
Managing software risk when adopting cloud software

Published: 19 Feb 2025

The risks associated with adopting software – particularly software accessed in the cloud – are many and varied. Here, we consider some of the critical software risks that may be important for businesses to consider and mitigate.

Availability and performance service level agreements (SLAs)

There are two key components of every service – availability and performance. 

Availability itself also has two aspects in the cloud – the software provider’s service and the internet service. While internet connectivity is constantly improving, there are still areas with limited connectivity, and someone putting a digger through the cables down the road cannot be foreseen! It is therefore important to consider whether any availability issues are down to the software provider, or the stability of your own connection, and what need there will be to access the software where the internet connection is slow or unreliable. A need for ‘always-on’ access may not preclude cloud services, but may require a solution that supports local replication or offline access, both of which are increasingly common (for example till systems that do not require a continuous connection to head office, but instead replicate periodically). 

What are the consequences of unavailability – is it merely frustrating, or could it materially impact business operations? 

The same is true for a slow performing service, particularly if speed is crucial. A slow website, for example, can be the difference between winning and losing custom, and poorly performing internal systems can dramatically impact productivity and efficiency. Again, there are many factors that can impact performance, some of which may be within your control, some within the control of the software provider, and others which may be impossible to influence. As with all risks, understanding the likelihood and severity of impact is key.

When using a cloud service, ask the provider about their historical availability and performance service levels as well as the levels they are willing to contractually commit to. Explore the resilience of the system and ask about the levels of compensation for the service being unavailable, or failing to meet certain performance criteria, and the circumstances in which those service levels may not apply. Providers that are unable to guarantee their service’s availability may be signalling a lack of confidence in how their cloud platform has been built and its reliability.

Service accessibility

Availability of a cloud service should not be confused with accessibility. Cloud-based services have many access points as the services are accessible from virtually any internet-connected device. A high level of accessibility also makes it possible for third-party applications to connect to the cloud service for additional features and functionality. While connecting to third-party applications is useful, it is important to set access permissions. Users of the cloud service will be responsible for setting who has access permissions and privileges to modify and change service and system settings. The biggest benefit of using a cloud service can also be the biggest risk factor, as not all networks are secure. Public networks, particularly unsecured wireless networks, are risky for services that contain crucial data. It is possible for other users on the network to intercept unencrypted data being sent between your device and the network, and thus potentially gain access to usernames and passwords.

Historically, connection to a corporate VPN was often mandatory before accessing an office network but for a small business setting up and maintaining such a network just isn’t feasible. Services exist for web VPNs, which will encrypt traffic sent between your device and the internet, and for a low monthly fee these can be used anywhere in the world to secure your internet connection when connecting to a public or unsecured network. More cloud providers now support ‘allow’ and ‘block’ lists of IP addresses, which can be used to restrict access to known locations (however, in the modern, hybrid working world, this may be impractical) – or at the very least will generate a notification to the system administrator(s) if there is a login from an unrecognised location or device.
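The allow-list and unrecognised-login notification described above, as an added illustration (not code from the article or any provider): a small review of constructed login records against an office/VPN allow-list and each user's previously seen devices, with an optional enforcement mode for organisations that can restrict access to known locations.

```python
import ipaddress

# Constructed sample data, not from the article: an office/VPN allow-list and
# the devices each user has previously signed in from.
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
KNOWN_DEVICES = {"alice": {"laptop-01"}, "bob": {"laptop-07", "phone-07"}}

# Constructed login events, in the shape a provider's audit trail might expose.
LOGIN_EVENTS = [
    {"user": "alice", "ip": "203.0.113.25", "device": "laptop-01"},  # office, known device
    {"user": "alice", "ip": "192.0.2.77", "device": "laptop-01"},    # outside allow-list
    {"user": "bob", "ip": "198.51.100.10", "device": "tablet-new"},  # new device
    {"user": "bob", "ip": "192.0.2.200", "device": "tablet-new"},    # both anomalies
]


def in_allow_list(ip, allow_list):
    """True if the source address falls inside any allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_list)


def evaluate_login(event, allow_list, known_devices, enforce=False):
    """Return (decision, reasons) for one login.

    enforce=False: every anomaly only produces a notification to the
    administrator (the article's 'at the very least' fallback for hybrid working).
    enforce=True: a source outside the allow-list is blocked outright, while a new
    device from an allowed location still only notifies.
    """
    reasons = []
    if not in_allow_list(event["ip"], allow_list):
        reasons.append("unrecognised location")
    if event["device"] not in known_devices.get(event["user"], set()):
        reasons.append("unrecognised device")
    if enforce and "unrecognised location" in reasons:
        return "block", reasons
    return ("notify" if reasons else "allow"), reasons


def review_logins(events, allow_list=ALLOW_LIST, known_devices=KNOWN_DEVICES, enforce=False):
    """Evaluate a batch of login events and return one record per event."""
    results = []
    for e in events:
        decision, reasons = evaluate_login(e, allow_list, known_devices, enforce)
        results.append({"user": e["user"], "ip": e["ip"], "decision": decision, "reasons": reasons})
    return results
```

In practice the known-device set would be updated once a user confirms a new device, so that the notification fires once rather than on every login.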

Security and cyber risks

Vulnerabilities are found in software all the time, and any platform that is publicly accessible carries more inherent risk than one that is not. 

From a security perspective, the following questions should be asked of the service provider to ensure they follow best practice principles:

  • Is the platform regularly subjected to third-party penetration testing for potential vulnerabilities? Is it rigorously tested to determine whether an attacker could gain unauthorised access?
  • Who is responsible for monitoring the environment for security breaches? Does the vendor proactively scan for and flag unusual activity? What is the process in the event that a security breach is detected?
  • Is data held on the platform stored in an encrypted format? 
  • Is payment data held on a PCI-DSS compliant platform?
  • Are there recognised, standard working processes and procedures in place and adopted (eg, are ISO accreditations, such as ISO 27001, held, or ITIL frameworks followed, or is an ISAE 3402 or similar attestation of internal controls available)? Are there clear policies and procedures for administrator access to the data (can staff at the service provider access your data, and if so, how is this controlled)?
  • Is the platform protected against ‘denial of service’ attacks, where attackers could prevent access to the service indefinitely by flooding the platform with erroneous traffic or requests for information? 
  • Does the platform meet the requirements of the Cyber Essentials Scheme or any other relevant cyber security scheme, which evaluate the provider’s ability to assess and mitigate risks from common cyber security threats to their IT systems?
  • Does the platform have sufficient security controls in place? A good, comprehensive guide to controls for cloud technology is the Cloud Controls Matrix issued by the Cloud Security Alliance.

Furthermore, it is not just the cloud provider’s software products that need to be considered. Given they are generally accessed via the internet and web browser technology, the internet connection itself is a critical part of the infrastructure. Remember that data protection regulations, such as GDPR, place the onus on the organisation, not its service providers, to ensure that its customers’ data is secure.

In addition, remember that cloud service providers do not always provide liability protection. It is important to review the contractual agreement to determine the extent of liability coverage and if additional cyber insurance will be required to cover third-party liability costs and expenses related to dealing with a breach.

As the responsibility remains with the organisation, consider the importance of training staff on the possible cyber risks and issues associated with the new service. This is a key part of building a strategy to mitigate and address cyber breaches as quickly and safely as possible.

User authentication

While security against vulnerabilities is important, so is functionality that helps to ensure only permitted users can access the platform. With software services that contain very sensitive data – such as bank accounts, address details, or any of the special categories of data identified under UK or EU GDPR – suppliers are encouraged to provide an extra layer of authentication via a device that only the user could have on them at that specific time, often referred to as multi-factor authentication (MFA). This can be a physical device (like a key card for online banking), a text message, or an authentication app on a phone, which typically provides a unique, ever-changing code. Face, voice, or fingerprint recognition are biometrics that can also be used to authenticate to systems.

Most cloud service providers now offer MFA as standard but may not turn it on by default. This should be something to look for when adopting a new service, in order to ensure someone can’t access your data simply through having your username and password. Alternatively, single sign-on (SSO) allows centralised authentication across multiple integrated applications. This approach uses a single set of credentials, held in an organisation’s Identity and Access Management (IAM) solution, to allow users to securely log in and access multiple services without having to re-authenticate. SSO can improve security by simplifying username and password management for users, provided those sign-on credentials are sufficiently secure to start with.

While ‘back-end’ systems will record access information, this may not be readily available to end users, or only available on request. Some software products maintain easily visible audit trails of access – who accessed the system, when, and what they did – which are available to authorised users, so you should consider whether this is important to your organisation.

Breaches of contract and losses

There is arguably no better test of a supplier’s confidence in their abilities than to match their assurances with financial compensation for breaches of contract or business losses due to service outages or data loss. However, compensation should be used as a way of holding a third party accountable and is not a substitute for ensuring that a business has a continuity plan in the event of a service being unavailable or data loss. 

Where possible, financial compensation and agreed levels of liability should be written into agreements with cloud service providers, and it is sometimes advisable to offer clients levels of compensation for contractual breaches. This sets the correct expectations for the availability of service that can be anticipated. A user with the contractual right to reclaim a percentage of their monthly fee due to service unavailability should consequently not expect that the service is 100% guaranteed.

As regards financial compensation, you should also ascertain whether this is automatically applied, or whether it actually needs to be claimed each and every time the service fails. 

Compensation is usually available for periods where the service is unavailable (though often with exclusions for factors outside of the control of the provider – which may or may not be acceptable to the user), but rarely for substandard performance levels or data loss. Where these aspects of the service are key to the user, they should be discussed to ensure the risks are effectively addressed.

It is important to note that most service providers will include liability exclusions and caps in their terms of services. Determine if these terms are negotiable, and in the instance the vendors are reluctant to change standard terms, consider alternative measures such as external back-ups and third-party insurance to ensure business continuity. 
