Cyberisk Australia provides cost effective and actionable advice to address risks due to evolving threats and your changing customer and supply chain expectations, enabling you to keep up with your competitors, protect your customers, grow your business, and ensure the availability of your services.

Our MyRisk® fixed price cloud service risk assessment service includes company due diligence, financial due diligence, service quality, privacy, IT risk and cyber security. Our founder’s original research is cited in over 20 global university papers and international frameworks.

During 2019, we conducted cloud service risk assessments for a number of State Government agencies, ASX 200 companies and their service providers. These are our lessons learnt.

Supplier Control & Financial Due Diligence

In the current low interest environment, the world is awash with capital looking for higher returns, and venture capital funds are taking greater risk with higher leverage investments. This presents a problem for the cloud service consumer, with a lack of shareholder funds available for data breach or other claims.

During the year we found a leading global payment services company, a leading legal document management solution, and a leading low-code software development platform with year-on-year net losses and either a current or approaching deficiency in stockholder funds (technically insolvent). We also found a leading Governance, Risk and Compliance (GRC) solution whose management had been involved in prior business failures and had previously been banned from directorship.

In these cases, we have recommended a solvent contracting entity or guarantor with suitable financial position and cyber insurance cover to allow for liability for any loss of personal information.

Cloud Disaster Recovery

Many successful and innovative eCommerce and payment platforms are not resilient to “whole of region” disaster scenarios, which, although rare, may present a life-critical or business continuity issue for a cloud service consumer.

During the year we found three leading global payment platforms, a leading eCommerce platform, a leading Building Management System, and a popular content marketing platform operating with single region infrastructure – in two cases with data centres located within a known flood plain or tornado area.

In these cases, we have recommended the cloud service consumer develop their own Business Continuity plans that provide for a 1-3 day outage and require or implement a daily backup resilient to a whole of region outage. It is also important to ensure the cloud provider has a support BCP in place, and sufficient support staff to allow for the growth they are experiencing.
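The “daily backup resilient to a whole of region outage” requirement is easy to state and easy to get wrong in practice: a provider may have daily backups, but all copies may sit in the primary region, or the off-region copy may be replicated far less often than the in-region one. The check below is an added example, not Cyberisk Australia's tooling or any provider's code; it runs over a constructed backup inventory (service names, regions and timestamps are assumptions) and reports, per service, whether any copy exists outside the primary region and whether the newest such copy meets the one-day requirement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    region: str          # region the copy is stored in
    taken_at: datetime   # when the copy was taken (timezone-aware)


@dataclass(frozen=True)
class Service:
    name: str
    primary_region: str
    backups: tuple       # tuple of BackupCopy


# Reference point for the assessment; a fixed value so the example is reproducible.
NOW = datetime(2019, 12, 31, tzinfo=timezone.utc)

# Constructed inventory modelled on the single-region findings above.
# Names and regions are assumptions, not services from the assessments.
INVENTORY = (
    # All copies in the primary region: does not survive a whole-of-region outage.
    Service("pay-platform-a", "ap-southeast-2", (
        BackupCopy("ap-southeast-2", NOW - timedelta(hours=1)),
    )),
    # Off-region copy exists but is only refreshed every few days.
    Service("ecommerce-b", "us-east-1", (
        BackupCopy("us-east-1", NOW - timedelta(hours=2)),
        BackupCopy("us-west-2", NOW - timedelta(days=3)),
    )),
    # Off-region copy within the last day: meets the requirement.
    Service("bms-c", "eu-west-1", (
        BackupCopy("eu-west-1", NOW - timedelta(hours=1)),
        BackupCopy("eu-central-1", NOW - timedelta(hours=6)),
    )),
)


def region_resilient_backups(service, now, max_age=timedelta(days=1)):
    """Copies stored outside the primary region and no older than max_age."""
    return [b for b in service.backups
            if b.region != service.primary_region and now - b.taken_at <= max_age]


def assess(service, now):
    """Classify one service against the daily, off-region backup requirement."""
    off_region = [b for b in service.backups if b.region != service.primary_region]
    current = region_resilient_backups(service, now)
    if not off_region:
        status = "FAIL: single region, no off-region backup"
    elif not current:
        newest = max(b.taken_at for b in off_region)
        status = f"FAIL: newest off-region copy is {(now - newest).days} days old (>1 day)"
    else:
        status = "PASS"
    return {"service": service.name,
            "primary_region": service.primary_region,
            "status": status}


def assess_inventory(services, now):
    """Assess every service; the result is what goes into the BCP gap list."""
    return [assess(s, now) for s in services]


if __name__ == "__main__":
    for finding in assess_inventory(INVENTORY, NOW):
        print(f"{finding['service']:16} {finding['primary_region']:15} {finding['status']}")
```

The same logic applies whatever the backup mechanism is (object replication, database snapshots, exported dumps): the question is only whether a copy younger than the agreed recovery point exists somewhere that shares no failure domain with the primary region.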

Service Reliability

The use of Infrastructure-as-a-Service (IaaS) platforms by a Software-as-a-Service (SaaS) cloud service is no guarantee of service reliability. During the year, we found a leading low-code software development platform and a leading Human Resources service operating on legacy architectures and applications re-hosted within Amazon Web Services (AWS). The converse also applies: we found new mobile services introduced by cloud service providers without adequate testing of the technical or process differences between their traditional web and new mobile operating models.

Privacy & Compliance

Cloud services by definition are multi-location, presenting legal jurisdiction issues and multiple compliance regimes that need to be considered in any cloud service risk assessment – a cloud service provider may be headquartered in one jurisdiction, contracting through a subsidiary in another, operating infrastructure in all three or a different location, and supported by contract staff in yet another location.

Many US and EU based cloud service providers state compliance with GDPR and the EU-US Privacy Shield; however, they will also need to agree to compliance with Australian Privacy Laws, in particular “as soon as practicable” mandatory breach reporting rather than the 72 hours required under GDPR. The use of support staff in overseas locations (particularly non-OECD countries) by a cloud service provider will require additional contract language to ensure cyber security controls, human resource practices, and compliance attestations are in place.

Many cloud service providers have standard terms and conditions that state they are not liable for loss, corruption or damage to data, or consequential loss, even though this may be in conflict with their undertaking for compliance with Privacy Laws, and industry standards such as the PCI-DSS. Contract language will need to be developed and agreed to ensure undertakings made during supplier selection are enforceable.

Supply Chain Risk

Cloud service offerings are themselves generally composed of many other Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service or managed support services. This presents supply chain risk for the cloud service consumer, who will need assurance from the cloud service provider or additional assessment of those sub-providers.

During the year we found a global payment platform providing assessment responses based on their PCI-DSS Attestation of Compliance but operating some critical business processes using non-certified storage and integration services. We also found a popular crash / bug reporting service hosted in the Middle East with no security information available, and a leading GRC system using a tier-2 managed service provider with no assurance over their services.

Cyber Security

A significant number of cloud service providers operate on standard Amazon Machine Images without additional hardening, vulnerability management or anti-malware protection. In addition, many cloud service providers, including a leading global payment platform and a leading Identity-as-a-Service platform, do not have anti-malware protection on their AWS Linux servers.

During the year we also found:

  • A leading Human Resources platform with a 3-monthly patching cycle
  • A leading microservices API company and a leading GRC system that do not conduct penetration testing or independent code review – relying on a bug bounty type arrangement with customers
  • A leading Building Management system with no regular penetration testing
  • A leading Learning Management System with no periodic vulnerability scanning or secure code reviews
  • A number of cloud services including a leading GRC system storing keys and passwords in a consumer password safe.
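Findings like the ones above (stock images without hardening, no anti-malware agent, quarterly patching) come out of a provider's host inventory once it is compared against explicit thresholds rather than read by eye. The script below is an added example, not Cyberisk Australia's assessment tooling or any provider's code. The host records, image names and the 30-day patch-age threshold are constructed assumptions for illustration; an assessor would substitute the consumer's own policy values.

```python
from datetime import date

# Assumed policy thresholds for this example (not figures from the assessments above).
MAX_PATCH_AGE_DAYS = 30
# Constructed markers for stock, unhardened base images.
STOCK_IMAGE_PREFIXES = ("amzn2-ami", "ubuntu/images")

# Assessment date, fixed so the example is reproducible.
TODAY = date(2019, 12, 31)

# Constructed host inventory in the shape a provider might return in an assurance response.
HOSTS = [
    {"host": "pay-api-01", "image": "amzn2-ami-hvm-2.0", "hardened": False,
     "anti_malware": False, "last_patched": date(2019, 9, 1)},
    {"host": "hr-web-01", "image": "ubuntu/images/hvm-ssd", "hardened": True,
     "anti_malware": True, "last_patched": date(2019, 10, 15)},
    {"host": "grc-db-01", "image": "cis-hardened-amzn2", "hardened": True,
     "anti_malware": True, "last_patched": date(2019, 12, 20)},
]


def host_findings(host, today):
    """Return the list of control gaps for one host (empty list means no gap)."""
    findings = []
    # Stock image with no hardening applied on top of it.
    if not host["hardened"] and host["image"].startswith(STOCK_IMAGE_PREFIXES):
        findings.append("stock image without hardening")
    if not host["anti_malware"]:
        findings.append("no anti-malware protection")
    # Patch age measured from the last recorded patch date.
    age = (today - host["last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patch age {age} days exceeds {MAX_PATCH_AGE_DAYS}")
    return findings


def assess_hosts(hosts, today):
    """Map each host name to its findings."""
    return {h["host"]: host_findings(h, today) for h in hosts}


def hosts_with_gaps(hosts, today):
    """Sorted names of hosts that have at least one finding, for the report summary."""
    return sorted(name for name, gaps in assess_hosts(hosts, today).items() if gaps)


if __name__ == "__main__":
    for name, gaps in assess_hosts(HOSTS, TODAY).items():
        print(name, "-", "; ".join(gaps) if gaps else "no findings")
```

A provider that cannot produce an inventory with these fields at all is itself a finding; the absence of the data is usually what separates “no anti-malware protection” from “anti-malware protection not evidenced”.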

An effective cloud risk assessment requires a repeatable process of control assurance across company due diligence, financial due diligence, service quality, privacy, IT risk and cyber security. The cyber security controls to be assessed should be aligned to an industry standard such as ISO 27001 or the NIST Cyber Security Framework (CSF). Cloud service consumers should apply a risk-based approach to assessments, using the required business process resilience and the classification of data to be processed by the cloud service to either accept risk, obtain responses to a series of questionnaires, or require an independent audit report. A number of cyber security companies are available to assist, including Cyberisk Australia with our fixed price service.

Disclaimer. This is general advice only. The reader is solely responsible for establishing and maintaining an effective system of internal control over their operations including systems designed to assure achievement of their control objectives and compliance with applicable laws and regulations. The reader should obtain additional legal and cyber security advice prior to making any supplier or service procurement decisions.