Assessing and Mitigating Cloud Risks

Please join our thank you panel here. You'll have noticed we have John Hermans of KPMG who joined happily our round here, and we have some time to discuss the different approaches to the audits. And maybe you want to give you impression first and you are from KPMGs August. So I ask you not too much to comment on her. I'll do I'll do that alga you this very well.

No, no. Hi everyone. I'm John many, many, many, many years ago. I was always present during COA call. And when sitting here, I'm realizing I'm getting old, because I think apparently we didn't tackle this whole issue for the last three, four years. And so that makes me wonder, is this really an issue? It's really the, the fact that we can't order the cloud providers, is that really stopping the companies using cloud who, who would like to, to comment on that?

Well, I think some companies are, are, are, are not prepared to use the cloud and, and they may be doing this for a good reason, or simply from prejudice. There are other companies that will use the cloud for some purposes. And for example, I came across an oil company that said, we will only use the cloud for non-business critical and non-compliance areas, right? So there are companies that, that are concerned with that. And yet at the other extreme I've come across a major bank that has decided it's going to move everything to the cloud. Right? So that it depends.

And it depends, as you were saying, Olga, it depends on the risk appetite, the real perception, you know, and although I've produced and all, we've all talked about a rational view to risk. We all know that risk is perceived in an irrational way, right? By by many people, you know, there's the, the, the, the various sort of irrational fears of this, but it is to answer your question. It does remain a problem for some people, and it may be a problem for some of those organizations that have moved. They don't realize what the risk they've taken is.

The interesting thing is if you look to the whole model to assess the quality of it services, the, the, to assess the quality of it, sourcing providers, that's something, what we are doing for, for, for, for decades. What does this makes this so fundamentally different that we apparently have three or four conferences still?

We, we, we are debating on, on risk management models on continuous auditing. And of course I like auditing because I'm earning a lot of money by why, why by doing all of this, apparently we all move into the, the, of that cloud.

So, but what's so fundamental different that we should be careful about is what's different knowing that our traditional it is secure than de cloud. What what's different is is that this, this is mainly a conference attended by it people. Okay.

And it, people have been trained and educated to do rather than to assure. And the concern is that it, people are comfortable in running their own services and they are uncomfortable in assuring other people's services. So they're not lawyers, they're not auditors.

And that, that is one of the major cultural problems in this Olga, from your experience, what's the biggest risk using cloud services. I think it's on now. It's On now.

Oh, no. Yeah. Losing your data. That's what we say.

I, I, I think you were implying something, how Applying from scale Mario, are you, so what's, what's the biggest risk? Well, actually I liked the overview from Mike with the top five and our project for example, is addressing the compliance risk, right? So we have these different kinds of certifications and we realized, okay, well, it's nice to have those audits once a year, but in cloud infrastructure, which is so dynamic, this is not sufficient from our point of view, Is it not even simpler?

That biggest risk is that, how can we control people stopping buying cloud services if they're not allowed to? Is that not probably the biggest risk?

What, what we're currently seeing in major corporations, any of you? Yeah, well, I can, I can give, yeah, we were discussing that it's called shadow it and executive the example that 10 times more people using cloud applications. And also we had the discussion earlier today on mobile technologies in other sessions that Shelby allow not mobile technologies within the companies. And the reality is that yeah, if you, if you, if you prohibit that people will still bring the, the mobile phones and keep using the cloud sources or without control of it organizations.

So not sure what's your view on that yet. So you are asking that the largest risk that people in companies using cloud services, but it's not allowed. Right. So for example, Dropbox, They're just bought, they just buying it right. Use credit card and you buy it, Right.

I mean, a P permanent example is indeed a Dropbox. So if you're in a company and Dropbox is so easy to handle to, to share your documents, and it's a very fast way to do so.

And, but just another project in our side, we are currently evaluating tools that are made to monitor this. Yep. So there are already lots of examples of tools that monitor in companies. Are there any cloud services used that are not allowed? Yep. Yep. Yep. And of course we will use them many times, of course, but I think that's probably the fundamentally, that's one of the, the key issues. Apparently all the, all staff, all people just can acquire the cloud service without an it knowing.

So I think if you're talking about the new paradigm in, in the past, we, we said cloud plan will be the new paradigm or the new paradigm is that I have cloud, I have shadow shadow it. I have on-prem and off-prem than it. So that's the new paradigm. So how can we actually done Key On controlling that I Would say it's not actually new because I'm, I'm so old that I remember when client server arrived, there were the good days.

