May 21, 2020 By Josephine Wolff 3 min read

Organizations in both the private and public sectors have increasingly turned to cloud service providers (CSPs) to support their technical infrastructure, primarily to reduce IT costs and increase the efficiency of computing resources. In many cases, CSPs can also offer protection from security threats and increased cyber resilience — though customers often face trade-offs when they rely on cloud providers for these protections.

In the area of cyber resilience, in particular, organizations can offload much of the responsibility for keeping computer systems up and running by relying on cloud service providers, but this also means relinquishing much of their own control over those resilience measures.

Defining Cyber Resilience

The resilience of computer systems can mean slightly different things to different organizations. For some, it refers to maintaining a system that never goes down, while for others it refers to a system’s capacity to recover from incidents and outages as quickly and painlessly as possible.

The National Institute of Standards and Technology (NIST) defines the resilience of information systems as “The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.”

The Cost of Downtime

Although the types of incidents and their consequences vary from business to business, a 2014 estimate from Gartner puts the average cost of just one minute of IT downtime at $5,600, and a 2016 Ponemon Institute report raises that estimate to nearly $9,000 per minute. The ever-increasing reliance on IT services suggests that the financial consequences of unplanned outages are continually rising.

Since IT costs and efficiency are typically primary drivers of cloud service adoption, it makes sense that reducing costs due to IT outages and interruptions might also factor into the decision.

Long-Known Advantages of Cloud Services

Cloud services can help organizations with both of the components of cyber resilience: operating continuously under adverse conditions and recovering rapidly from incidents with minimal business interruptions. CSPs typically operate infrastructure with much greater capacity than individual organizations, and they may also have significantly more resources to devote to security measures and attack prevention.

Way back in 2012, a report published by ENISA, the European Union’s cybersecurity agency, determined that a cloud service provider’s ability to “dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc, to defensive measures (e.g., against DDoS attacks) has obvious advantages for resilience.” In other words, a denial-of-service (DoS) attack that might otherwise cause company server outages can be easily absorbed by a cloud provider’s larger traffic capacity and greater ability to filter traffic.

Similarly, ransomware attacks that cut organizations off from their systems and data can be overcome with the assistance of cloud providers that produce and retain back-up copies of those systems.

Alternatively, a CSP can help customers respond to natural disasters that cut off power to servers in one region by shifting their traffic and systems to servers operated in a data center somewhere else.

A 2017 white paper titled “Advancing cyber resilience with cloud computing,” published by Microsoft, makes similar arguments: “Cloud computing can be a practicable and valuable tool for cyber resilience and digital continuity,” the authors assert. “Thanks to its geographic replication of data, rapid scalability, security features and cost-effectiveness, cloud enables users to increase the efficiency of their operations and their agility in response to threats.”

The impressive capabilities of cloud services have changed how businesses around the world operate, but ultimately, it is up to individual organizations to determine whether these long-known advantages outweigh the possible downsides.

The Trade-Offs of Cloud Services

The downside to relying on cloud services for resilience is that it can sometimes leave customers with little control over the resilience of their own computer systems and infrastructure and can also leave them vulnerable to attacks directed at their providers — as well as any mistakes the providers might make.

As more organizations rely on the same small set of cloud service providers, the consequences of each individual outage may become greater, even if the number of outages decreases. But for many small and medium-sized businesses (SMBs) that lack dedicated security staff, the risks of a cloud provider outage still won’t beat out the benefit of having the enhanced security and resilience resources that large cloud providers can offer.

More from Cloud Security

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Cloud security uncertainty: Do you know where your data is?

3 min read - How well are security leaders sleeping at night? According to a recent Gigamon report, it appears that many cyber professionals are restless and worried.In the report, 50% of IT and security leaders surveyed lack confidence in knowing where their most sensitive data is stored and how it’s secured. Meanwhile, another 56% of respondents say undiscovered blind spots being exploited is the leading concern making them restless.The report reveals the ongoing need for improved cloud and hybrid cloud security. Solutions to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today