The business disruptions of COVID-19 accelerated companies' movement to the cloud. Web-based computing services enabled employees to work remotely, stabilized supply chains, and delivered new digital experiences to unexpectedly homebound consumers.
It was inevitable that some risk-averse executives would start wondering about the exposure associated with all that data migration. In fact, PwC's US Cloud Business Survey, released this year, found that half of company leaders who were surveyed viewed cloud-computing's risks as a significant barrier to realizing value from it.
But Michael Corey, the technology, media, and telecommunications cybersecurity leader for PwC US, sees potential to reframe the cloud conversation around risk.
"Cybersecurity can actually help accelerate business innovation," he said. "Cloud-native security and monitoring tooling has created a world where full-stack cloud-security engineering talent can accelerate adoption with faster go-to-market timing and lower costs."
"But first," Corey said, "organizations must map their cloud strategy onto specific needs around cybersecurity, as well as compliance."
Cloud-security professionals must understand how expanding cloud footprints translate to risk, Corey said.
Consider the rapid shifts to web-based computing that happened in the immediate aftermath of remote-work policies implemented in response to COVID-19. With many companies mobilizing remote-work plans virtually overnight in March 2020, servers and applications used for identity management, payroll, and human-resources administration — functions that had traditionally been confined to internal corporate networks — were suddenly exposed to the internet, Corey said.
At the same time, mass implementation of software-as-a-service applications enabled workers to collaborate via videoconferencing and document sharing. The application programming interfaces of these services bring their own complexities, increasing the chances for security misconfigurations.
It's exactly those misconfigurations that bad actors scan for an opening to exploit, Corey said. He pointed to a "sense of asymmetry" between the work of security teams and criminals: One side must monitor countless devices, while the other need find only one vulnerability.
Cybercriminals practice so-called social engineering, such as using pandemic-inflected messaging to get people to click on a phishing link and unwittingly unleash malware.
"It's not that the bad actors are out-innovating innovative companies," Corey said. "But they have the ability to pivot their attention on a situational basis with the intent of going after the lowest-hanging fruit. In other words, the most probable way to compromise the target's system."
There is also the misperception that the only risk associated with cloud migration is in exposing sensitive data. There are other risks, said Cameron Whittfield, the technology, media, and telecommunications leader for PwC Global Legal Network (PwC Australia). These include "lack of transparency and control, increased complexity (particularly when managing multiple vendors and IT ecosystems), compatibility risks, third party supplier risks and transition risks," he said.
"Potential roadblocks to cloud migration include compliance requirements and associated costs," Whittfield said.
Noncompliance — when a company doesn't comply with its regulatory obligations — can result in regulatory investigations, reputational damage, and, possibly, regulatory and legal liability. Some businesses, having already suffered losses throughout 2020, may decide that compliance costs are not worth the upside of cloud migration.
Whittfield understands this concern. But he does find the cloud's compliance maze manageable — and ultimately worth it — once an organization gets people, process, and technology working together.
"For day-to-day internal compliance, technology and automation can be leveraged," Whittfield said. "However, this is only as effective as the human capacity to define compliance-monitoring requirements and respond to areas of noncompliance."
Each industry has a distinct relationship with the cloud — and with the security and compliance issues it presents. Whittfield pointed to the retail, consumer goods, and telecommunications sectors as further along in cloud adoption, while the financial services and government sectors tend to attract extra layers of scrutiny.
"We tend to see clients are concerned with the complexity of maintaining compliance when operating in the cloud, and admittedly, it can get complex," Whittfield acknowledged.
To manage the complexities, he recommends developing what he calls a cloud-governance function as part of a company's overall cloud blueprint. This enables timely and accurate management of risk and compliance activities, through a blend of people-managed workflow and software-led automation.
Risk and compliance are best assessed according to what Whittfield calls a shared-responsibility matrix, to ensure there are multiple eyes on data security across the company, the cloud-service provider, and other applicable third parties. Built-in tools can also be leveraged to create and simplify compliance programs.
Finally, he emphasized it's perfectly fine to start small, with what's known as "minimum viable cloud," a cloud-centric take on the "minimum viable product" model of software or product development that gets a project off the ground.
"Companies may wish to start with a minimum viable cloud and build muscle memory around that," he said. "Some organizations have unique requirements, and cloud adoption doesn't need to be a 'big bang' from the start.
"Given the implications that arise from a cloud migration in terms of people, process, and technology, it's worth considering an agile and iterative approach, identifying what works for each and every organization individually."
And though the demands of compliance can make executives feel it's all too easy to misstep, Whittfield said it's worth remembering who this oversight is designed to safeguard.
"Ultimately, it is to protect the customer, consumer, and community," he said. "At the end of the day, cloud-related regulations exist to sustain and build trust in a digital environment while providing assurance and confidence."