Cloud, Risks & Business Continuity: Levers for Resilience
Scenario – Where are we? Digitalization and V.U.C.A World are on stage…
At present, we live in the so-called V.U.C.A. World, i.e. a world characterized by Volatility, Uncertainty, Complexity and Ambiguity, as defined by the leadership theorists Warren Bennis and Burt Nanus. An ongoing digital transformation is taking place and requires extremely "agile" and "adaptive" business processes and business rules to face the contingent challenges of the post-lockdown period.
The adoption of the cloud implies a paradigm shift in order to meet business challenges: business, government, healthcare, and retail organizations need to streamline processes, increase efficiency and reduce costs, while ensuring customer safety, product quality, and data integrity. These needs combined with the benefits of the cloud technology – including rapid on-demand scalability – encourage a growing number of organizations to consider its adoption. In addition, during the Covid-19 health crisis, healthcare companies and institutions relied on the cloud to better manage the remote working mode and to cope with peak-time connectivity.
Organizations continue to adopt cloud technology, and demand is reaching unprecedented levels, becoming the post-crisis priority for many organizations. Moreover, according to Gartner, the adoption of cloud video conferencing services will grow further in the future, as the flexibility of this technology allows employees to connect to their work environments quickly and remotely.
Furthermore, those companies that were already using the cloud for a limited part of their business before the pandemic have, of course, continued in this direction during the lockdown and now, being more "mature", have started to move data and their workloads to the cloud. Cloud flexibility and the "as-a-service" cost model allow organizations to quickly adapt capacity to demand, whether at the infrastructure (IaaS), software (SaaS) or platform (PaaS) level. Therefore, thanks to the flexibility of this technology, it is possible to expand the organization's capabilities and extend remote work to up to 90% of employees in a short time.
Veeam Report 2020: Cloud vs. Data Protection
Veeam Software (a Swiss-based IT company) recently issued a report entitled "Data protection trends 2020". According to this report, many organizations are still facing problems in accomplishing the digital transformation process, mainly due to outdated data protection solutions. The contingent crisis made organizations aware of the need to evolve and adopt new paradigms in their way of working: smart working systems and cloud applications are required, thus inevitably exposing organizations to new cyber risks, as they have expanded the attack surface.
Approximately 1,500 organizations were interviewed in order to understand: how data protection and management are approached; how well these organizations are prepared to address the IT challenges that arise on a daily basis; what type of “reaction” capabilities are required to cope with new needs or outages; the importance of monitoring the evolution of technology.
Big data, made available through IT infrastructures, have become more and more strategic and essential to business. Therefore, data protection must achieve a higher level of "intelligence" to support the digital transformation needs of the business and the adoption of hybrid multi-cloud environments. However, the report reveals that, in terms of protection, 40% of companies still rely on legacy systems, and 95% of companies are subject to system outages lasting approximately two hours (i.e. 117 minutes), which translate into economic losses. One hour of downtime of a "high priority" application costs organizations approximately 62 dollars; furthermore, the downtime of a "normal priority" application is no less expensive, i.e. about 62 dollars. The impact costs of "high priority" and "normal priority" applications reveal that all data are, in fact, "strategic" and, as a result, downtime will no longer be tolerated.
In order to protect their data effectively and efficiently, the interviewed organizations rely on the cloud in terms of: Disaster Recovery through cloud services (50%), on-premises workloads moved to the cloud (50%) or workloads moved from one cloud to another (48%). In addition, according to 50% of the interviewed organizations, the cloud will play an increasingly important role in data protection strategies, since data protection needs a comprehensive solution supporting data management both in the cloud and in physical and virtual environments.
Risks to assess before implementing the Cloud
Organizations will need to assess the following risks when considering implementing the cloud:
- Data Governance: the cloud provider should prove the existence of perimeter firewalls and access control, and provide encryption services and monitoring tools to protect data, in line with the organization's business security needs. It will also be fundamental to verify compliance with the GDPR regulation. In addition, as far as the data retention cycle is concerned, organizations, being ultimately responsible as data owners, need to verify that data are correctly deleted, since cloud providers usually distribute data across different storage units.
