Beware of the dark side of the cloud

Published: November 2017

Cloud computing can offer real benefits for business but it also brings new challenges. Dr Micheal Axelsen, an IT expert from UQ Business School, says businesses need to understand the risks and address them.

Gone are the days when a business might keep all of its valuable data on one hard drive. Today, most of it is likely to be in the cloud - stored on distant and unknown computers.

We back up our data to the cloud, our emails are hosted on it and many popular business software programs are cloud-based applications.

Cloud computing offers definite advantages - it is accessible from any location and if your office burns down or your laptop breaks, the data will still be ‘there’. It is easier to sign up for and manage new software, and the computing power can be scaled up or down as required. Cloud computing reduces costs and is more reliable than a ‘roll-your-own’ solution.

However, the cloud brings its own challenges. Businesses need to be aware of the risks they are taking and take steps to address them.

Choose providers carefully

A cloud computing arrangement is a long-term commitment and the service provider needs to be financially sustainable and must continue to refine and develop their product.

Carry out due diligence on the service provider before entering the arrangement and don’t fall into the trap of using a ‘cheaper’ provider that fails to deliver. Price is an important consideration, as is the provider’s technical capability, but the real question is: Will they be there for as long as I need them?

Ensure you understand how the provider monitors their services, achieves reliability and recovers from any failures. The relationship between you should be built upon trust.

It is a good idea to spread the risk by using a portfolio of cloud providers – for example, Xero for accounting, Amazon Web Services for client data analysis and Microsoft Office 365 or OneDrive for email and file storage. If one provider is unable to deliver what you need, the impact on the business will be less.

Have a strict policy on passwords

While password management has always been important, it was less critical when the business had control over the physical device. In the cloud, there is little tolerance for error with passwords.

Ensure passwords are secure and changed regularly, including when staff leave. Where possible, use multi-factor authentication - for example, a password and another device. Without this, anyone with the password is able to access the information. Ensure that only those users who need them are given passwords and usernames.

Maintain high levels of security

Ensure that cloud-based services are secure by implementing anti-virus software and firewalls, applying security to operating systems and applications, and encrypting files where possible on the business’ network as well as at the cloud service provider.

Comply with data privacy rules 

Businesses hosting data in the cloud need to take extra care to protect personal or sensitive information and will need to comply with the new and tougher rules coming into force in 2018.

Currently the Privacy Act 1988 (Cth) applies to businesses with a turnover in excess of $3 million or those which provide a health service. It relates to personal information, or that which could make an individual ‘identifiable or reasonably identifiable’, and to sensitive information such as information regarding health, religious beliefs, sexual orientation or political affiliations.

It requires that companies disclosing such information to overseas entities must ensure that it is not accessed by non-compliant third parties. In practice, this creates difficulties as information in the cloud may be stored anywhere in the world – for example, Dropbox stores files in US-based data centres. If such information is not shared with third parties, it is ‘internal use’ – it is only if a non-compliant third party accesses the information that a ‘disclosure’ occurs.

From February 2018, organisations will be obliged to notify the Office of the Australian Information Commissioner when a data breach occurs and could incur penalties of up to $2.1 million. Penalties aside, the disruption and damage to reputation could be very costly. Businesses must understand the data they capture and hold, and have a plan for managing it effectively and for responding in the event of a data breach. If you are holding information that is of no use, get rid of it.

Don’t get locked in

Entering a cloud computing arrangement is much easier than leaving it. Ensure that the service you choose is standard and you can easily move to other providers. Understand what is involved in moving and what capabilities you need if you take the service back in-house. 

Otherwise ‘vendor lock-in’ can arise, which means it is prohibitively expensive or just not possible to move. Without viable alternatives, it is difficult to negotiate a better service or better deal with your existing provider.

While cloud computing is now mainstream, it is not a ‘silver bullet’ that cures all woes. For businesses with highly sensitive information, it may never be suitable. For the rest of us, cloud computing can have a silver lining – provided that businesses address the challenges that it brings.