As the pace of innovation pushes business to move faster, companies are increasingly moving more of their information technology (IT) infrastructure into the cloud. Cloud services allow IT departments to scale and leverage specialized software as a service (SaaS) offerings. But what does this mean for security?

In a recent report from Gartner, executives cite cloud computing as a leading concern for risk. The executives surveyed fear data loss and data breach due to unauthorized access or downtime on the part of providers. However, business leaders also find the benefits of the cloud far outweigh any perceived disadvantages, contributing to double-digit year-to-year growth in cloud services, according to Gartner. Indeed, for some companies, a move to the cloud is integral to staying competitive.

Keeping the benefits and challenges of the cloud in mind will help board members best prepare relevant questions for chief information security officers (CISOs). This, in turn, will ensure that your company maintains a strong security posture around cloud services.

Benefits of the Cloud

Economies of scale, specialized expertise around particular solutions, speed to market, and many other benefits have contributed to the cloud’s rapid growth. The benefits include:

  • Flexibility. The cloud offers the ability to scale infrastructure according to need without large capital and operational expenditures. In other words, companies don’t have to buy new servers and maintain them and their environment to increase capacity, or keep them around when they aren’t needed anymore.
  • Affordability. Cloud services provide a low cost of entry for new functions, making it possible for companies to try new processes and business models, running experiments with a smaller upfront investment.
  • Talent. The hardware and security components of the IT stack used by cloud service providers are often maintained by top talent in the industry. For example, Amazon Web Services (on which many providers depend) recruits some of the best talent in the world for its data centers and security operations centers.
  • Speed. This includes both quicker implementation and quicker updates. New functionality gets rolled out through SaaS solutions faster using fewer internal resources. The software update process is also handled by the vendor, requiring little to no effort from the customer.
  • Interoperability. Integrating disparate SaaS solutions is usually simpler than integrating on-premises solutions.
  • Protection. Because cloud services reside in remote locations—and have backups—separate from the companies using them, they help protect data from natural disasters and other local events.

Challenges of the Cloud

Despite the advantages, however, cloud services do come with risks. These spring from services being hosted separately from a customer company’s own IT and security infrastructure. The risk factors include:

  • Shadow IT. The very ease and speed of implementation for cloud services lead to one of the risk factors. Software acquired by groups making their own purchases via credit card runs the risk of bypassing the security team, as do cloud-based apps created by those groups.
  • Black box syndrome. Services using proprietary systems may or may not meet best security standards while remaining opaque to scrutiny by in-house security teams.
  • Outages. Cloud services may also go down, rendering data and important functions unavailable at crucial times with no control over corrective measures.
  • Fragmentation. More systems, applications, and instances mean less expertise for any individual system, thereby increasing management complexity.

Managing the Risks

Companies can mitigate the risks associated with moving to the cloud with the right approach. Ask your CISO: “Are these in place at our company?”

  • Vendor assessments. Are we interviewing cloud vendors to ensure robust security on their end? Are we interviewing a representative sampling of some of their customers to verify past performance?
  • Hybrid cloud-and-premises systems. Cloud services may go down, but local redundancy can help. Do we use hybrid systems that maintain local backups and functionality for critical systems?
  • Checks and balances for the shadow IT. Are we flagging or preventing purchases of cloud services so security staff can evaluate them before trusting important data and functions to them?
  • Regulatory compliance. Are we taking full responsibility for and ensuring compliance with regulations even when using outside systems (for example, through enforceable language in our contracts with vendors)?
  • Trust maintenance. Are we prioritizing our relationships with customers and suppliers rather than letting these relationships suffer at the expense of moving quickly?

Cloud services offer many benefits. As Gartner reports, the cloud “has become a solution for issues that have plagued organizations and overtaxed IT departments for years.” If boards ask their CISOs the right types of questions in the evaluation process, they can consider and mitigate the risks and address any concerns. This will allow their companies to move functions and data to the cloud as securely as possible.


Corey E. Thomas is CEO of Rapid7. Read more of his insights here