And, and the point was, it was the same. There was suddenly, there was a shift where a deep departmental manager or a line of business manager out of his budget could buy a system. And that's all that's happened is we've just gone back to that with the cloud. And so the, the sales director of, you know, some small department can, can actually go out and buy a CRM system for himself without asking anybody because it's within his budget.

And this adds to the chaos and confusion, because, you know, in one of, one of the problems with the cloud, which wasn't on my list is that for large organizations, it's just another dimension of complexity. Yep, absolutely.

You know, the, the, the, and, and it can be even worse where, where in fact that there are many different cloud solutions for the same problem that are bought by different depends. So your point about buying, it has to be brought in a large organization. It has to be brought back within the normal purchasing cycle, rather than the, the golf course purchase for a small organization. It may be a different kettle fish altogether.

You know, I I've come across small organizations where the whole crown jewels are on a five year old PC under the desk, and security is a dog, or in reality, often these, these are people that run in poor data center quality, and they would be much better to, to put everything into a cloud service rather than trying to run it themselves. So I think on some cases, actually just going to the cloud and embracing it for a small to medium business is the absolutely the right hand. Absolutely.

And well, actually, I I'd like to ask you something because I really found very interesting that you are asking for the risk appetite in the beginning of your, the action that you will undertake. Yes. I do audits myself and I usually have people there that are extreme either. They're like, okay, I'm really open to risk. And it's very important for me not to spend too much money for exam, not to have a long period of implementation or there's people.

No, I'm really afraid. Maybe it's my branch, whatever. I don't want to take any risk. That really reminds me on Tom Langford, who today introduced his traffic like saying, well, if people have to watch what they're doing now, and if they have to judge on what they're doing now, no one takes anything else these days, except the yellow, because red, you're not supposed to, to tell because you have failed. If you take your green light, then it's like, you will not have any budget anymore.

Can we transfer that to the situation that you meet when you ask your clients, what's your risk for what's your appetite for risk? Are they all yellow? Ooh. So your question is to using a light metering to, to determine the risk episodes, maybe if you want, well, I think we are quite practical in the sense we, we, of course we like colors, but I think for this particular way of dealing with cloud risk, we're always asking more like, okay, give us practical examples. What does it mean for you to, to be afraid of cloud or not?

Okay, exactly. This example, I told that, yeah, we will never allow business critical information going to cloud. So you might read flag that definitely.

Why not, but for us is just a statement. Okay. So it's more statement of what they want to achieve in general, Or how do they like of information? Like Mike was saying that some, we see some conservative, some clients saying we want everything eventually in the cloud, not even hybrid model, we want to have only one wifi and 10 on-premise and rest is in cloud. So this is, will be example of really risk taking. It's more what they want. And by saying what they want, they express to you, the professionals that's, what's the risk they want to take. Yeah.

That's a starting point for us to together, determine the route and select appropriate controls. Okay. Because if they really try, they want everything in the cloud means that well, that we will have more flexibility in terms of, for example, legal and compliance. Sure. We'll have to, I really liked your answer. That was very short. I don't know if everyone heard that when John was asking you, what's the biggest risk. If you go to the cloud and you were like, well, it's losing your data. It was so evident for you the way you said it.

I thought, at least it was very evident for you. I take very much the legal perspective.

Yeah, certainly. And now a lot of lawyers who say, well, this is not the question. Once you use the cloud, you already have lost your data. Yeah. So it's a prerogative to everything that you will lose the data, or you're not gonna be on the driver's seat. We have discussed trust a lot today in various sessions. Of course that's a pretty extreme perspective on it, but certainly some actions that might be taken in the future, if you don't have a dedicated cloud, you are not gonna be able to decide.

We had the issue of foreign governments, possibly asking foreign information that's stored in the cloud and so on. So there's many aspects on it. Possibly you wouldn't even know where your data is at the moment. Yeah. And according to privacy loss, you're about to, you are supposed to inform yeah.

Your, your customers, where their information is some things you might not be able to achieve once you move to the cloud. So that's what I mean, when I say there is people out there saying you've lost your data from second one. That's May I challenge you on that one? Yeah. I think what's different was 10 years ago.

