By Marcelino Hoyla

Published on Fri, January 22, 2021


When it comes to storing organizational data in the Cloud, a few phrases come to mind: the train has left the station; the ship has sailed; the horse is out of the barn, etc. No matter how you phrase it, the meaning is the same – the world is moving to the Cloud, with or without you. It is no longer an oncoming revolution. The revolution is here and your organization needs to prepare for dealing with data in the Cloud, if it hasn’t already. With that in mind, let’s talk cloud logistics – namely, security and cost.


First up to the Plate – Cloud Security

You might have heard the analogy circulating in technology forums recently that storing your data within the Cloud is akin to storing data on someone else’s hard drive. Unfortunately, from a security perspective, that’s not quite an accurate analogy (although life would be much easier if it were true).

Don’t get me wrong – a significant benefit of moving to the Cloud is that it allows an organization to transfer much of the day-to-day security management to a technology company with the resources and expertise to handle that risk. For example, if you are moving to a private cloud (i.e., renting data center space for your equipment), you can ease security concerns by ensuring that the hosting company maintains widely recognized security attestations/certifications and has a demonstrated commitment to data center security in accordance with strict vendor management risk processes. And of course, there’s always the reassurance when moving to a public cloud (Microsoft’s Azure or Amazon’s AWS) that you’re entrusting your data to companies with seemingly infinite security resources and expertise. That all certainly helps me sleep better at night.

However, working within the Cloud still poses unique internal security challenges that will only amplify any of your existing security weaknesses if you’re not prepared for them. To put it another way: ISO certifications from cloud service providers cannot protect you from yourself. Risk, governance, and compliance teams will need to identify, plan for and adapt to internal security challenges. To do so, be sure to have a change management and review approval process in place (ideally before moving to the Cloud, but if not, as soon as possible once you’ve migrated). Also, ensure that your company has someone on hand (either through a vendor or within your IT staff) with the expertise needed to manage your internal cloud security who can stay abreast of all updates and changes.

Next up – Cost

To plan for a cloud migration, all stakeholders (including Legal Operations, Finance, DevOps, Security, and IT) should have a seat at the table and a plan in place for scaling up in the Cloud. Each team should understand the plan and process, as well as the role their team plays in controlling cost and risk for the company.

Cloud Security and Costs Best Practices

To plan for security risk in the Cloud, companies should ensure that:

  • All cloud service providers are fully vetted, security certified, and have the requisite posture in place to fully protect your data.
  • Company internal processes are evaluated for security risks and gaps. Have a change management and review approval process in place and ensure that you have the experts on hand to manage your cloud security practices and stay abreast of all updates and changes.

To plan for costs, companies should ensure that:

  • All stakeholders (including Legal Operations, Finance, DevOps, Security, and IT) collaborate and have a plan in place for scaling up within the Cloud when needed.
  • Each team understands the plan and process, as well as the role their team plays in controlling cost and risk for the company.

If you would like to discuss this topic more or if you have questions, please reach out to me at MHoyla@lighthouseglobal.com

About the Author
Marcelino Hoyla

Security Compliance Analyst

Marcelino has over 12 years of IT experience. At Lighthouse he manages compliance tracking via ServiceNow and validates compliance with internal security policies and standards as well as client requirements. Additionally, Marcelino leads certification reviews for ISO 27001, SOC 2, and HIPAA.