BETTER IN THE CLOUD: BUSINESS-CRITICAL APPLICATIONS FOR SECURITY, PRIVACY, AND COMPLIANCE

June 2019
Derek E. Brink, CISSP, Vice President and Research Fellow, Information Security and IT GRC
KB



Security, privacy, and compliance used to be among the chief reasons for not moving business-critical applications to the Cloud. But today these apps are among the greatest motivators to make the jump — if you have the right solution provider.

Business-Critical Applications: Great Expectations

If you are responsible for your organization’s application computing infrastructure, you’re likely being asked to provide three pillars of business value to satisfy a variety of active stakeholders:

Users expect availability and high performance.

Operations teams demand greater flexibility, improved efficiency, and lower costs.

Everyone expects security, privacy, and regulatory compliance risks to be addressed. At a minimum, these risks include availability of business-critical systems, data, and applications, data confidentiality and integrity assurance, and, most importantly, the guarantee that valuable and / or regulated data is secure.

If these demands ring true for you, you’re not alone. When asked about current drivers toward computer infrastructure investments, respondents in Aberdeen’s benchmark research weighed these three pillars equally.

Keeping up with these requirements is a tall order, and given the incredible complexity of today’s IT infrastructure, applications, data, devices, and threats to security, the environment is especially challenging. This mandate is in stark contrast to just a few years ago, when Aberdeen’s research showed that more business-critical applications created an increasingly cautious approach in terms of moving virtualized workloads from enterprise-managed infrastructure (also referred to as on-premises) to outsourced Cloud service providers. This trend is rapidly changing, and here’s why.

Valuable and / or Regulated Data

Personal data / Personally Identifiable Information (PII)

Personal Health Information (PHI)

Confidential Information (CI)

Intellectual Property (IP)

Employee records

Client data / Business-Partner data

Cardholder data


What’s Important and What’s Strategic

For most organizations, simply rolling up sleeves and allocating limited IT resources to integrate, optimize, and maintain the exponentially growing complexity of the application computing infrastructure, security, privacy, and compliance would not be considered strategic. Important, yes, but not strategic. Leveraging applications and data to support business needs, serve customers, and distinguish your organization from the competition is strategic; managing the underlying technology stack is not.

Can Cloud-Based Service Providers Enhance Security?

Traditionally, data security, privacy, and regulatory compliance concerns have been the excuse for not moving business-critical applications to the Cloud; however, there’s growing evidence that cloud-based services are more secure. In a service-provider / enterprise-subscriber relationship, all parties focus their resources and expertise, specializing in what each does best:

Cloud providers deliver the architecture, integration, optimization, security, and operational aspects of the essential, computing-infrastructure lower-level stack on a large scale. They can justify investments to achieve, sustain, and certify security compliance and privacy requirements for their large subscriber base. Critical applications such as ERP, CRM, Finance / Accounting, and HCM are increasingly included in this mix.

Enterprise subscribers focus resources on applications and data, which are the most strategic aspects of the computing infrastructure stack.

Both parties share responsibilities for security operations. For most organizations, moving to cloud providers will drive net improvement in data security, privacy, and regulatory compliance as compared to managing existing practices for traditional IT or private clouds.

Many organizations lack the resources — both the bandwidth and availability of existing personnel and specialized technical experts — and tactical focus needed to perform these activities well. A company’s primary focus is on running and growing their business, not on managing security, privacy, compliance, and risk.

Important but Not Strategic Activities:

Keeping IT infrastructure properly configured, patched, and up-to-date

Achieving and sustaining security and privacy compliance

Keeping up with the latest security threats and vulnerabilities landscapes

Ensuring well-protected IT infrastructure and sensitive data

Monitoring, detecting, investigating, and responding to security incidents in a timely manner


Understanding and Properly Defining Risk

Many organizations struggle with quantifying the risk to sensitive data as a result of inadequate data management. Aberdeen’s analysis, based on empirical data from thousands of organizations, quantifies the potential risk of a data breach (Figure 1).

Figure 1: The Value of a Mature Security Model

Source: Monte Carlo analysis; data adapted from Verizon DBIR 2018, Thales www.breachlevelindex.com 2017-2018, and Ponemon Cost of a Data Breach 2018; Aberdeen, June 2019

As Figure 1 suggests, the organization’s senior leadership team is in a much stronger position to make a better-informed business decision regarding whether the risk of a data breach is addressed more effectively with an on-premises implementation or in partnership with a leading cloud services provider.

Although estimates such as “the average total cost of a data breach is $3.86M” are common, this kind of analysis is highly misleading. By definition, risk is not a single outcome but a range of possible outcomes, each with its own associated likelihood. Aberdeen’s research shows that the median total cost of a data breach is about $440,000 in the private sector. This suggests that in about half of these incidents, the expense is likely to be less, while it is likely to be more in the other half. A review of 3,271 public data-breach disclosures from 2017 to 2018 shows that the median number of records breached in each episode was 1,300.

The “long tail” of the risk curve is what senior leadership will want to focus on. The team will want to make a well-informed decision about the risk of a data breach and what to do about it. Figure 1 suggests that there’s a likelihood (10%) that the total business impact will be more than $1.8 billion.

The risk curve can also be used to answer questions about the senior leadership team’s appetite for risk. What’s the total business impact of a data breach? Will it exceed $10 million? The chance is 36%, or about 1 in 3. Will it exceed $100 million? The likelihood is 26% — or about 1 in 4.
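The reading of the risk curve described above (median versus average, and the probability that cost exceeds a chosen threshold) can be reproduced with a small Monte Carlo. This is an added example, not code or a model from the Aberdeen paper: total breach cost is modelled as records breached times cost per record, both lognormal, and every parameter except the quoted median of 1,300 records is a constructed assumption.

```python
import math
import random
import statistics


def simulate_breach_costs(n=20000, seed=7, median_records=1300, sigma_records=2.0,
                          median_cost_per_record=150.0, sigma_cost=0.8):
    """Monte Carlo draw of total breach cost = records breached * cost per record.

    Both factors are lognormal, which produces the heavy right tail the text calls
    the "long tail". All parameters are constructed assumptions for illustration
    (not Aberdeen's model); median_records=1300 is the figure quoted in the text.
    """
    rng = random.Random(seed)
    mu_r, mu_c = math.log(median_records), math.log(median_cost_per_record)
    return [rng.lognormvariate(mu_r, sigma_records) * rng.lognormvariate(mu_c, sigma_cost)
            for _ in range(n)]


def exceedance_probability(samples, threshold):
    """Fraction of outcomes whose cost exceeds threshold: one point on the risk curve."""
    return sum(1 for s in samples if s > threshold) / len(samples)


def risk_summary(samples, thresholds):
    """Mean, median and exceedance probabilities at the given thresholds.

    A mean far above the median is exactly why a single "average cost" figure
    misstates the risk a leadership team actually faces.
    """
    return {
        "mean": statistics.fmean(samples),
        "median": statistics.median(samples),
        "exceedance": {t: exceedance_probability(samples, t) for t in thresholds},
    }


if __name__ == "__main__":
    costs = simulate_breach_costs()
    summary = risk_summary(costs, [1e6, 10e6, 100e6, 1.8e9])
    print(f"mean   ${summary['mean']:,.0f}")
    print(f"median ${summary['median']:,.0f}")
    for t, p in summary["exceedance"].items():
        print(f"P(cost > ${t:,.0f}) = {p:.1%}")
```

The thresholds passed to risk_summary are the same questions the text poses ($10M, $100M, $1.8B); swapping in an organization's own loss data for the constructed distributions turns the same code into a usable risk-appetite check.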

Regulatory Compliance: Beyond Security

More recently, Aberdeen’s integration of intent data into its research capabilities has provided additional insights. Based on the most frequently searched topics, the issues that most concern enterprises are security and compliance. Referencing the top four most-searched application categories (ERP, CRM, Finance / Accounting, and HCM), Aberdeen’s analysis of over 7,700 companies yields the following insights:

Security: Companies researching the top four application categories were 2–3 times more likely to search specifically for security-related topics as well. This finding reflects the impact a potential compromise of confidential information or intellectual property — or an unplanned disruption of critical systems — could have.

Compliance: Companies researching the top four application categories were 20–30 times more likely to search specifically for compliance topics. This finding reflects the mind-numbing array of regulatory and industry compliance requirements for data and processes that any given enterprise may need to deal with, including PCI DSS, GDPR, 21 CFR Part 11, contracts and service level agreements, SOX, SSAE18 / SOC 1, SSAE18 / SOC 2, ISO 27001 / 27002, ISO9001, Privacy Shield, and Cloud Controls Matrix, among others.

The apparent (and necessary) interest in security, privacy, and compliance certifications is an important and readily available indicator of a cloud-service provider’s maturity and level of commitment. Simply put, certifications assure enterprise subscribers that a potential cloud service provider’s critical processes related to security, privacy, or compliance are defined, documented, reviewed, and proven.


Moving Business-Critical Applications to the Cloud: Why Wait?

As seen in Aberdeen’s benchmark research, virtually all growth in planned application deployments favors cloud service providers over on-premises implementations. Are you considering cloud-based proposals for your business-critical applications? With the right cloud service provider, the time has come to ask, “Why are we waiting?”


About Aberdeen Group

Since 1988, Aberdeen Group has published research that helps businesses worldwide to improve their performance. Our analysts derive fact-based, vendor-neutral insights from a proprietary analytical framework, which identifies Best-in-Class organizations from primary research conducted with industry practitioners. The resulting research content is used by hundreds of thousands of business professionals to drive smarter decision-making and improve business strategies. Aberdeen Group is headquartered in Waltham, Massachusetts, USA.

This document is the result of primary research performed by Aberdeen Group and represents the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group.