If So, if we talk about say sponsors crime and those, that kind of things come on, we are on a security conference that was 10 years ago, exact the same. And still we make a lot of money, right. With all the businesses.

We still, we still have huge and profits by doing the new business and that kind of stuff. It's interesting, of course, that everyone is putting straight away the debate out about privacy of data, about losing data, but let's not get into the same pitfall again, that we are stopping innovation because we are, we are afraid that some other people would like to have access to a data because that's common practice already, since since many, many, many, many years, that's let's really use in the most optimal way, the new technologies like like cloud.

And also let's not try to always make it 100% secure. Let's same also the Mario, if you look at your presentation about the continued auditing aspect, is there really a business value or than for that are businesses really asking or than for that? I'm not sure, even though I'm from an auditing company, right. I'm not sure if my clients would have almost real time assurance that this control is, is 100% correct, because it's part of risk management back to your question about risk appetite. I'm taking risk if I'm doing business. So that means sometimes something is going wrong.

So why do I need continuous auditing? Well, first of all, I would say security and also privacy are not the party breaker. So you can still do your business. Of course. And as you said, it depends on the use case. And we know for example, use cases in, in Europe or in Germany, which rely very much on very strict compliance regulations and rules and laws. And for those scenarios, it's very important to have a reliable and, and secure cloud infrastructure with a high level of security for lots of other business cases, I would say, well, maybe they are lower.

I also follow Mike's argument that for example, for startups, cloud is brilliant. Yeah, you have those security guys already there in the cloud data centers, which set up everything for you. And then the question still is, okay, where is my data? Maybe you don't care, but then it's up to you. But if you decide for yourself, okay, I take the risk. If there is any risk for you and you say, okay, I follow this model. And if you have higher or maybe depending on, on compliance rules, you have to meet higher security levels. Then for example, those dynamic certifications can, can play a role.

I mean, it's, for this sense, it's still This project. Yeah. But then the follow-up question again, there it's of course, when we did the, the standard it art sourcing having 1, 2, 3, 4, 5, 10 different than sourcing partners, all major companies, they just relied on the south 70 are now called and SOC two, none of them was interested and none of them was interested in paying for real time and than auditing. So what makes the cloud so different or what they change over time that we, that would be a business case kind of a business value for having than, or, or than a continuous auditing.

Okay. I see.

Well, I think this, well, I can say that this is also part of the project. Well, it's currently not, I don't have a clear answer on this. So we have partners working on, on business models.

I mean, you can imagine that Euro cloud, for example, is very interested in doing those business models. Also the techno technological university Munich, we have experts there working on, on business cases, unfortunately, KP and G quit the proposal, just Wrong person To some history.

So, but to answer your business case, I cannot answer your question right now Just to adopt. Oh yeah, sure. There's the question over there. Yep. Maybe want with us. Thank you. Normally. Hello. Yeah. Normally I don't need a microphone of a bar voice, which makes it very embarrassing for the person waiting after my confession in church. But here's my question. I'm gonna make a, ask a question by making a rather bold statement. Isn't getting into the cloud in some way, increasing your risk because here's an example of say I'm a, a medium to large size kind of nondescript company.

I have my data center. I'm pretty much under control and all that. And nobody really cares about me. I know that eventually everybody could get hacked, but every 14 year old, every PLA Analyst, every hack on Moldova is looking to crack AWS, looking to crack Microsoft, looking to crack Dropbox and all that because that's where the that's where the other high value targets are.

And that'll do it technically, even though they have an army of people of technologists defending it, or they might do it the old fashioned way by finding some Analyst that works for Microsoft or AWS and extorting them or whatever. So taking my crown jewels, if you will, that nobody really cares about. And they're kind of in my little corner and putting 'em out in this high value target environment, wouldn't that in a sense, increase my risk. And I see you're shaking your head.

No, but I'd like to hear the panels answer. Can I give two specific examples of organizations that moved to the cloud to reduce risk?

One was a, a, a business of a couple of hundred people professionals that worked internationally, who could only worked out of an office, which was their data center, which was on top of a shopping mall. And they were holding highly sensitive information about buildings and things like this. And they realized that they could not afford, they could never afford to have a properly secure data center, but that if they bought it as a cloud service with appropriate controls, they could dramatically reduce the risk of loss of service and of other kinds of attack.

