Samuel Weil
Consultant

The cloud is a revolutionary technology solution for businesses worldwide. Cloud utilization has led to a reduction in capital expenses, lessened IT department responsibilities and increased workforce access to information. Today, a considerable number of manufacturing businesses take advantage of what cloud computing has to offer. Although the cloud offers a wide array of benefits, it does not mean inherent risks do not exist. Implementing a cloud solution does not automatically protect a business from traditional IT threats and security risks. If you want to enjoy the benefits of the cloud and sleep easy at night, it is vital to fully understand what hazards exist in the world of cloud computing. This article explains cloud computing risks and the approach to take when evaluating a cloud provider.

Threat Assessment

 When choosing a cloud solution, you are ultimately putting the faith of your business in the hands of a third party vendor. What if the cloud provider, entrusted to carry out these services, does not meet your personal standards of security? The fact of the matter is not every vendor’s idea of a safe and secure environment will correlate with your expectations and, without a clear understanding of what a cloud vendor offers in regard to cloud security, your company’s assets may be at risk.

Some cloud computing providers simply do not have strict registration controls—there is no inquiry on who is registering for their services or for what reason they need the computing resources. This type of behavior by providers potentially puts your data in close proximity of dangerous entities. What if a hacker contracts with your cloud vendor and ends up sharing the same computing resources as your business?  Would you feel comfortable knowing malicious code and malware may be stored in the same infrastructure as your data?  Without strict cloud registration controls, these criminals can use cloud resources as a platform for conducting nefarious activities and, ultimately, may harm your business.

Another example of imperfect cloud computing involves encryption, specifically the encryption of application programming interfaces (APIs).  In brief, cloud solution providers need user-friendly APIs to give their clients a medium for managing their resources in the cloud, such as the graphical interface that displays and allows management of company data. As such, there is no guarantee your provider completely encrypts their APIs. Without encryption in place, your company’s data may be vulnerable as it moves from cloud storage to the application interface.  

Malicious insiders also pose a threat to any organization. If your vendor does not implement competent access controls or employee monitoring practices, your company’s data, processes and/or applications may be exposed to malicious insiders within the cloud organization. For example, if no background checks are conducted, individuals with a history of hacking or corporate espionage may be employed to monitor your company’s data.  If you decide to outsource data and/or functions to the cloud, you open the door for additional people to access your assets, including those whose backgrounds may not have been evaluated.

Not all cloud solution vendors have experience and resources that compare to the Googles and Amazons of the world—some fail to effectively maintain their own operations. Software patching, security policies, log monitoring, internal self-audits and intrusion detection tests are merely a handful of items a sound cloud vendor practices. Can you, without a doubt, be sure your vendor undertakes all of these endeavors on a regular basis? Some third parties will be tightly run ships, others will not, but at the end of the day there need to be sound security procedures surrounding the maintenance of your network, applications and data.

The Implications of a Cloud Compromise

The aforementioned threats are not all that exist and, as the cloud computing industry continues to grow, more and more potential hazards will evolve. The number one concern on the minds of most businesses is a breach of sensitive company information. A theft or loss of key data could result in major competitive, financial and legal ramifications. A migration to the cloud does not automatically alleviate this concern, so, in order to conclusively ensure the security of a company’s data and processes, a business must conduct additional due diligence.

Building Trust with Your Cloud Provider
A vendor’s security controls must be evaluated before making a leap of faith to the cloud. Cloud solution providers are service organizations. How can a potential stakeholder evaluate the security and controls of a service organization?  In 2011, the AICPA established three Service Organization Control Reports—SOC 1, SOC 2 and SOC 3—to guide an independent auditor with acceptable internal control standards of a service organization. In particular, SOC 2 is titled, “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.” When choosing a cloud solution provider, it would definitely be a best practice to see if they have a SOC 2 (Type 2) report available from their last audit.  An unqualified opinion from the auditors would indicate, at a minimum, satisfactory controls on the part of the vendor.

An in-depth evaluation of the service level agreement from the cloud vendor will better indicate if they are a secure choice. There are a number of questions that need to be answered to help determine this, including the following:

  • How is data encrypted while in transit?
  • How is data encrypted while at rest?
  • Are background checks performed on prospective employees?
  • Are employee activities logged and monitored?
  • Is there a stringent registration process limiting who can sign up for their services?
  • How many years of experience does the vendor have in the cloud computing industry?
  • Is their data center in a protected location?
  • How is client data backed up and restored in the case of a disaster?
  • Can data be migrated back to on-site hosting with relative ease?

Above all, perform your due diligence. Cloud computing technology holds vast benefits to businesses able to grasp the opportunity. Educate yourself on the risks, find a vendor you can trust, perform your due diligence and reap the rewards.

Litigation Support Services

Advisors | Auditors | Consultants | CPAs – BlumShapiro is one of the premier consulting firms in New England and a Top 100 CPA Firm in the U.S. Our professionals serve companies in Boston (MA), Hartford (CT), Cranston (RI), Shelton (CT) and Quincy (MA) with technology consulting, business valuations, litigation support, project management, process & controls and bankruptcy consulting services. We are a Intacct Partner offering accounting software including Cloud ERP solutions. Learn more about our City of the Future offerings.