Article co-written by Peter Morin, Senior Manager, Technology Risk Consulting; Sivan Vaisman, Senior Manager, Forensic Technology; and Jeff Dance, Manager, Cyber Security, KPMG in Canada

Moving to the cloud? As promising as the service as a software (SaaS) model can be, it is important to balance lofty expectations with the realities of working online.

For many, the migration to the cloud has led to Office365, Microsoft's suite of subscription-based productivity applications such as Outlook, Word, Excel, PowerPoint, SharePoint, and OneDrive, Microsoft's solution to cloud-based data storage and sharing.

As with other SaaS solutions, Office365 enables organizations to pay a subscription for access to these applications and makes numerous add-ons available to both enhance functionality and mitigate data security risks.

The price alone has enticed numerous organizations to transfer their IT functions to the 'cloud'. And while there are merits to this strategy, any move must be made with full consideration of the risks and misconceptions around these online services.

One of the largest myths of working in the cloud is that organizations are no longer burdened by data privacy and security concerns. Certainly, services like Office365 come with standard security controls and advanced add-ons; but at the end of the day, the responsibility still falls on the user to practice good data hygiene, ensure that proper security controls are enabled and functioning appropriately, and understand the full value of every byte of your corporate, and sometimes personal, data being uploaded and shared in the cloud environment.

In short, if you move to the cloud with bad data security habits, the bad habits are going to be amplified in the cloud.

It helps to recognize the difference between on-site services and cloud-based alternatives. Traditionally, with an on premise Microsoft Exchange server, many organizations will have several controls such as VPNs, firewalls and multi-factor authorization to keep transactions secure. These are perimeter controls that do their job behind the scenes and with little to no effort required by the end user.

In the cloud, those controls are not always guaranteed – and even when they are enabled, it is unlikely end users will be familiar with how they operate. Moreover, the data is now in a public environment that can be accessed by anyone who knows your login information. Office365 addresses virtually all these concerns, yet data security remains something organizations have to take a more active role in ensuring and verifying on an ongoing basis.

The best solution is to shift from a perimeter risk to a data risk perspective. This is an approach which acknowledges the fact that these perimeter controls cannot be taken for granted and that the organization has to pay closer attention to the security features it is using, what it is sharing online, and the specific controls and processes in place to protect it.

After all, you can be secure in the cloud, but only if you remain on guard.

Education and skills around cloud computing are growing. Still, many organizations have yet to grasp the full scope of their responsibilities and risks in this virtual environment. Here are six considerations to take before moving to Office365.

• Know your data: Data is like water; no one knows what it is worth until it is gone or has been corrupted. This is why it is important to take stock of the data you intend to take online, classify it accurately, assess its value, and to ensure your 'crown jewels' are under virtual lock and key.
• Review your subscription: There are several subscription levels for cloud-based services like Office365, each offering various degrees of functionality and security features. The lower-tier subscriptions may be appealing to your budget but may not include more advanced data privacy and security measures. When budgeting for cloud-based services, consider both the flat recurring fee and the price of additional products and services you will need to truly protect your digital assets.
• Multi-factor authentication: Many cyber incidents can be avoided by simply enabling multi-factor authentication. Microsoft provides this feature as part of Office365 and there are third-party solutions to consider as well. Organizations may opt to eliminate this step to make it easier for their end users to access their email, leaving them more vulnerable to access by unauthorized users.
• Mobile environment: As companies expand their mobile footprint, more and more employees are using their own devices to access their cloud-based services. These mobile networks need to be adequately considered since all the controls in the world will not mean a thing if a mobile environment is not equally secure. Microsoft's Intune cloud-based management solution is one tool that can help.
• Do not rely on training alone: Making employees responsible for data security practices never hurts, but it is rarely a foolproof approach. End users cannot be assumed to have the same level of education or understanding around security, and your employees have a more important job to do than keeping pace with data security. The best approach is to complement data security awareness with embedded cloud-based security controls and processes that operate without the need for human interaction.
• Make the journey with a partner: Partnering with a third-party consultant who has experience in the cloud can help organizations throughout the planning and migration process and set them up to operate safely and efficiently in their new virtual office.

With cloud computing, the saying rings true, 'immunization is cheap, but triage is expensive.' Before packing up for the cloud, it is best to have preventative measures to not only avoid lengthy and costly recovery efforts but move into the virtual age with solid footing.