Another example was a medium sized business, a larger than that, that had built a new data center. And when the new CIO came in, he said, oh, I like your data center.

He said, what's your backup plan? And they said, oh dear, we never thought of that.

And, and so in the end, what they did was they used the cloud as hot standby for, for a backup. Now both of those were effectively done in my, my perspective to reduce risk by using the cloud. So it isn't necessarily the case that, that, that moving to the cloud increases risk. It changes it. And you have to decide what you want for what, what your objectives are in order to decide whether that change is good or bad, acceptable, or not acceptable, Probably to add a little bit to, to that.

It's, it's all about what are your, your crown jewels. So if someone of those actors of those threat actors from scripted to stateless crime is interested in your data. If it is on your own dance system, or is it's in that cloud, he or she will actually look for it. I think it'll be much difficult, much more difficult to actually get it through that cloud provider, because it's still such a competitive market. And of course it's built build on new concepts.

It's not built on all legacy thinking in, in it security that my, my gut feeling is really that in the cloud, it's much more secure than on your own environment. Okay.

Now you, you put it synonymous for security and risk. Some somewhat. I understand. Let me give maybe a bit extreme, but re I really mean it that way. Answer from a legal perspective. I think you're shifting risk. What you do is actually before maybe not using a cloud, you were in a position where you were doing your own mistakes. You knew what you were doing wrong, probably you do. You did worse than cloud service providers in general do instead of your, you doing it yourself, however, whatever you did, you did yourself. And you knew your risk in a way.

Now, having moved to maybe a cloud service provider, you have less information about whatever is done with your, with your data. Maybe you have some information, but it's not true. It's question of trust again. So I think the shift legally spoken is really in that before you are liable for whatever you do later on, you will be liable for something that you wouldn't know as well. And it's an extra of a third party, and it's not so easy to get your money back from that third party. So at the end, even the legal risk is an economical risk to my perspective.

So it's a shift it's not less, it's not more, it's just very different. It's a bit more obscure. You wouldn't know exactly what's happening, cause it's a bit behind the curtain, But that would apply also for the it sourcing partners. That's not specific to cloud, if you would outsource to in, in IBM or an HP, the other ones that would be exact Same.

Well, from a contractual perspective, it probably would be easier to have a non-cloud partner and find rules. At least from, from what I see than a cloud partner, that's geographically, possibly even a bit more spread throughout the world, Seeing that I've got the mic already, while you delivering the mic, I'll ask my question and directed to mic. You said a contract is a very inadequate way of handling your risk. My view on that is if you look at the traditional way of delivering of it, what we've got is control.

I mean like the gentleman in the middle, there was talking about the shift of the control. You are now shifting control from yourselves to a new partner. And at the end of the day, besides the certificate that you can get for assurance, you no longer know what's actually happening to the data. So your only recourse in my view is the contract, the closes. It'll not help you in the loss of data or in your reputation when, when things go wrong.

But from a financial perspective and the due diligence perspective, you are able to recover some of the money through the SLAs that would've been breached, et cetera. So I, I still think that a contract actually is a game changer when it comes to cloud. Cause if you don't go through it with the right legal analysis, with the right type of skills. Cause I mean, at the moment we've got administrators in our data center that are looking after our, our risk, our information, our security. And when we get to cloud, we actually have to change the skills of the people that we have.

Cause we no longer need the administrators. What we now need are more of relationship managers who are able to drive our requirements from the service provider through the contract. So I'm not convinced that with the contract is not the right way to go. Thank you.

Well, actually, I'll, I'll kind of respond to that point. First, one of the problems with the contract, it goes back to kind of John's point about is cloud much different from outsourcing.

I, I used to sell outsourcing and the outsource outsources to dozens or hundreds of clients. So when they build the contract, they have hundreds of experiences to build on and they know every little, you know, knit of what they're offering. And they're very careful not to offer anything that increases their risk too much. Whereas the client typically doesn't have anywhere near that level of granular knowledge and they say, oh, well, they're doing this, this, this, you know, they're doing 1, 2, 3, 4, 7, 9, and 10.

And they don't know that, you know, six was missing or five was missing, whatever, because they don't, they just don't look at their service in that granular a fashion. And so that contracts were always strongly in favor of the outsourcer until a company had outsourced a, usually a large enterprise had outsourced for many years and maybe gone through a couple renegotiations and finally kind of started getting savvy to how to play the game where they'd hire some consultants were specific to that to help them kind of level the playing field.

