Cloud Risk: You Can’t Ignore The Vulnerabilities

An Interview With Ernst & Young’s Paul Sussex And Carl Freeman



Steven Lerner
04/05/2019


As enterprises migrate to the cloud, they should remember that the cloud has numerous vulnerabilities that hackers could easily exploit. In particular, the public cloud represents one of the fastest growing data management risks in the enterprise.

To understand more about cloud risk, we spoke with Ernst & Young’s Paul Sussex (Digital U.S. Cloud Leader) and Carl Freeman (Executive Director, Digital Cloud, Financial Services).

Enterprise Digitalization: What are the biggest current trends with cloud risk?

Paul Sussex: In terms of big trends in cloud risk, it continues to be the management of data and how to protect data. All of those legal and regulatory constraints continue to put pressure on proper management of data. What we see in highly regulated sectors is that the need to keep your infrastructure up and running has always been critically important. If your organization is a hospital or an air traffic control center, or an infectious disease control center or a financial services organization, or anything that deals with very significant transaction data, or life and death situations, your systems that support those protections need to always be up and running. When you look at the cloud, there are a number of control points. Since it's a public cloud, you don't typically have the right to inspect it. You just have to take for granted that these things will continue to be up and running and available. Historically, organizations have architected their systems so that they could survive and be resilient against not just the large events, but the small changes that could potentially take down an infrastructure and cause disruption. With the public cloud, the big question that we get a lot is, you know, "How do I manage my availability, risk or resiliency risk so that I can meet my obligations and keep those key systems up and running?"

Carl Freeman: With the advent of building infrastructure, there is much higher reliance on automation. Automation is really becoming a big area of focus for us in terms of looking at tech risk assessments, because automation can be your biggest fan, or can be your worst enemy. If you get a piece of automation wrong, it can be devastating in how it can destroy the environment rather than keep it up. If you think about that in the public cloud, the biggest mess from a resiliency risk point of view in that space is that when people go to the cloud, there is a general understanding or belief that going to the cloud adds a layer of redundancy and disaster recovery into your business. That is not true. You still have to build for disaster recovery and resiliency and redundancy as you would in your normal business practices. It doesn't solve for that and people tend to forget about that.

ED: Do you think hybrid cloud is a safer option that a lot of organizations are looking at now?

PS: Take a look at different industries. In financial services, it’s not much of a choice, but instead it’s a reality. They've got legacy systems that have been in place for 50, 60, 70 years in some cases, and there's lots of talk about what to do with it. When you think about hybrid cloud, you are introducing two environments that have to be controlled. Part of your risk is not just increased by the number of new things that you have to manage. It's also a risk around talent because now you have to not just retain the same types of folks that have to maintain the legacy environment, but you have to also look at potentially new talent to manage. If you're exclusively leveraging your existing talent that has not been adequately trained or experienced, you do increase your risk position because you do need to appreciate some of the nuances with the new paradigm. It’s about the capabilities that you have in your organization or your aptitude to hire the talent that you need to get the organization competent to manage those new term environments.

CF: If you think about moving to the public cloud as a function of risk management actually, well that's how a lot of the banks are starting to think about it. It's risk appetite, and how does a firm score its risk appetite? In financial services, that is derived more from reputational risks.

ED: What do you think the future holds in terms of cloud risk?

CF: Because of human nature, we are going to see an increase in malicious risk. These are deliberate attempts to corrupt people, data, and lives in a way that we didn't see before, because things are ultimately more connected. How does cyber security become more involved in the Internet of Things (IoT) and making sure that the entry points are more controlled?

PS: From a long-term thinking perspective, I think as automation increases, we must keep up with the concept of dynamic controls to mitigate that risk. We're introducing so much speed and agility into modern architecture and modern capability, but the controls to manage those things are still very much based on thinking. As time moves on, I see the same level of evolution in terms of speed and capability and automation being applied to the consolidation space. I see risks being managed, some more efficiently, but there still needs to be human intervention. We can't outsource our risk to technology completely. There still needs to be a hand on the wheel. If you think about ethical artificial intelligence (AI) and things of that nature, there still needs to be a hand on the wheel and proper governance. Look at autonomous vehicles: How does one calculate risk when there's harm between hurting one person versus a group of people? Is it a calculation based on numbers? How do you manage that risky algorithm when you're looking at purely automated autonomous systems? I think the sophistication of risk will increase, but so must the dialogue on what proper controls around risks are, and the ethical nature of managing risks.
