Cloud services – Guidance for managing cybersecurity risks

Cloud services make information technology (IT) resources (e.g., networks, servers, software applications and data storage) and related services (e.g., hardware and software maintenance and technical support) available as a utility or consumption-based service. Cloud services enable an organization to outsource its IT requirements to a specialist cloud service provider (a CSP) who can provide required services in a better and more efficient and cost-effective manner. For those reasons, cloud services can provide significant benefits, but they can also present potentially significant risks.

An organization that uses cloud services to operate its business or provide products or services to its customers remains responsible and liable for legal compliance and performance of the organization’s legal obligations to investors, employees, customers and business partners. In addition, the organization is often dependent on the CSP and vulnerable to CSP misconduct, because the CSP usually has complete control over the quality and availability of the cloud service and physical custody of the organization’s business data, including the organization’s own sensitive/confidential data and third party data that is protected by restrictions/requirements imposed by contract, common/civil law or statute.

Those circumstances can present potentially significant risks to the organization, including risks relating to: (1) business continuity (if there are problems with the service or the CSP suspends or terminates the service); (2) data availability, integrity and confidentiality; and (3) legal compliance. Failure to manage those risks can result in various kinds of potentially significant claims and liabilities (e.g., lawsuits by shareholders, customers, employees and business partners, and investigations and enforcement proceedings by regulators) and losses (e.g., business disruption losses and reputational harm).

The Canadian Centre for Cyber Security has issued guidance for managing cybersecurity risks associated with cloud services. The guidance recognizes the significant benefits of cloud services, but cautions organizations to carefully assess and effectively manage the risks presented by cloud services. All organizations contemplating the use of cloud services can benefit from the Cyber Centre’s guidance.

Read Bradley Freedman’s bulletin on this guidance.

This content has been updated on August 23, 2020 at 10 h 38 min.