Information Security in the Time of Covid-19 – Moving to the Cloud as a Cost-Cutting Measure Does Not Lessen Compliance Obligations

Moving to the Cloud to Save Money

The Covid-19 pandemic has created profound challenges for almost every organization. As these challenges mount, companies are dramatically cutting their soft costs, including information security. Many companies are reducing their information security and privacy compliance spending by moving to the cloud. This is good, right? Maybe, but only if the move is managed in a well-informed way. Failing to ask the right questions up front can lead to serious consequences.

It is crucial to keep in mind that no information security or privacy law in existence today treats being in the cloud, in and of itself, as constituting reasonable information security. Nor does any information security or privacy law treat the use of a cloud provider as a mitigating factor in the context of a data breach: the obligation to protect the data, and the liability when it is exposed, stay with the organization that collected it.

Increasing Reliance on Cloud Computing

The use of cloud platforms has grown rapidly. One result of the work-at-home mandate, which will persist even as work restrictions are relaxed, is the continuing move to cloud computing, both because of the benefits of scalability and the dedicated information technology and information security resources afforded by cloud vendors, and also because of the need to conserve financial resources. It is difficult and expensive to maintain onsite information technology and information security operations and staff. Cloud computing reduces those costs and increases accessibility.

Moving to the cloud, however, does not eliminate all risks – some hazards go away but others are introduced. Cloud environments remain vulnerable when end-users fail to observe proper security hygiene: a compromised user account, a reused password or a misconfigured access setting on the customer side is a vulnerability in the cloud environment, regardless of how well the provider secures its own infrastructure. It is imperative as well that the cloud vendor has appropriate information security and privacy compliance measures in place. Many smaller cloud vendors, and many service providers that build on the cloud, have deficient information security and privacy compliance frameworks, assuming they have any in place at all. Many organizations, especially small and medium sized businesses, seldom evaluate whether their vendor's cloud is a safe place to be.

Getting the move to a cloud environment right is crucial. The security and availability of an organization’s data is important for both operational and business continuity reasons. Moving to a cloud is no excuse for taking eyes off of information security or for lax privacy compliance.

Questions to Ask When Considering a Move to the Cloud

Time and again, organizations fail to ask themselves the most rudimentary questions before moving to cloud platforms, and they suffer as a result. They assume, for example, that deploying Office 365 will solve all their productivity and data management challenges, yet never address the fact that they remain responsible for data breaches and for maintaining network performance and security. They also never imagine that their managed services provider may be storing their data with a cloud vendor whose operations are subpar. And as safe as the Amazon, Azure and Google clouds may be, all of them operate on a shared responsibility model: the provider secures the underlying infrastructure, but none of them ensures the security of your data against risks that arise on the customer side, such as weak credentials, over-broad access permissions and misconfigured services. Ask at least these questions when considering a move to a cloud environment:

  • Is the cloud vendor compliant with any of the leading information security frameworks – NIST SP 800-53, ISO 27001, the CIS Critical Security Controls – and will the vendor share its compliance documentation with you? Check that the scope of any certification or audit report actually covers the services and data centers you will be using, not just a subset of the vendor's business.
  • Is the cloud vendor compliant with the privacy laws that apply to your organization, notably the California Consumer Privacy Act, and will the vendor share its compliance documentation with you?
  • Has the cloud vendor ever experienced a serious data breach? If so, was it significant enough to raise questions about the vendor's information security practices and processes, and how promptly and transparently did the vendor disclose and remediate it?
  • Can the cloud vendor support the applications you are moving to the cloud without compromising your own information security plan?
  • Do you understand the allocation of legal and operational responsibilities for information security and privacy risks as between your organization and the cloud vendor, and is that allocation written into the contract rather than assumed?

These are only a few of the many questions that should be addressed in connection with any move to a cloud platform, regardless of the size and sophistication of the cloud environment. If you have not asked these questions and gotten satisfactory answers, your move to the cloud may expose you to serious legal compliance and operational risks.

Regulatory Compliance and the Cloud

The current pandemic has forced changes in the way we work and has brought a wave of new attacks, many of them exploiting the rushed move to remote work. The privacy compliance and enforcement landscape, however, has not changed. Some privacy regimes have been relaxed – HIPAA enforcement, for example, to facilitate telemedicine. But there is no indication that other privacy laws will be ignored or relaxed and, especially in California, all indications are to the contrary. The California Attorney General is set to enforce the California Consumer Privacy Act on schedule, beginning in July of this year (2020). In particular, the CCPA-imposed duty to have reasonable information security processes and practices in place remains in effect. Companies are subject to a private right of action with statutory damages if they experience a data breach of personal information that results from their failure to maintain reasonable information security.

Keep Cloud Risks Front and Center

Moving to the cloud to save money may be a good business and financial strategy. If managed properly it can even be a good information security and privacy strategy. But moving to the cloud creates its own set of risks, some of them potentially existential. These risks can only be controlled if the right questions are asked before the move.