- Management complexity and lack of adequate training: migrating from an on-premises environment to a cloud results in a higher level of operational complexity for the IT function, and in some cases IT staff may not have adequate experience in managing and supporting cloud services, nor specific and adequate training to manage the security of these implementations. It is also advisable to have an effective operational policy in place.
- Lack of data connectivity and availability: the virtual service requires adequate connectivity quality, considering that it may suffer from outages and failures due to large peak spikes and, consequently, data stored in the cloud may be temporarily inaccessible and cloud performance jeopardized.
- Configuration errors: improper technical understanding can cause errors or omissions. This problem can be avoided by planning security measures before deployment and requesting ad hoc design and deployment assistance from the cloud provider. In addition, it is highly recommended to periodically audit and test the cloud environment to identify possible security gaps and guarantee its proper performance.
- Multi-Tenant: cloud providers offer different types of architectures, i.e. private clouds, hybrid clouds or multi-clouds, and therefore host multiple clients in a single physical cloud architecture, or in data centers located in different places. Since clouds are shared structures based on the concept of resources rented to multiple users, cloud providers usually try to confine tenants to their "enclave" in order to prevent one tenant's use of shared resources from impacting the others. In fact, cloud providers hold data from individuals and organizations that may have different interests and needs or, in some cases, conflicting goals/objectives. It is virtually impossible to draw a clear boundary between technical and business aspects, therefore the "failure" of one tenant can cause a "domino" effect on the others. For this reason, cloud service providers should guarantee that all the logical and physical security controls are in place to ensure a secure enclave for each tenant, in addition to multiple domains to mitigate these risks. However, it is advisable to periodically perform due diligence to measure the potential impact of a multi-tenant environment on the organization and verify the risk mitigation strategies offered by the provider.
- Crypto-jacking: this is an increasing threat that exploits computing resources, erodes the security boundaries of the cloud and allows hackers to inject malicious code that opens the door to other similar and potentially malicious attacks. Incorrect configurations and social engineering are the two methods used by cyber criminals to deliver crypto-jacking code.
Cloud vs. Business Continuity
The above described scenarios highlight how, in order to enable a true digital transformation, the implementation of both Risk Management & Business Continuity principles and the modernization of data protection are required, thus ensuring the resiliency of the entire organization.
Cloud solutions contribute to meeting Business Continuity needs in terms of critical and less critical application availability, data centers, back-up services and disaster recovery. In addition, back-up and disaster recovery services are becoming the main "levers" driving organizations to move to the cloud. Many cloud service providers guarantee sophisticated frameworks for disaster recovery planning according to business continuity and crisis management models based on organizational resiliency. In addition, the cloud provides access to a number of services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), and guarantees benefits in terms of: reduced IT and IT infrastructure spending; rapid implementation; flexible pricing and high scalability; back-up of business data and information, operating systems and applications; and the ability to offload many processing capabilities, which guarantees reduced recovery times and business continuity.
The so-called next-generation clouds will guarantee the replication of Disaster Recovery & Business Continuity plans, thus providing greater organizational resilience and lower management costs. Traditional Disaster Recovery & Business Continuity solutions are expensive; furthermore, they involve purchasing and supporting hardware and storage to hold large copies of corporate data. The cloud has become a cost-effective choice compared to remote data centers.
Organizations will also be able to customize their Business Continuity & Disaster Recovery plan, subscribe to the services they 'really' need and, over time, modify their subscription to better suit their needs.
However, a few things still need to be checked to guarantee a successful cloud deployment and business continuity, namely:
- Provisioning adequate budgets for the necessary technological investments.
- Verifying the reliability of the cloud provider in terms of robustness of the infrastructure used and its level of security.
- Creating a digital culture that allows people to evolve together with the organization, thus overcoming the lack of skills and staff shortage for the correct implementation of cloud technologies.
