Article co-written by Peter Morin, Senior Manager, Technology Risk Consulting; Sivan Vaisman, Senior Manager, Forensic Technology; and Jeff Dance, Manager, Cyber Security, KPMG in Canada
Moving to the cloud? As promising as the software as a service (SaaS) model can be, it is important to balance lofty expectations with the realities of working online.
For many, the migration to the cloud has led to Office365, Microsoft's suite of subscription-based productivity applications such as Outlook, Word, Excel, PowerPoint, SharePoint, and OneDrive, Microsoft's solution to cloud-based data storage and sharing.
As with other SaaS solutions, Office365 enables organizations to pay a subscription for access to these applications and makes numerous add-ons available to both enhance functionality and mitigate data security risks.
The price alone has enticed numerous organizations to transfer their IT functions to the 'cloud'. And while there are merits to this strategy, any move must be made with full consideration of the risks and misconceptions around these online services.
One of the largest myths of working in the cloud is that organizations are no longer burdened by data privacy and security concerns. Certainly, services like Office365 come with standard security controls and advanced add-ons; but at the end of the day, the responsibility still falls on the user to practice good data hygiene, ensure that proper security controls are enabled and functioning appropriately, and understand the full value of every byte of corporate, and sometimes personal, data being uploaded and shared in the cloud environment.
In short, if you move to the cloud with bad data security habits, the bad habits are going to be amplified in the cloud.
It helps to recognize the difference between on-site services and cloud-based alternatives. Traditionally, with an on-premises Microsoft Exchange server, many organizations have several controls such as VPNs, firewalls and multi-factor authentication to keep transactions secure. These are perimeter controls that do their job behind the scenes and with little to no effort required by the end user.
In the cloud, those controls are not always guaranteed – and even when they are enabled, it is unlikely end users will be familiar with how they operate. Moreover, the data is now in a public environment that can be accessed by anyone who knows your login information. Office365 addresses virtually all these concerns, yet data security remains something organizations have to take a more active role in ensuring and verifying on an ongoing basis.
The best solution is to shift from a perimeter risk perspective to a data risk perspective. This approach acknowledges that perimeter controls cannot be taken for granted and that the organization has to pay closer attention to the security features it is using, what it is sharing online, and the specific controls and processes in place to protect it.
After all, you can be secure in the cloud, but only if you remain on guard.
Education and skills around cloud computing are growing. Still, many organizations have yet to grasp the full scope of their responsibilities and risks in this virtual environment. Here are six considerations to take before moving to Office365.
With cloud computing, the saying rings true: 'immunization is cheap, but triage is expensive.' Before packing up for the cloud, it is best to have preventative measures in place, not only to avoid lengthy and costly recovery efforts but also to move into the virtual age on solid footing.