4 hidden risks of your enterprise cloud strategy

As enterprise CIOs seek to find the ideal balance between the cloud and on-prem for their IT workloads, they may find themselves dealing with surprises they did not anticipate — ones where the promise of the cloud, and cloud vendors, fall short versus the realities of enterprise IT.

While cloud risk analysis should be no different than any other third-party risk analysis, many enterprises treat the cloud more gently, taking a less thorough approach. Much of that is because enterprises tend to use the largest cloud platforms available — with AWS, Microsoft Azure, and Google Cloud Platform topping that list. And those massive platforms sharply limit how far they will allow one enterprise’s IT due diligence to go. 

Exceptions are sometimes made for the largest enterprises — think Walmart, Exxon Mobil, CVS, Berkshire Hathaway, and the like — but not usually for many others. Moreover, most enterprise cloud strategies involve a variety of cloud vendors, including point-solution SaaS vendors operating in the cloud. Interrelations between these various partners further complicate the risk equation.

The most obvious risk your cloud estate can be subjected to involves cloud settings and configurations. Many IT teams spend extensive effort fine-tuning the settings of their cloud instances, architectures, and environments to precisely match the needs of their company — only to later discover that a staffer at their cloud vendor has made some universal changes for all the vendor’s corporate tenants, in effect overriding the IT team’s laboriously crafted settings.

But there are other unexpected challenges CIOs may face in the cloud that they should be aware of. Here are few such hidden risks, with advice on how you might be able to mitigate them. 

Shifting vendor risk postures

Cloud vendors themselves can encounter any number of business-related issues that can challenge their ability to provide service to the standard enterprise CIOs committed to when the contract was signed, including the introduction of new risks.

When performing whatever minimal due diligence the cloud platform permits — SOC reports, GDPR compliance, PCI ROC, etc. — it’s critical to remember that it is only a snapshot at that moment of evaluation. That’s where the contract comes into play. If anything changes that will impact your vendor’s risk posture, such as layoffs affecting its operations or budget cutbacks addressing non-human resources, there should be an explicit contractual clause obligating the cloud vendor to alert your team and, ideally, give your team an option to exit for free, including having unspent dollars upfront returned.

“I don’t see a downside in asking for that,” says Brian Levine, managing director of cybersecurity for Ernst & Young. “Will [the cloud vendor] follow through? Probably not. They likely don’t have a process in place to do that. It’s always better to have an express term rather than an implied term for litigation purposes.”

Rex Booth, CISO of Sailpoint, agrees that such a clause can’t hurt, but is subject to a lot of interpretation. A better contractual approach, he says, would be to include something along the lines of “If you take a nosedive as determined by an independent auditor, we have the right to walk away.” Booth adds, however, that layoffs do not necessarily imply a reduction in organizational efforts.

New data sovereignty headaches

Data sovereignty has been a critical IT issue for quite some time, but there are now cloud-specific data sovereignty issues that many enterprises may not be expecting. The US Commerce Department in January, for example, proposed a rule banning Chinese companies from training their LLM models in US cloud environments. Although that initially appeared to be something that would only impact Chinese companies, Forrester principal analyst Lee Sustar argues that this could easily entangle US companies — not just cloud companies, but conglomerates that have a division that performs analytics work for its clients.

For example, what if a Chinese company hires an American AI firm and pays them to train various LLMs in that American company’s US-based cloud environment? Would that violate the Commerce rule? Even more complicated, what if the client of this American company is based in Belgium or Australia? And what if that Belgian company’s client happens to be a Chinese company? If a Chinese company wanted to get around this rule, it would likely process the request through multiple non-Chinese companies.

“Now you are going to have to plan your cloud workloads, trying to factor in not only third-party risk but fourth-party as well,” he says.

EY’s Levine suggests other considerations for CIOs when negotiating new cloud agreements. Some cloud operations charge extra for logging what happens in their environments. That wouldn’t be a big issue if cloud tenants could track activity directly, but they can’t and therefore must rely on the cloud platform’s logs. 

“This is basic and if an enterprise is going to be responsible [for everything that happens in the cloud], they have to have logs of it to be responsible. How long do they retain these logs?” Levine says. 

Scalability in the event of widespread emergency

Many enterprise IT executives see the cloud as delivering near-infinite scalability — something that is not mathematically true. This is not helped by cloud marketing, which strongly implies — if not outright promises — unlimited scalability. 

Most of the time, the cloud’s elasticity affords great levels of scalability for its tenets. When emergency strikes, however, all bets are off, says Charles Blauner, operating partner and CISO in residence at cybersecurity investment firm Team8, and former CISO for Citigroup, Deutsche Bank, and JP Morgan Chase.

Blauner points out the many failed attempts for outsourcing data during the 9/11 attack, which he saw again during Hurricane Sandy in 2012 and again in the early weeks of COVID in the US. “It’s only going to work for the first companies” that make the move to push more of their data into the cloud. 

Enterprises expect to be able to “recover into a cloud environment during a crisis. And then 9/11 happened and everyone declared an emergency at the same time. If you weren’t one of the first to declare, [the cloud vendor] said, ‘We’re full,’” Blauner says.

The solution to that, Blauner says, is for CIOs to establish their emergency minimal viable product (MVP) position. By that he means for enterprises to identify their most essential services — the ones “that your customers can’t survive without” — so that, when an emergency happens, just those emergent services are moved to the cloud. If all enterprises do this, the industry could survive the next crisis.

When Blauner worked at Citi, for example, that MVP was international funds transfers. “If we didn’t protect that, we could have had a global economic meltdown. You can’t do money transfers in South Korea without Citi,” Blauner says. “For every company in the world, there is some such thing.”

Self-inflicted security risks and inefficiencies

Charlie Winckless, a senior director analyst on Gartner’s cloud security team, agrees that scalability in the event of a crises is a concern, but he sees a different problem forming from IT leaders’ typical solution: covering their cloud bets by having agreements with a large number of cloud environments globally.  

“CIOs believe that by using multiple cloud providers, they think that it is improving availability, but it’s not. All it’s doing is increasing complexity, and complexity has always been the enemy of security,” Winckless says. “It is far more cost-effective to use the cloud provider’s zones.”

Enterprises also often fall short on the financial and efficiency benefits promised by the cloud because they are unwilling to trust the cloud environment’s mechanisms sufficiently — or so argues Rich Isenberg, a partner at consulting firm McKinsey who oversees their cybersecurity strategy practice.

The enterprise IT “pushback is that they do not trust the cloud automation and technology. They want their own team to manage everything. The clouds include the cloud-native tools and automation but [the CIOs] are still gravitating to the old-school approach of using their team,” Isenberg says. These executives “are dependent on their security and access teams and they have their preferred tools from their preferred vendors.” 

That means that many cloud tasks are being done twice and that is why the efficiency benefits sometimes do not materialize. Most IT executives “think that it will be the big breaches that will threaten their jobs, but the reality is that the threat is the [executives] not being digital tech forward,” Isenberg says. If executives “do not embrace cloud-native [tools] and automation, then, yes, it will become someone else’s job.”

Cloud is also so integrated in all enterprise systems today — whether it be IaaS, PaaS, and SaaS — that a cloud strategy needs to be the default assumption. Says Isenberg: “You’re in it whenever you know it or not or want it or not.”