- Improving personnel's digital skills to expedite employees' access to data and information and their use of new technologies.
- Testing cloud providers' continuity plans, including business continuity clauses in the SLAs and extending those clauses to their sub-vendors.
- Testing connectivity services and power in data centers in the event of a disaster/disruption.
- Checking hardware failure management and including recovery/resolution modalities in the contract.
- Checking the data replication process and identifying where data are stored in order to be compliant with the GDPR regulation.
- Verifying data center specifications used by the cloud provider.
- Checking downtime that occurred during the last 18 months.
- Checking planning in terms of recovery, disaster, and availability tests and availability of relevant reports.
The increased use of the cloud implies a new approach to the internet, since it becomes a gateway to the processing and storage resources of remote service providers. In addition, the migration of data from on-premises, company-controlled systems to the remote cloud provider's systems necessarily requires security measures by the organizations in order to comply with their responsibilities and with the GDPR regulation in terms of personal data protection. Therefore, organizations should closely monitor the services offered by the cloud provider, identify potential risks and adopt effective and specific prevention measures. Furthermore, before adopting a cloud system it is fundamental to carefully evaluate the risk-benefit ratio in order to minimize the former by verifying the cloud provider's reliability.
The involvement of the entire organization is the condition sine qua non to guarantee both the success of the cloud implementation and organizational resilience. Adequate reskilling and upskilling, through ad hoc training, will be beneficial for organizations and contribute to the development of a digital culture also at country level. The buzzword of the moment is to strengthen personnel's digital skills and make technology an asset: technological innovation remains the main engine for development and the basis for building safer contexts/infrastructures. Innovation is not free: time, money and people need to be allocated. Innovation can lead to powerful competitive advantage; however, it implies the involvement of Risk Management & Business Continuity professionals to prevent risks and threats, and to support organizations in the preparation of the relevant plans to ensure organizational resilience.
Federica M.R. Livelli
Business Continuity & Risk Management Consultant
About the author
Business Continuity & Risk Management Consultant
She holds the Business Continuity certification AMBCI BCI, UK and the Risk Management FERMA Rimap ® certification, and works as a Business Continuity & Risk Management consultant. She promotes and develops the culture of resilience at various institutions and universities.
Member of AIPSA and UNI.
· Board member of the BCI Italy Chapter
· Board member of ANRA
· Advisory Board of the LIUC-ODES Project
· Advisory Board EU SIMARGL Project
· Scientific Committee of CLUSIT
· CLUSIT Artificial Intelligence/Risk Management Committee
· Conduct Professional Committee – BCI, UK
· Judge at the International Organizational Resilience Awards
· UNI/CT 016/GL 02 "Sistemi di gestione per la qualità" (quality management systems, ISO/TC 176/SC 2), UNI/CT 016/GL 09 "Governance delle organizzazioni" (governance of organizations, ISO/TC 309) and UNI/CT 016/GL 89 "Gestione dell'innovazione" (innovation management, ISO/TC 279) (Technical Committee UNI/CT 016 "Gestione per la qualità e metodi statistici", quality management and statistical methods)
Member of: Associazione Donne 4.0 (Coordinator of the Networks Committee) and Women for Cyber Security (Technical Committee)
Lecturer for introductory modules on: ISO 22301 - Business Continuity & Resilience (Università POLIMI–BOCCONI and Università di Verona, Università di Cagliari, Master Ambientale Università di Padova); ISO 31000 - Risk Management (Università Statale di Milano)
Speaker and moderator at several national and international seminars and conferences.
Author of numerous articles in various online magazines (i.e.: AgendaDigitale, Cybersecurity360, AI4Business, Risk Management360, EnergyUp, Blockchain4Innovation, Internet4Things, Industry4Business, ANRA - RM Magazine, ISPI online, Insurance Review, INsurzine, UNI Magazine online, The BCI Blog, Data Manager).
Contributed as co-author to the 2020 and 2021 editions of the Rapporto Clusit - Cyber Security.