Organizations in both the private and public sectors have increasingly turned to cloud service providers (CSPs) to support their technical infrastructure, primarily to reduce IT costs and increase the efficiency of computing resources. In many cases, CSPs can also offer protection from security threats and increased cyber resilience — though customers often face trade-offs when they rely on cloud providers for these protections.
In the area of cyber resilience, in particular, organizations can offload much of the responsibility for keeping computer systems up and running by relying on cloud service providers, but this also means relinquishing much of their own control over those resilience measures.
Defining Cyber Resilience
The resilience of computer systems can mean slightly different things to different organizations. For some, it refers to maintaining a system that never goes down, while for others it refers to a system’s capacity to recover from incidents and outages as quickly and painlessly as possible.
The National Institute of Standards and Technology (NIST) defines the resilience of information systems as “The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.”
The Cost of Downtime
Although the types of incidents and their consequences vary from business to business, a 2014 estimate from Gartner puts the average cost of just one minute of IT downtime at $5,600, and a 2016 Ponemon Institute report raises that estimate to nearly $9,000 per minute. The ever-increasing reliance on IT services suggests that the financial consequences of unplanned outages are continually rising.
Since IT costs and efficiency are typically primary drivers of cloud service adoption, it makes sense that reducing costs due to IT outages and interruptions might also factor into the decision.
Long-Known Advantages of Cloud Services
Cloud services can help organizations with both of the components of cyber resilience: operating continuously under adverse conditions and recovering rapidly from incidents with minimal business interruptions. CSPs typically operate infrastructure with much greater capacity than individual organizations, and they may also have significantly more resources to devote to security measures and attack prevention.
Way back in 2012, a report published by ENISA, the European Union’s cybersecurity agency, determined that a cloud service provider’s ability to “dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc, to defensive measures (e.g., against DDoS attacks) has obvious advantages for resilience.” In other words, a denial-of-service (DoS) attack that might otherwise cause company server outages can be easily absorbed by a cloud provider’s larger traffic capacity and greater ability to filter traffic.
Similarly, ransomware attacks that cut organizations off from their systems and data can be overcome with the assistance of cloud providers that produce and retain backup copies of those systems.
Alternatively, a CSP can help customers respond to natural disasters that cut off power to servers in one region by shifting their traffic and systems to servers operated in a data center somewhere else.
A 2017 white paper titled “Advancing cyber resilience with cloud computing,” published by Microsoft, makes similar arguments: “Cloud computing can be a practicable and valuable tool for cyber resilience and digital continuity,” the authors assert. “Thanks to its geographic replication of data, rapid scalability, security features and cost-effectiveness, cloud enables users to increase the efficiency of their operations and their agility in response to threats.”
The impressive capabilities of cloud services have changed how businesses around the world operate, but ultimately, it is up to individual organizations to determine whether these long-known advantages outweigh the possible downsides.
The Trade-Offs of Cloud Services
The downside to relying on cloud services for resilience is that it can sometimes leave customers with little control over the resilience of their own computer systems and infrastructure and can also leave them vulnerable to attacks directed at their providers — as well as any mistakes the providers might make.
As more organizations rely on the same small set of cloud service providers, the consequences of each individual outage may become greater, even if the number of outages decreases. But for many small and medium-sized businesses (SMBs) that lack dedicated security staff, the risks of a cloud provider outage still won’t outweigh the benefit of having the enhanced security and resilience resources that large cloud providers can offer.
Josephine Wolff is an assistant professor of cybersecurity policy at the Tufts University Fletcher School of Law and Diplomacy. Her research interests includ...