Fortifying cloud and SaaS operations

Wayne Scott, Regulatory Compliance Solutions Lead at NCC Group Software Resilience, explores the importance of cloud resilience and shared responsibility and demonstrates how the adoption of escrow solutions is an effective means to safeguard data and ensure business continuity.

Why do businesses and organizations need cloud resilience?

A broad definition of resilience would be the ability to resist, absorb, recover and learn from adversity. Traditionally when we think of resilience in the cloud, we automatically think of cybersecurity, but increasingly global regulators are naming risks to be mitigated that have little to do with cybersecurity. We’re all aware that a cloud service can keep working even if something goes wrong, such as a power outage or a server failure. It can bounce back quickly and keep running smoothly, enabling your business to access data and use the services without any interruptions. But what do you do should the supplier have severe financial difficulties? How protected are you as a customer should your supplier be the subject of a takeover?

Cloud resilience is crucial for businesses and organizations in today's digital landscape. Cloud services have become integral to operations, from HR to accounting and strategy. So, it is increasingly essential to understand the shared responsibility cloud providers and end users hold, and their roles in maintaining the integrity and resilience of cloud-based systems.

Ensuring operational continuity is vital, as any disruption or downtime in cloud services can severely impact productivity, customer service, and revenue generation for a business. For large cloud providers, downtime can have a detrimental impact that is felt globally. With the vast amounts of information stored in the cloud, businesses need to safeguard against data loss by implementing resilient measures, such as data backups and disaster recovery plans.

Cloud resilience helps mitigate risks associated with cloud services like supplier failures or service deterioration. By prioritizing resilience, businesses and organizations that use cloud services can ensure operational stability, data security, and customer trust, positioning themselves for success in the dynamic digital landscape.

Wayne Scott

Wayne Scott is the Regulatory Compliance Solutions Lead at NCC Group Software Resilience.

Understanding the shared responsibility model

The shared responsibility model means that both cloud providers and end users have specific responsibilities in maintaining the integrity and resilience of cloud systems. Cloud providers are not solely responsible for the effective implementation and protection of their services, despite the assumption that responsibility lies solely with the provider.

Businesses and organizations that utilize cloud services need to address risks such as supplier failure, service deterioration, and environmental, social, and governance (ESG) considerations, all of which can impact the stability of their cloud system.

Cloud providers are also exposed to non-cyber risks like the issuing of a winding-up order, as seen with UK Cloud, or soaring costs that push businesses into administration. With cloud providers facing a range of external risks, the security of assets to ensure operational continuity is paramount.

If responsibility lies with businesses too, what challenges do they face to become resilient?

One of the key challenges with cloud-based services is the lack of visibility into the systems and processes of cloud providers. End users cannot see the frequency of updates or the overall stability of external systems, and often remain unaware of cloud issues faced by their providers, such as network security issues or downtime, until they directly impact operations. In risk terminology, there is a “lag” in detection: issues may only be detected at the point of impact, when the service fails.

Similarly, businesses do not have sight of the financial resilience of their cloud provider. If a service provider is facing financial difficulty, non-payment of hosting fees can be the result, and businesses won’t become aware of it until the service stops, placing the end user at risk of not being able to access services or data held in the cloud.

Strategies for achieving cloud resilience:

Although there are challenges for businesses when taking on cloud resilience responsibility, there are several steps they can take to begin the process and ensure their systems are resilient.

Consider escrow agreements

Escrow agreements can ensure cloud operational resilience by offering management of the risks presented by the cloud environment on behalf of the end user, ensuring continuous monitoring, maintenance, and control. This offers greater visibility and control over the cloud environment, helping organizations fulfil their responsibilities effectively.

Technology escrow agreements also allow organizations to store their data with a third-party provider, independent of their primary cloud service. A copy of important software and related materials is securely stored with a neutral third party, to be released to the user in specific situations, ensuring continued access and usability. This approach ensures that data remains accessible even in the event of cloud outages or disruptions.

By holding information in escrow, end users in a supply chain can protect themselves from the negative consequences of supply chain disruption, whilst also providing a level of assurance to customers and stakeholders that their services are protected and accessible even in the event of a crisis.

Escrow agreements can therefore play a crucial role in safeguarding business material against the risk of cloud supplier failure.

Stressed exit planning

Effective management of third-party cloud providers and risk management includes stressed exit planning: a plan for how to transition to another supplier or system should a current contract come to an end or be terminated. Businesses should work with their cloud providers to ensure that a stressed exit plan is in place.

End users should also conduct regular system audits and explore the use of multiple cloud providers to minimize risks. It's important to carefully weigh the potential regress costs (the extra expenses that occur when something goes wrong and additional work is needed) when backing up cloud data with alternative cloud providers. However, regulators across the globe, such as the European Commission in the EU, the Competition and Markets Authority (CMA) in the UK, and the Federal Trade Commission (FTC) in the US, are actively working to promote competition and lower expenses associated with achieving resilience in the cloud services market.

Cloud responsibility and resilience are vital considerations for end users relying on cloud services. While cloud providers have a crucial role in ensuring cybersecurity, end users must take ownership of non-cybersecurity risks and develop strategies to mitigate them.

Escrow agreements offer a reliable and auditable approach to protect data and prove resilience, enabling organizations and businesses to withstand operational failures and maintain uninterrupted operations in the case of cloud supplier failure or disruption.

Resilient measures

By understanding the shared responsibility model and adopting resilient measures, end users can fortify their cloud operations and navigate the dynamic digital landscape with confidence.
