Sage Advice - Cybersecurity Blog

The Risks and Rewards of Cloud Services

cloud-services-risks-and-rewardsCloud computing has gained popularity over the past few years, and organizations large and small are utilizing a variety of cloud services to support their business needs.

Cloud services are convenient because they are delivered remotely over the Internet. There is no need to manage on-premise servers. But as with all things online, they also present some risks. Remember, you can outsource the function, but never the risk or responsibility.

Let’s take a look at the different types of cloud computing services available, and why you might choose one model over another. Then we’ll review the risks and rewards all cloud services present.

Cloud Services Defined

In general, cloud computing allows organizations to access software and hardware that is managed by a service provider. This shared pool of computing resources can be scaled up or down depending on business needs. There are three basic types of cloud services and from these myriad hybrid models can be developed.

1. Software-as-a-Service (SaaS)

With SaaS, the operating environment is basically irrelevant, and a fully functional application is provided.  Examples include CRM systems, like SalesForce, ERP systems, like QuickBooks, and other office applications, like Office 365.

You can think of SaaS like renting a car. What you rent, is what you get. If it stops working, they give you a new one. You often pay based on how far you go and much gas you use. No modifications are allowed apart from configuration settings in the application itself. And of course, terms and conditions apply.

This model works best for organizations that have no interest in directly maintaining a business solution, but they need the solution because it solves a specific business need.

An example is email. Microsoft Exchange Server is a complicated and expensive business solution. Under the covers it requires a lot of engineering and design to work correctly. Issues of performance and storage are common with on premise implementations. The business just wants email messaging to work smoothly and be reliable, so they employ a SaaS, for example Microsoft Office 365, to take care of it.

2. Platform-as-a-Service (PaaS)

With PaaS, an operating system is included, for example, Windows / .NET and Linux / J2EE.  This model is more like leasing a car.  You can use it and modify it the way you need it to be. If you break something, it’s your responsibility to fix it. And terms and conditions still apply.

This model works best for organizations that have application engineers and a dedicated programming shop, but their on-premise resources cannot keep up with demands for faster performance, more storage, and faster updates to infrastructure. Improvements are often curtailed by the capital cost of upgrades.

In this model, the team can click a button to get resources added – new servers, additional storage, faster processing. Upgrades of resources is a financial issue and not an organizational road block. When you break something in this environment it is all on you to fix.

3. Infrastructure-as-a-Service (IaaS)

With IaaS, a virtual platform with operating environment and application are deployed. It includes a storage-as-a-service offering. In the IaaS model, you are basically building your own car from parts. Some of the parts you make yourself and others you buy. You need your own machine shop and garage, and you can rent one to get started.

This model works best for organizations that have infrastructure and network engineers, but the on-premise resources have become too demanding and expensive to manage. This can be because parts break, warranties expire, or you run out of space.

The team manages the same classes of resources remotely in someone else’s “garage.” Most resources — if not all — will be virtual. The garage owner is responsible for keeping the lights on, the lifts operating, and those fancy air compression pumps running.

Cloud Services Accountability

Vendors providing cloud services are not immune to cyberattacks. Some have had spectacular failures that have resulted in the clients going out of business or the vendor going out of business.

One recent example is VFEmail, an email service provider. In February 2019, they were essentially put out of business after a hacker was able to gain access to their servers and destroy all they company’s primary and backup data in the United States. Eighteen years of their customers' emails – including everything they had in their inbox and everything they had archived – was gone forever.

It’s important to know what controls your cloud service providers have in-place should the worst happen. Be sure you have a contingency plan for both protecting the data stored in the cloud as well as for retrieving your data stored in the cloud. Ask them what happens when your contract with them ends.

Cloud Services Risks & Rewards


As with everything online, the risks of storing your data in the cloud are many. But it’s important to be aware of the risks, so that you can build controls to mitigate them. Here are a few.

  • Lack of transparency into the actual control environment.
  • Loss of internal control.
  • Potential loss of “Institutional Memory” of critical services delivery.
  • Reliance on agreements, often significantly weighted toward the cloud service provider.
  • Out of sight-out of mind.
  • Tendency to think risk and accountability are outsourced.
  • Failure to implement adequate Complementary User Controls.

You could outsource the function. But the risk and accountability are yours. Like with all third-party service providers, make sure you understand the controls your cloud service providers have in place, and that they are on par with your policies.


There are also many rewards to using a cloud service provider.  Especially for organizations that have limited resources, budgets, and / or expertise. Here are a few.

  • Boosted capabilities and expertise.
  • Reduced risk of personnel shortages.
  • Reduced risk of skills deficits.
  • Contractual leverage for service delivery.
  • Infrastructure resilience.
  • Monthly expenses over capital purchases.
  • Someone else upgrades and updates.

One of the best ways to mitigate cybersecurity risk posed by third-party vendors, including your cloud service providers, is to implement a Vendor Risk Management Program. Learn how to build an effective program in our blog post, Seven Steps to a Successful Vendor Risk Management Program.

Cybersecurity Risk Assessment & Analysis

Topics: Vendor Management, Cloud Security

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More