As I mentioned in the previous blogs in this series, myself and my colleagues at CyberCube are currently conducting research to model the likely effects - both short and long-term - that the current pandemic will likely have on businesses in the coming months through the lens of cyber risk. Early research has thrown up some interesting findings already so I thought that I would share some of them.
In this blog, I’ll turn my attention to the increased use of cloud services as a result of the pandemic and explore some of the trends and risks that are emerging and that should be considered.
There can be no doubt that, in recent years, use of cloud infrastructure as a service (IaaS) and software as a service (SaaS) has exploded in businesses of all sizes. According to some sources, 94% of enterprises already use at least one cloud service and the average enterprise uses five different cloud platforms or applications. With some estimating that 83% of enterprise workloads will be run from the cloud by the close of 2020, it is clear that our dependence on cloud service is now deep and irreversible.
Of course, the current Coronavirus pandemic is forcing business to rely even more heavily on cloud services. Usage of cloud infrastructure and business applications are up as a result of workers being forced to work from home and, probably more significantly, cloud-based communication applications such as email, web-conferencing and social media apps have skyrocketed in recent months. The “Zoom” web-conferencing app is seeing daily usage numbers that are up more than 300% from the weeks preceding the pandemic and Microsoft says that it has seen a 775% rise in usage of its cloud offerings following the introduction of social distancing measures.
My prediction is that many of the cloud habits now forming will not leave us post pandemic. In a future blog, I’ll outline what “new norms” (including the use of cloud communications) we should expect to see as we emerge from this pandemic.
All of this does make me consider the implications of severe cloud outages (I am a Security Strategist, after all). Entirely coincidently, I have been working on a project at CyberCube since the December period (i.e. “pre-pandemic”) that attempts to model a scenario involving a major outage at one of the “big three” cloud providers. There is precedence here and plenty of well-documented system failures that have created pretty large impacts to the customers of cloud service. A recent example at Google served to demonstrate a number of things. Firstly, the outage proved categorically that a major cloud services provider can experience a systematic issue which takes down multiple data centres as part of one outage event. Secondly, the outage showed that, as is often the case, multiple failures can combine to amplify the impact of an outage (in Google’s case, the failures were associated with human error combined with a software bug). Thirdly, the Google event demonstrated a common factor that, when mis-configured, could cause major disruption, again, across multiple sites. This was Cluster Management Software (CMS) in Google’s case.
Previous attempts to model potential disaster scenarios associated with the cloud have largely been focused on an outage of IaaS, showing that businesses that rely on virtual servers and storage resource are interrupted. However, we need to take a step back. An entire cloud ecosystem now exists with IaaS providing a foundation for a myriad of services to exist in an ecosystem (a “value-chain”, if you will) that now supports a greater and greater percentage of “business important” (if not yet “business critical”) functions.
Of course, the percentage of “business important” or critical business applications that are now run from the cloud is difficult to quantify. CyberCube’s estimation is that around 90% of business are currently making use of cloud service and that 60% of these are using the cloud to do “something important”. It is true that few seem to be running anything “business critical” (i.e. something that immediately stops the business when it disappears) in the cloud but “business important” applications such as email, web-conferencing (particularly during a pandemic event) HR, CRM, Payroll or compute resources that support internal systems are critical enough that the business would be severely affected should these services be unavailable for prolonged periods of time.
So, what are the chances of one of these cloud ecosystems being severely disrupted? It’s hard to say but many predict that we are due for a major cloud outage within the next three years. There is certainly plenty of precedence for major cloud ecosystem disruption. In terms of a “disaster-level” event, some are very concerned. How about this for a prediction from Jack Wallen, an award-winning tech writing at Techrepublic..? “In 2020, there will be a cloud breach to make all other breaches look elementary in execution and minuscule in outcome. This breach will see billions of users' data at risk and will force companies with stock in the cloud to take an inventory of their security offerings.”
I hope that the timing of Jack’s prediction is wrong, given the Coronavirus pandemic. Imagine our current “lockdown” with heavily reduced cloud services. Those businesses which are just about getting by thanks to internet communications would be impacted further, compounding the severe disruption that we already face. Some insurance experts predicted in 2018 that an incident that takes a major cloud provider offline in the US for three to six days could result in losses to the industry of $15 billion. This would likely be far greater, mid-pandemic.
My take is that Jack’s timing may be wrong (I’m a natural optimist) but that this may well be the only element of his prediction that is off.
I would suggest that, as a minimum, businesses should be evaluating cloud dependency, creating risk mitigation strategies and ensuring that any single points of failure that could create major business disruption are eliminated through multi-vendor strategy and back-up processes.
{An entire cloud ecosystem now exists... (a “value-chain”, if you will) that supports a greater and greater percentage of “business important” (if not yet “business critical”) functions.