As the world begins its second year under the shadow of the COVID-19 pandemic, it is becoming increasingly clear that the cloud is no longer the universal solution to information technology’s fundamental need to deploy secure, scalable infrastructure and applications in a cost-effective manner. If anything, the cloud landscape is about to darken significantly for organizations of all types, and IT must be prepared.
This reckoning, of sorts, has been a long time coming. Tightening regulatory regimes, such as the European Union’s General Data Protection Regulation (GDPR) marked a major milestone when it was implemented in May 2018. It disrupted the business world by imposing privacy rules on any global organizations holding data on European persons -- and in doing so triggered a global privacy movement that spawned a tsunami of US state-level privacy efforts. According to a tracker created by the International Associates of Privacy Professionals, as of March 2021, 30 states have introduced privacy bills, including a landmark California Consumer Privacy Act (CCPA) that was enacted into law and went into effect January 1, 2020. Businesses should expect that GDPR or CCPA-adjacent data protection regulations will continue to pop up across the US.
As more GDPR- and CCPA-adjacent data protection regulations are enacted, the pressure on businesses to comply will only add to the complexity of their technology environment, particularly cloud-based initiatives.
The pandemic has only added to the load, as organizations increasingly shift workloads into the cloud to better manage remote workforces during this historic global event. At the same time, a rising tide of high-profile breaches involving major cloud-based platforms complicates this process, adds unanticipated risk to IT’s roadmap, and reinforces why data protection requirements deserve greater budgeting and resourcing priority.
The numbers reflect the risk, with 92% of enterprises in 2020 saying they now rely on the cloud for their IT environment. The mass pandemic-driven shift to remote work only adds to this momentum. Moreover, the mantra of “it’s safer in the cloud” should be called into question as the behemoths of the cloud world continue to fall victim to large scale cybersecurity attacks; the likes of Mimecast, Accellion, Qualys and Microsoft have all reported sophisticated attacks on their platforms in the past few weeks following the headline-grabbing SolarWinds compromise of late 2020.
Costs Will Escalate as Vendor Selection Requires Additional Scrutiny
Many businesses leverage risk-based approach to regulatory compliance as they aggregate risks associated with a business process to determine the level of protection required, often transferring risks to cloud providers with inherently enhanced protections at reasonable costs. But clearly this is no longer enough. What happens when such competent third parties are found less than capable of protecting the information entrusted to them?
In today’s cancel culture, many businesses that were SolarWinds customers quickly reviewed their risk posture and considered alternatives as soon as the compromise was publicized, willing to incur additional operational costs to avoid falling victim of a weakness in their supply chain.
As cloud providers continue to drop like flies to sophisticated attacks, the “outsource your risk” movement may come to an impasse, lest the cloud industry undergoes the necessary reform to enhance their data protection measures, such as additional segregation within their service tenants, and better control of their own supply chains to limit exposure to widespread compromises.
Yet businesses can’t afford to wait for more/better reforms to come to the industry. You are ultimately accountable for implementing, monitoring, and maintaining data protection measures on behalf of your stakeholders, even if someone else “owns” the infrastructure. You can’t hide behind service providers forever.
We Pay in the End
Reform will come. Cloud providers are realizing that they are no longer just in the business addressing their customers individual risks, but also the aggregation of all their customers’ risks, as evidenced by big virtual bulls-eyes cybercriminals have placed on cloud providers in recent months. Looming privacy regulations across the US with promise of fines and legal damages will act as fuel to fire, ushering in a panic across the cloud industry to implement enhancements to limit their exposure. Let us not be naïve in thinking that such enhancements would simply be absorbed into these vendors’ operating costs. Ultimately, the vendors’ costs of enacting necessary enhancements will simply culminate in a recalibrated price list across the entire cloud industry.
The era of blindly trusting cloud providers is over. The recent spate of high-profile attacks on cloud providers is far from an anomaly. It is our new normal, and it heralds greater cost and complexity for vendors and customers alike. As businesses continue to face ever heavier data protection regulations, they must analyze their public cloud usage with an increasingly critical eye. Start reviewing your vendors far more closely than you might have in the past, and be prepared to shift operational and budgetary priorities, as well as negotiation strategies. As the once-utopian assumptions about cloud services evaporate in the increasingly turbulent cloud services environment, businesses should think twice about who they trust with the keys to their kingdoms.
Aaron Shum is Practice Lead – Security, Privacy, Risk & Compliance at Info-Tech Research Group. With 20+ years of experience across IT, InfoSec, and Data Privacy, Aaron currently specializes in helping organizations specializes in helping organizations implement comprehensive information security and cybersecurity programs, as well as comply with data privacy regulations. View Full Bio.