Risk is tricky. You can take on huge amounts of it without consequence – until it’s too late.
IT firms are adopting and selling cloud services with abandon. Growth is over 100% for the past five years. While the cloud brings many benefits, many IT providers are aware of the risks in cloud computing and are charging ahead anyway.
This chart from an InformationWeek and Dark Reading survey shows the top cloud computing risks that concern IT professionals. As you can see, the top three center on the threat of unauthorized access and security.
Here are the top cloud computing risks we identified:
#1. Unauthorized access to customer and business data
Criminals do not like to work. They may target small business networks because they are easier to breach, and they often go after larger companies because of the allure of larger payouts.
Cloud services aggregate data from thousands of small businesses. The small businesses believe they are pushing security risks to a larger organization more capable of protecting their data.
However, each business that uses a cloud service increases the value of that service as a potential target. This concentrates risk on a single point of failure. A disaster at a cloud provider can affect every one of its customers.
And hackers and malware are not the only ones who may target a cloud service provider. Cloud computing risks are also presented by insider threats.
Once you outsource a service to a third-party server, you now have to worry about your staff and the vendor’s staff. More people have access to the data and systems that support the service, which means you have to extend trust to people you have never met.
The risk of government intrusion also increases when you use a cloud service. Ask yourself, if Uncle Sam more likely to snoop on your email server or an email server used by a hundred companies and maintained by Microsoft?
#2. Security risks at the vendor
When a cloud service vendor supplies a critical service for your business and stores critical data – such as customer payment data and your mailing lists – you place the life of your business in the vendor’s hands.
Ask yourself – how clean are those hands?
Many small businesses know almost nothing about the people and technology behind the cloud services they use.
They rarely consider:
- The character of the vendor’s employees
- The security of the vendor’s technology
- The access the vendor has to their data
When you depend on a cloud service for a business-critical task, then you put the trust of your business into the hands of other people and the quality of their work.
Your reputation no longer depends on the integrity of only your business – now it also depends on the integrity of the vendor’s business. And that’s a cloud computing risk.
Even if you know the number of people at a vendor who can access your data, how well do you know each person? Can you trust them with the reputation of your company?
#3. Compliance and legal risks
Are you in an industry that regulates data security? The list includes healthcare, banking, government, and anyone that accepts credit cards – and the list of regulated industries continues to grow.
Many data security regulations are intended to protect a specific type of data. For example, HIPAA requires healthcare providers to protect patient data. PCI DSS requires anyone who accepts credit cards to protect cardholder data.
Not only are the companies covered by these regulations required to protect the data, they are also typically required to know
- Where the data resides
- Who is allowed to access it
- How it is protected
If a company outsources the processing or storage of data that it is required to protect, then it is relying on a cloud service provider to maintain their compliance.
If the company does not have adequate legal protections, then it may be liable when there is a data breach at the cloud service that exposes the company’s data.
In other words, unless you are protected in writing, then a cloud service provider might not be liable for a breach of your data on its systems. So you are transferring the responsibility of protecting the data to a third party, but you are still liable if that party fails to live up to the task.
This is one of the many risks in cloud computing. Even if a vendor has your best interests at heart, your interests will always be secondary to theirs.
#4. Risks related to lack of control
When you host and maintain a service on a local network, then you have complete control over the features you choose to use. If you want to change the service in the future, you are in control.
However, when you use a cloud service provider, the vendor is in control. You have no guarantee that the features you use today will be provided for the same price tomorrow. The vendor can double its price, and if your clients are depending on that service, then you might be forced to pay.
Also, who controls access to your data in a cloud service? What happens if you are not able to make payment?
If you get behind on your bill, then you may be surprised to find your data is held hostage by the vendor. You cannot access the service and export your data until you pay up.
And who owns the data?
When you host a service locally, the data and level of service is always in your control. You can confidently assure your clients that their systems and data are safe because they are always within your reach.
Remember: you have many ways to protect your data when it is in control. However, once it’s in the hands of a cloud service provider, you have ceded control to an entity over which you have no oversight.
#5. Availability risks
No service can guarantee 100% uptime. When you rely on a cloud service for a business-critical task, then you are putting the viability of your business in the hands of two services: the cloud vendor and your ISP.
If your internet access goes down, then it will take your vendor’s cloud service with it. If you need the cloud service to process customer payments or access important data, too bad – you have to wait until the internet is back up.
Another cloud risk is that the vendor can go down as well. Anything from bad weather, DDoS attacks, or a good ol’ system failure can knock the service unresponsive.
How much uptime can your cloud vendor provide? 99%? That’s great, but consider that statistic for a moment….
99% uptime means 1% downtime. Over the course of 365 days, that’s 3.65 days the service will be down. That’s equal to 87.6 hours.
But when do those hours occur? Late at night? During the day?
If those 87 hours were to occur during business hours, then that’s equivalent to 10 days of downtime.
Can your client live without this service for 10 business days?
And remember: That’s just for the cloud service. The client’s internet connection will also experience downtime. If you again assume 99% uptime and 1% downtime, then that’s as much as 20 business days that your client will not be able to reach the cloud service.
Can your client live without the service for 20 days?
Your business and clients at risk
We’ve discussed cloud computing risks at some length, so it’s helpful to remember what is at risk.
A breach of your data or your client’s data can be devastating depending on the type of data and the extent of the breach.
The costs of investigating and resolving a breach, associated legal expenses, and the losses to a company’s reputation, can be enough to shut its doors.
The risks related to the availability of a cloud service are less severe, but still damaging.
Depending on the nature of the service and its importance to your day-to-day operations, an outage can mean anything from a temporary headache to a massive disruption that costs the company thousands.
Is cloud computing worth the risk? It’s up to you to decide.
Photo credit: Walknboston