable behemoths Microsoft and Amazon are not immune to experiencing issues with their cloud-based products. Earlier this year, Microsoft Teams customers’ calls were routed directly to voicemail after the company implemented a change, causing a good deal of frustration. In December, a much more sizable outage was experienced by Amazon Web Services (AWS), which cascaded downstream to many businesses that rely upon its cloud infrastructure technology to maintain their operations. During the seemingly interminable downtime, the impact ranged from Amazon fulfillment centers screeching to a halt to automated Roomba vacuums becoming unresponsive due to their reliance on AWS.
So while the cloud is by and large a safe haven for a business’ data, the technology is not infallible. Taking a “set it and forget it” approach is a risk that could result in considerable downtime. To minimize the risk of an unfortunate outcome originating from your cloud providers, here are some steps to consider:
- Obtain and review SOC (service organization control) reports on a regular basis for both current and future cloud providers to determine whether they have the necessary resources in place to mitigate downstream disruption. These reports are free for customers of the cloud provider and detail the controls that are in place related to data security, availability, processing integrity, confidentiality and/or privacy.
- Develop and periodically test contingency plans and workarounds to withstand disruption to a cloud provider’s services. A business should identify what cloud-dependent services are critical to their operations and then determine if and how they could operate if those services were unavailable for an extended amount of time.
- Obtain a clear understanding of the backup capabilities offered by each cloud provider. It is very important to know if a business can roll back the data in a cloud application to an earlier date in the event information was accidentally or intentionally deleted or corrupted. Performing a periodic viability test of this capability is very important to ensure a business can quickly recover in the event of tainted or missing data.
- Determine whether a copy of the data can be downloaded from the cloud provider. Should a business determine they want to move to another cloud solution, they may be facing an exceptionally time-consuming process. If a download of the data can be received upon demand, this data entry process could be significantly reduced.
So while the cloud offers many advantages, there will always be a chance for rain. By taking a few precautions, a business can protect itself and increase its chance to weather any storms it may encounter.
Citrin Cooperman is one of the nation’s largest professional services firms, providing assurance, tax and business advisory services to companies in a variety of industries. Our daily mission is to help our clients “focus on what counts.”
Kevin Ricci is a partner in the firm’s Technology, Risk Advisory, and Cybersecurity (TRAC) practice with more than 20 years of experience. He offers clients specialized technology expertise and cybersecurity solutions, including consulting, IT auditing, Sarbanes-Oxley IT support, security training, database development, data analysis, and compliance services including PCI DSS.