The mass exploitation of on-premises Microsoft Exchange Server, coming a few months after the SolarWinds Orion supply-chain compromise (also an on-premises network monitoring product), has reignited the debate: cloud vs. on-premises, which is more secure?
In reality, it is not an either/or question. There is hybrid cloud, a mix of both, and other flavors of cloud, public or private, and for CISOs the questions quickly get more specific: what is the most secure hosting option for a particular application or database, and which option carries the least risk? Both models also leave a share of the control set with the customer (identity, access policy, configuration), so the comparison is never simply "ours" versus "theirs".
Cyber risk quantification offers directly relevant answers to this debate. Many of our clients use RiskLens to advise their business on critical digital decisions, including the most secure architecture for critical business applications. CISOs can assess and report on risk for a specific asset or group of assets currently hosted on-premises, including the strength of the existing controls, and compare it with the risk if that asset were moved to the cloud, all measured in dollars. They can then set the projected risk reduction against the cloud hosting costs for a true cost-benefit analysis that factors in risk exposure. The quality of the answer depends on calibrated inputs: the frequency and magnitude estimates for each scenario, and an honest accounting of which controls actually change when the asset moves.
We’ve gathered three blog posts documenting how RiskLens clients have conducted risk assessments on cloud migration, including samples of financial charts and analysis outputs (generated in minutes) that give a solid footing to the on-prem vs. cloud decision process.
Start with this post, which lays out the three phases of a cloud migration analysis using a data breach scenario as the case in point. Step 1: measure the current loss exposure of the on-premises asset. Step 2: measure the exposure in the cloud by adjusting the variables that would actually change, for example stronger patching or filtering controls at the cloud host, which lowers the expected frequency of loss events. Step 3: compare the two results to get the risk reduction (if any) and weigh it against the new hosting costs.
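The three steps above can be carried out as a small FAIR-style Monte Carlo simulation. The following is an added example written for this page, not RiskLens code or output. It assumes that loss event frequency (events per year) and loss magnitude (dollars per event) are each given as calibrated (min, most likely, max) estimates sampled from a triangular distribution, that the number of events in a year is Poisson with the sampled frequency as its rate, and that the on-premises and cloud estimates, as well as the added hosting cost, are constructed for illustration.

```python
"""Three-step cloud-migration risk comparison (FAIR-style) via Monte Carlo.

Added example; not code from the original post. Assumptions: (min, most likely,
max) estimates are sampled from a triangular distribution, and the yearly count
of loss events is Poisson with the sampled frequency as its rate.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # loss events per year: (min, most_likely, max)
    lm: tuple   # dollars per loss event: (min, most_likely, max)


def _tri(rng, est):
    """Sample a (min, most_likely, max) estimate. random.triangular takes (low, high, mode)."""
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scn, iterations=20000, seed=1):
    """Steps 1 and 2: annualised loss exposure for one hosting option.

    Returns (ale, p90): the mean annual loss and its 90th percentile, in dollars.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        events = _poisson(rng, _tri(rng, scn.lef))
        annual.append(sum(_tri(rng, scn.lm) for _ in range(events)))
    p90 = quantiles(annual, n=10)[-1]
    return mean(annual), p90


def analytic_ale(scn):
    """Closed-form expected annual loss, E[LEF] * E[LM] with triangular means, to sanity-check the simulation."""
    return (sum(scn.lef) / 3) * (sum(scn.lm) / 3)


def compare(on_prem, cloud, added_hosting_cost, iterations=20000, seed=1):
    """Step 3: risk reduction from the move, net of the new hosting cost."""
    ale_on, p90_on = simulate_ale(on_prem, iterations, seed)
    ale_cl, p90_cl = simulate_ale(cloud, iterations, seed)
    reduction = ale_on - ale_cl
    return {
        "ale_on_prem": ale_on,
        "ale_cloud": ale_cl,
        "p90_on_prem": p90_on,
        "p90_cloud": p90_cl,
        "risk_reduction": reduction,
        "net_benefit": reduction - added_hosting_cost,
    }


# Constructed illustrative estimates for an email data-breach scenario (not from the post).
ON_PREM = Scenario("on-prem mail server", lef=(0.5, 2.0, 5.0), lm=(100_000, 500_000, 2_000_000))
# Same per-event magnitude; stronger host-side patching and filtering assumed to cut event frequency.
CLOUD = Scenario("hosted mail", lef=(0.1, 0.5, 1.5), lm=(100_000, 500_000, 2_000_000))
HOSTING_DELTA = 100_000  # constructed: extra annual license/hosting cost of the move

if __name__ == "__main__":
    for key, value in compare(ON_PREM, CLOUD, HOSTING_DELTA).items():
        print(f"{key:>15}: ${value:,.0f}")
```

Only the frequency estimate changes between the two scenarios, because the move is assumed to change who patches and filters, not what a breach of the same mailbox data costs; if the migration also changed the data exposed (for example by adding a new tenant boundary), the magnitude estimate would change too. Reporting the 90th percentile alongside the mean keeps tail years visible, since a migration that lowers the average but not the worst case is a different decision.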
In this highly relevant case study, an information security team made its first move beyond qualitative cyber risk analysis and saw for itself the value of cyber risk quantification (CRQ). They also benefited from the RiskLens platform's guided approach to data gathering: they reviewed all the controls they had in place to prevent email-related breaches, for example their current patching process, email filtering capabilities and encryption capabilities, as a baseline to compare against the likely improved security available from Office 365. The bottom line: moving to O365 in the cloud would cost an additional $100,000 annually in license fees but gain an annual average risk reduction of $4 million. Note that such a result assumes the controls the provider takes over (patching, filtering) drive the current exposure; tenant-side controls such as authentication and access policy remain the customer's responsibility after the move and should stay in the model.
Whether you are in the federal government or the private sector, the methods detailed in this case study are the same, and they demonstrate the value of RiskLens for decision support. In this case, the analysis showed the team that their on-premises controls were better than they had assumed and compared favorably with cloud security: the move to cloud yielded only a slight improvement in risk reduction, a finding that agency management could weigh in choosing how to comply with overall federal requirements for cloud migration.
Contact us to discuss any of these case studies, and to learn more about how to better speak to your C-Suite and Board about the implications of the Microsoft hack.