There are four competing business propositions affecting most American businesses today. Think of them as four freight trains on different tracks headed for a four-way stop signal at fiber-optic speed.
First, with a significant potential for cost savings, American business has adopted cloud computing as an efficient and effective way to manage countless bytes of data from remote locations at costs that would be unheard of if they were forced to store their data on hard servers. According to one report, “In September 2013, International Data Corporation predicted that, between 2013 and 2017, spending on public IT cloud computing will experience a compound annual growth of 23.5 percent.” Another report noted, “By 2014, cloud computing is expected to become a $150 billion industry. And for good reason – whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.”
The second freight train is data security. Making your enterprise’s information easier for you to access and analyze also potentially makes it easier for others to access, too. 2013 and 2014 have been the years of “the big data breach,” with millions of personal data records stolen by hackers. Respondents to the 2014 Global State of Information Security® Survey reported a 25 percent increase in detected security incidents over 2012 and a 45 percent increase compared to 2011. Though larger breaches at global retailers are extremely well known, what is less known is that cloud providers are not immune from attack. Witness the cyber breach against a file-sharing cloud provider that was made possible by lax password security and which led to a spam attack on its customers. “The message is that cyber criminals, just like legitimate companies, are seeing the 'business benefits' of cloud services. Thus, they’re signing up for accounts and reaching sensitive files through these accounts. For the cyber criminals this only takes a run-of-the-mill knowledge level . . . This is the next step in a new trend . . . and it will only continue.”
The third freight train is the plaintiff’s litigation bar. Following cyber breach after cyber breach, they are viewing the corporate horizon as rich with opportunities to sue previously unsuspecting companies caught in the middle of a cyber disaster, with no clear way out. They see companies scrambling to contend with major breaches, investor relation delays, and loss of brand and reputation.
The last freight train running towards the intersection of cloud computing and data security is the topic of cyber governance – i.e., what directors should be doing or thinking about to protect their firm’s most critical and valuable IP assets. In our previous article, we noted that though directors are not supposed to be able to predict all potential issues when it comes to cybersecurity issues, they do have a basic fiduciary duty to oversee the risk management of the enterprise, which includes securing its intellectual property and trade secrets. The purpose of this article is to help directors and officers potentially avoid a freight train collision by helping the “cyber governance train” control the path and destiny of the company. We will discuss basic cloud security principles and basic questions directors should ask when considering whether or not the data their management desires to run on a cloud-based architecture will be as safe from attack as possible. As usual, when dealing with cybersecurity issues, there are no 100 percent foolproof answers. Even cloud experts disagree on cloud-based data security practices and their effectiveness. There are only good questions a board can ask to make sure it is fulfilling its duties to shareholders to protect the company’s valuable IP assets.
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Cloud computing is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, and provides the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.”
Cloud computing is generally based upon three separate and distinct architectures that matter when considering the security of the data sitting in the particular cloud environment:
Now, if the above discussion of the types of cloud platforms isn’t confusing enough, data security issues on the cloud are equally complicated. But they can be boiled down into several concepts that can be easily understood:
We note that there are highly secure cloud providers that employ cutting-edge security architecture as well as cybersecurity analytic capability that may make future risk decisions related to migrating to the cloud not only more efficient, but more cost effective with reduced (not increased) risk.
As shown above, what is commonly referred to as the cloud can actually mean many different things depending on the context and use. Using SaaS to manage a customer base has a vastly different set of governance criteria from using IaaS as a development environment. As such, there are very few accepted standards for properly monitoring and administering a cloud-based environment. There are many IT consultants in the cloud-based computing field that can be consulted in that regard. Our view, however, is that directors are ultimately responsible for enterprise risk management, and that includes cybersecurity, a subset of which is cloud-based cybersecurity. Thus it is important for directors to have a basic understanding of the risks involved in cloud-based data storage systems and with cloud-based storage providers. Below are a few basic questions that come to mind that a director could pose to management and the company’s CISO and CIO:
High-profile breaches have proven conclusively that cybersecurity is a board issue first and foremost. Being a board member is tough work. Board members have a lot on their plate, including, first and foremost, financial reporting issues. But as high-profile breaches have shown, major cyber breaches have almost the same effect as a high-profile accounting problem or restatement. They cause havoc with investors, stock prices, vendors, branding, corporate reputation and consumers. Directors should be ready to ask tough questions regarding cybersecurity and cloud-based security issues so they do not find themselves on the wrong end of a major data breach, either on the ground or in the cloud.
PwC, CSO magazine, CIO magazine, “The Global State of Information Security®” Survey 2014, September 2013.
See “Cloud-based services emerge as potential platforms for cyber-attacks,” FedScoop, June 30, 2014.
See “Guest Post: Cyber Security, Cyber Governance, and Cyber Insurance: What Every Public Company Director Needs to Know,” D&O Diary, June 4, 2014.
See “Security Guidance for Critical Areas of Focus in Cloud Computing,” Cloud Security Alliance, 2011.
Note that regardless of the architecture framework, service level, security, governance and liability issues are normally addressed in a service level agreement (SLA) that is offered to the customer. Those should be thoroughly reviewed by legal counsel in addition to the CIO/CISO review of the particular cloud environment.
Proper Security Incident Management is built upon knowledge of the tactics, technologies, principles, and processes to protect, analyze, prioritize, and handle incidents. See http://cloud.cio.gov/topics/security-incident-management.
See here. The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
See “In Cloud We Trust Our Data: Can You Trust Your Cyber Insurance Policy?,” Data Breach Insurance, May 30, 2014.
Paul Ferrillo is Counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation. David Burg is a Principal of PWC’s U.S. Advisory Practice and is PWC’s Global and U.S. Cyber Security Leader. He leads a team of cybersecurity professionals who assist multinational businesses, private organizations and governments to understand, plan for and mitigate the risk of global cyber threats. Aaron Philipp is a Principal of PWC’s U.S. Advisory-Forensic Practice.