But to your, to, to John's point, I don't think cloud is any different than outsourcing, except that there were a lot of new businesses set up as opposed to the IBMs and the HPS who'd been in the it arena for a long time. And the cloud providers were set up to offer a very specific service. So they were not only only offering 1, 2, 3, 4, 7, 9, and 10. They were offering one, two and four. And that was it. And one of the bigger risks that didn't seem to show up and I'm, this is kind of my question is what do you think about the integration risks?

It's the it's, it's the stuff that the cloud provider isn't doing. You kind of expect they're doing, because that's what you've been doing and it's still your responsibility, but it's not clear because you, you don't know your own service granularly enough. We are almost, we, I think we are already over time. So I think we could have, could have a very long discussion on that also on the remark before. But what I would really like to know is from all of you as a closing remark, John, you said, why are we still discussing that?

So my question to everyone would be, will we still be discussing the same issue in three to five years? And why or why not?

Mike, maybe you wanna start. Well, I, I have to agree with John that I too am surprised that this game has played for so long. And in a way I hope we will still not be, we will not be still agonizing about this in, in, in five years time.

But my, my perception is that we will be moving like Jeff was suggesting that as people adopt more and more cloud services from different providers, the problem of, of, of this will be, be orchestration and integration of these incompatible things. And hopefully we will, we will see some standards that will start to emerge to, to, to do with that.

Just like, you know, you can buy electricity from whichever power power provider and you know, it's going to be the same and, and to the same quality. Thank you. How Are you?

Well, from my perspective, of course, we will continue this kind of discussion, especially when it comes to security implications. Privacy concerns don't know whether we still name it cloud computing in five years from now, but this kind of outsourcing here and data management there, and you don't know exactly where your data is and who has got access and all these kinds of authentication schemes and, and trust frameworks, of course, this will just continue like it is. And I would consider cloud.

I mean, if you think of IOT and so forth, we need those large data centers to compute all these kinds of big data stuff somewhere. So those infrastructures will exist in five years and longer and they will grow. So we have to deal with them. Sounds very convincing and very convinced. Okay. We'll definitely discuss clouds and mobile technologies, but from different angle, I think it'll get more practical. So we'll discuss cloud from like how to make it nice routine within enterprises, how to efficiently increase visibility in how many cloud services we are using.

So just making really practical, easy way of dealing with cloud. So there will be most probably conferences on this practical tips, how to maybe use new coming standards, but now it's more discussed on security and more theoretical level and I in future. So I see more practical talks coming up around that.

Okay, thank you. Now I'm thinking two points to that one.

Yes, we will. Of course still be talking about cloud. I hope that we, after the next couple of years, people talking about cloud then orchestration, what's really working and what's, what's not working, but I hope that also that we go into cloud three or four zero, that we're not going to use application or services out of the cloud, but that we using functionality out of that cloud. So that we basically use cloud as a, as a big box box of Lego blocks. And that we basically can mold the business than process using all the clouds than functionality instead of applications. And that we also yeah.

Think, yeah, like we did in the past with, with the business process modeling tools to actually use cloud in that way. And so that we actually move away from just cloud being the new it sourcing, but that we going to use cloud for functionality. Yeah. I was just gonna say quickly that cloud, as a term may go away, complexity's not going away. And so cloud, if you think about it, what is the cloud? It's a bunch of different things and bunch of different definitions. It's really a shorthand for a outsourced or a second party provision of service.

So certainly the, the everyone's right, because the cloud is not going, excuse me, the complexity's not going away and we'll have a new name for a new thing that we'll be dealing with where companies are trying to integrate it into their businesses. And so they certainly full employment for lawyers and consultants and technologists in the future, but it may be in just different pieces of the stack essentially.

Yep, absolutely. Okay. Thank you very much. I'm very much looking forward to ask you the same question in three to five years, you're all gonna be very welcome to come back and I'm sure that we will have a very entertaining discussion again, which I thought we had today. Thanks very much for contributions. Thanks for being here and telling us your opinions and your perspectives. Thanks a lot to all of you. Please come back within, I think one hour that's gonna be, that's gonna be a nice 50 minutes. Yeah. We're in overtime. Nice bunch of people discussing think globally act locally.

It's about macro level of risk. So there, thank you. Thank you.