As organisations continue to evolve their risk governance practices and pursue new market opportunities, focused and relevant information about emerging risks is at a premium. The objective of Protiviti’s PreView newsletter is to provide input for these efforts as companies focus on risks that are developing in the market. We discuss emergent issues and look back at topics we’ve covered previously to help organisations understand how these risks are evolving and anticipate their potential ramifications.
As you review the topics in this issue, we encourage you to think about your organisation and ask probing questions: How will these risks affect us? What should we do now to prepare? Is there an opportunity we should pursue?
Our framework for evaluation of risks is rooted in the global risk categories designed by the World Economic Forum (WEF). Throughout this series, we use these categories to classify macro-level topics and the challenges they present.
Inside This Issue
Cloudy With a Chance of Data Loss
Emerging Risk Category: Technological
Key Industries Impacted: All
As cloud computing has matured globally, many companies have adopted a strategy of utilising public cloud providers to run mission-critical applications. Despite periodic reports of breaches in the news, the world’s largest cloud companies are focused on providing a secure cloud, and it could be argued that, in many instances, the cloud is more secure than a traditional on-premises or co-located data center. However, organisations must manage cloud-related risks with the same attention and scrutiny with which they managed their traditional data center risks.
The reasons for cloud breaches vary, from misconfigured files to unsecured servers to weak password protections, but the effects are generally the same: loss of data (of customers, as well as intellectual property and confidential company data), reputation erosion, legal and regulatory challenges, and financial loss.
Cloud-related risks exist, in large part, because of cloud technology’s significant benefits — including its low cost, speed of implementation, positive effects on business agility and collaborations, and more — and its widespread adoption. Twenty-one percent of files in the cloud now contain sensitive data, and the volume of sensitive data shared in the cloud has increased 53% annually, according to McAfee’s 2019 Cloud Adoption and Risk Report. Successful investments in cloud-based applications have driven more enterprises to embrace third-party technology infrastructure management models, the use of cloud-based innovation platforms, and even the development of entirely cloud-based businesses.
“Customers are increasingly adopting a hybrid cloud strategy, using various delivery models for their applications, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS),” according to CDW. Nearly half of current PaaS offerings are cloud-only, according to Gartner, which forecasts that enterprise spending on cloud-based offerings will surpass spending on non-cloud technology by 2022. The marketplace also is evolving, as is evident within industry-specific cloud markets where larger vendors are snapping up smaller cloud providers. This market shift has a number of implications, from posing concentration and data lock-in risks to increasing risk of data loss by making the cloud providers bigger, more lucrative targets for hackers.
To address these risks, company leaders must adopt a risk-savvy cloud approach that addresses strategy, implementation, service assurance and security. Failure to adopt such an approach raises the likelihood of experiencing higher cloud-related costs as well as data access and security issues that can expose organisations to data, reputational and financial losses. Below, we explore some of the key risks and considerations that have emerged as dominant in the cloud environment currently and which will continue to shape the risk profile of the cloud market in the future.
Key Implications and Considerations
- Cloud Vendor Concentration: While cloud-based technology offerings have proliferated in most industries, others, notably the financial services industry (FSI), have witnessed significant vendor consolidation. This is a growing concern for both leadership teams and global regulators. In July 2018, the European Banking Authority (EBA) Recommendations concerning the use of cloud service providers by financial institutions took effect. “The existence of still very few credible [cloud service providers] leads to a considerable concentration risk,” according to the EBA. The authority’s guidance addresses five key risk areas: the security of data and systems, the location of data and data processing, access and audit rights, chain outsourcing, and contingency plans and exit strategies.
The European Savings and Retail Banking Group (ESBG) also has documented concerns related to the risks (security, concentration, reputational, regulatory and business) to which financial institutions can be exposed because of “the lack of harmonisation in regulatory approaches across different jurisdictions.” The ESBG indicates that “the lack of clarity in supervisory expectations hinders the compliance with rules regarding the use, management and storage of customer information, and increases uncertainty in relation to the criteria for the approval of cloud projects.” The ESBG also indicates that even the largest financial institutions often find themselves at a disadvantage when negotiating terms and conditions concerning the use and protection of company data with the handful of top (U.S.-based) cloud technology providers.
Companies of all industries can be exposed to increased concentration risks as a result of ending relationships with cloud vendors for sound reasons. Vendor risk management research, conducted annually by The Shared Assessments Programme and Protiviti, shows that most companies exit third-party vendor relationships that pose high risks. Regardless of whether this de-risking is driven by high costs or other issues with the vendor, such as inability to sufficiently assess and improve vendor controls, these decisions typically result in the sharing of more organisational data with fewer external partners. Any service level agreement (SLA) changes, outages or other issues that occur among that smaller set of large cloud providers tend to have significantly larger impacts on the companies using those providers. To address concentration risks, organisations should ensure that vendors are selected and monitored in accordance with the company’s cloud strategy and vendor risk management policies, sufficient vendor diversification is maintained, and SLAs are well-designed and actively managed.
- Unsanctioned Cloud Services: Employee use of cloud services that are not sanctioned by the information technology (IT) function has grown steadily in the five years since CSO Online posted an article warning IT leaders to “Forget BYOD — it's now BYOC.” Three years ago, an NTT Communications Corporation survey of 500 IT decision-makers determined that 77% of companies commissioned a cloud service without the IT department’s involvement. The practice is so common and pervasive that the news of White House adviser Jared Kushner using the unsanctioned, insecure cloud-based messaging service WhatsApp to communicate with foreign contacts elicited either a shrug or outrage, determined only by the political leanings of the reader. By 2020, Gartner expects “shadow” IT resources to be the root cause of one-third of successful cyberattacks on enterprises. In addition to the security risks, shadow IT poses a separate legal risk, for example, when a legal hold is placed on company or customer data or that data is requested for investigative support (see “Legal Holds” below). When employees use shadow cloud services that are not subject to IT oversight and governance, legal hold considerations are almost always neglected. To limit “bring your own cloud” (BYOC) risks, organisations should continually educate the workforce on IT governance policies (and the risks of all forms of shadow IT) and perform regularly scheduled penetration testing to understand the use of unauthorised cloud services and how these risks can be remediated.
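One concrete check behind the BYOC recommendation above, as an added example that is not from the newsletter: a script that scans web-proxy records for uploads to cloud services outside the IT-sanctioned list, so that the security team can see which users and services to address. The log format, the domain lists and the records are constructed for the example.

```python
"""Shadow-cloud (BYOC) discovery over web-proxy logs (added example).

Assumes a simple proxy record format: timestamp, user, destination host,
bytes sent. The sanctioned list and the known-cloud list are constructed.
"""
import re
from collections import defaultdict

# Constructed sample proxy records; a real export would come from the proxy or CASB.
SAMPLE_LOG = """\
2019-06-03T09:12:01Z alice storage.example-sanctioned.com 120394
2019-06-03T09:14:44Z bob api.unsanctioned-notes.example 88210
2019-06-03T09:15:02Z alice upload.unsanctioned-share.example 5200000
2019-06-03T09:20:19Z carol mail.example-sanctioned.com 4100
2019-06-03T09:21:00Z bob api.unsanctioned-notes.example 12000
this line is malformed and must be skipped
"""

# Services the IT function has approved (constructed allowlist).
SANCTIONED_DOMAINS = {"example-sanctioned.com"}

# Consumer cloud / file-sharing services the team wants surfaced (constructed).
KNOWN_CLOUD_DOMAINS = {"unsanctioned-share.example", "unsanctioned-notes.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; sufficient for this sample, not a real public-suffix lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_unsanctioned(log_text: str) -> dict:
    """Return {user: {domain: total_bytes_sent}} for traffic to known, non-sanctioned cloud services."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed records instead of failing the whole scan
        _ts, user, host, nbytes = m.groups()
        domain = registrable_domain(host)
        if domain in SANCTIONED_DOMAINS or domain not in KNOWN_CLOUD_DOMAINS:
            continue
        findings[user][domain] += int(nbytes)
    return {user: dict(dests) for user, dests in findings.items()}


if __name__ == "__main__":
    for user, dests in find_unsanctioned(SAMPLE_LOG).items():
        for domain, total in dests.items():
            print(f"{user}: {domain} ({total} bytes sent)")
```

Per-user byte totals give the governance team a way to prioritise: a single large upload to an unsanctioned sharing service warrants a different conversation from a few kilobytes to a note-taking app.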
- Data Location — and Data Ownership: To make their offerings competitively priced, some cloud vendors have deployed creative ways to keep costs — or the appearance of costs — low. In some arrangements, vendors treat customer data stored on their servers as an asset to be aggregated and sold to retailers, search engines and other third parties. Language concerning data ownership and data location may be buried in the contract or addressed in vague terms. These vendor tactics bring into focus the need for clear, well-defined and well-understood SLAs.
Imprecise data ownership stipulations should be identified and challenged by cloud customers prior to entering into a vendor relationship. Often, however, the teams procuring cloud offerings are not sufficiently educated on data ownership risks, which can result in cloud providers negotiating outright ownership of the customer data on their servers. If customer data includes regulated information under, for example, the General Data Protection Regulation (GDPR), and the cloud provider fails the GDPR-specified data privacy provisions by reselling the data down the line, the customer with whom the data originates faces the GDPR compliance violations.
To limit risks associated with data ownership and location, organisational cloud strategies and governance should emphasise ongoing education concerning these issues. These strategies also should contain specific policies regarding data ownership and location.
- Legal Holds and Investigative Support: How data is stored and controlled by cloud providers also affects the ease and speed with which cloud customers can respond to pending litigation that generates legal holds involving that data. A legal hold requires an organisation to preserve records and information related to the legal matter. While cloud vendors should have tools and processes in place to respond swiftly to legal holds issued to their customers, this capability is frequently overlooked during the due diligence and provider selection process and the finalisation of SLAs and contracts.
Some vendors offer additional investigative support for legal holds; this support typically involves the vendor helping the client secure and process relevant data. The legal hold risks should also be considered when negotiating data ownership (as discussed above). Legal holds issued to a cloud provider could involve customer data, locking it up or making it available in violation of the customer’s policy. To address risks associated with legal holds, vendor selection processes should include mechanisms for determining prospective cloud vendors’ ability to respond quickly to legal hold notices, preserve data and information in accordance with these types of requirements, and provide additional investigative support.
- Vendor Lock-In: A startling cloud-related note was nestled in Snapchat parent company Snap’s IPO filing announcement a couple of years ago. Snap reported that it was bound by contract to “spend $2 billion with Google Cloud over the next five years and have built [its] software and computer systems to use computing, storage capabilities, bandwidth, and other services provided by Google.” Snap also reported that Snapchat uses some Google services “which do not have an alternative in the market.” As Mesosphere CMO Peter Guagenti noted in a post at the time, “Google now has them in handcuffs, and there’s little Snap can do to change that without having to invest a tremendous amount of money to free themselves.” Snap is hardly alone. Many companies find themselves bolted to a cloud provider due to complex technical arrangements (e.g., storing data in proprietary formats), specific contractual terms and other dependencies. “Cloud providers also often make the movement of data from the cloud to an on-premise center or another cloud vendor difficult, complex, and expensive,” according to Forbes contributor Dan Woods. “The reason for this is clear — it’s in their interest for you to keep your data with them, as they want their customers to “stick” to them in perpetuity.” When vendor lock-in exists, companies can be exposed to significant maintenance and service price increases while their performance, to varying degrees, is wedded to the performance of their cloud vendor. As with other cloud risks, vendor lock-in should be addressed through effective vendor selection processes, SLAs and ongoing performance monitoring.
Areas of Focus to Mitigate Cloud Risk
The risks highlighted above should not suggest that cloud is an unsafe choice for companies. For many companies, the move to a well-managed cloud platform actually decreases risk. Appropriate vendor selection criteria, well-crafted SLAs and effective IT and vendor risk management governance and controls go a long way toward mitigating the risks discussed above.
These processes should be part of a comprehensive, methodical approach to cloud adoption and ongoing cloud risk management that also includes architecture considerations, ongoing monitoring, change management protocols and other mechanisms. Although these approaches vary, an effective framework addresses the following four areas:
[Figure: Considerations for Cloud Computing]
Source: "Cloud Adoption: Putting the Cloud at the Heart of Business and IT Strategy," Protiviti, 2017.
Spotlight: Tape Wars, and Why Cloud Storage Costs May Soar
Just as cloud customers strive to mitigate vendor concentration risks, so do cloud providers. Concentration risks for cloud vendors stem from their suppliers of cloud storage backup. The number of manufacturers that produce the magnetic tape used to securely store backup data has shrunk from six to two, Sony and Fujifilm, during the past several years. What’s more, the two manufacturers are trying aggressively to reduce their market to a single provider. Each company has spent heavily in attempts to ban the other from importing tapes to the U.S., according to Bloomberg Businessweek.
The two corporations also have squared off against each other over claims of patent infringement. This heated battle may be bad news for cloud vendors and their enterprise customers. Although magnetic tape was invented a century ago, it remains the standard for backup data storage because it can endure for three decades and, thanks to comparatively recent improvements, can store vast amounts of data. If the number of global manufacturers of magnetic tape declines to one, that company could levy massive price increases. This would translate to much higher costs for cloud providers, which they would likely pass on to their customers.
“Cloud computing is now an intrinsic part of the enterprise landscape. As cloud adoption is driven increasingly by business transformation needs and as businesses respond to demands levied by rapidly evolving consumer behaviors, changing business models and the need to respond to opportunities and risks arising from new market entrants, the processes and practices for managing cloud-related risks must mature.”
— Eric Winton, Managing Director, Protiviti
About Our Risk Management Solutions
Protiviti’s risk management professionals partner with management to ensure that risk is appropriately considered in the strategy-setting process and is integrated with performance management. We work with companies to design, implement and maintain effective capabilities to manage and respond to their most critical risks and address cultural and other organisational issues that can compromise those capabilities. We help organisations evaluate technology solutions for reliable monitoring and reporting, and implement new processes successfully over time.