Cloud Computing Risks and Exit Strategies

Cloud computing has become the default way most organisations run their information systems. Email, file storage, accounting, customer relationship management, internal communications, line of business applications - all increasingly delivered as services rather than installed on local infrastructure. The shift has reduced the burden of running technology and improved availability for most organisations, but it has also moved the risks rather than removed them.

The cloud risks fall into two main categories: risks created by the relationship with the provider (outages, cost increases, contract changes, business failure) and risks created by how the service is configured and used (misconfigured access, leaked credentials, data ending up in the wrong jurisdiction). Both need to be identified and managed, and the same management system that handles the wider information security risks needs to extend to cover cloud services explicitly.

Cloud Computing Risks

The headline cloud risk for most organisations is service unavailability. A major cloud provider going down for hours takes huge swathes of the internet with it, and most contracts cap the provider's liability well below the actual cost to the customer. The position is partly mitigated by choosing providers with good track records and by designing services to tolerate provider outages where possible, but full mitigation is rarely cost-effective for ordinary businesses.

Data location is the next significant risk. Cloud services may store data anywhere the provider has infrastructure, and that creates compliance questions for personal data under UK GDPR and contractual questions for customer data with restrictions on where it can sit. The provider's contract should make the data location explicit, and the data protection register should reflect the actual locations rather than what the marketing material implies.

Misconfiguration is the source of most cloud security incidents. A storage bucket left open to the internet, a database with default credentials, an administrator account without multi-factor authentication. Cloud platforms make it easy to do the right thing and easy to do the wrong thing; the controls that produce good outcomes are training, configuration baselines and routine review of how services are actually set up.

Vendor lock-in is the slow-burn risk. The longer a business runs on a particular cloud platform, the harder it becomes to move - data formats, integrations, custom configurations and trained staff all create switching costs. The exit strategy is the document that addresses this risk before it becomes urgent rather than after.

The Shared Responsibility Model

Cloud security operates on a shared responsibility model. The provider is responsible for the security of the cloud - the underlying infrastructure, physical security of data centres, the platform itself. The customer is responsible for security in the cloud - configuration, access management, what data is uploaded, who can reach it, how it is protected.

The split varies by service type. With software-as-a-service (Microsoft 365, Salesforce, Xero), the customer's responsibility is mostly user accounts, access permissions and data classification. With platform-as-a-service or infrastructure-as-a-service (AWS, Azure, Google Cloud), more of the configuration is the customer's job. Many of the high-profile cloud breaches reported in the press are not provider failures - they are customer-side configuration errors, with cloud storage left publicly accessible by mistake or with admin accounts protected only by weak passwords.

The practical control is making sure the boundary is understood for each service the organisation uses. The cloud register records the responsibility split so that nothing falls between provider and customer assumptions.

The Cloud Computing Register

The first step in managing cloud risk is knowing what cloud services the organisation actually uses. This is harder than it sounds. Sanctioned services - the major systems chosen and contracted by IT - are visible. Shadow services - subscriptions that workers and teams have signed up for individually, often using a credit card and a personal email address - are not. Both need to be in the register.

The register captures the service, the supplier, what data is stored or processed there, the contract terms, the data location, the security certifications the provider holds, the renewal date and the owner inside the organisation. Reviewing the register periodically catches the services that have crept in informally and surfaces decisions that have been made by default rather than deliberately.

Critical or business-essential cloud services warrant additional attention - documented assessments before adoption, regular review of the provider's security posture, and explicit treatment in the continuity and exit plans.

Cloud Exit Strategies

The cloud emergency exit strategy answers a simple question: if this provider stopped working tomorrow, or if the relationship had to end suddenly, what would we do? The answers are rarely simple. A working exit strategy covers how the data would be retrieved (in what format, how quickly, by whom), where it would go next (an alternative provider, on-premise systems, or a holding arrangement), and what continues to work in the meantime.

The strategy needs to be specific to the service. An exit from a file storage service is largely a data transfer problem. An exit from an integrated business platform is often months of work. An exit from a bespoke industry application may simply not be feasible without considerable lead time and budget. Knowing this in advance shapes the contractual position with the provider and the realistic recovery time the business has to accept.

The exit strategy is closely related to the wider business continuity plan but addresses a different scenario. Continuity planning assumes the provider is temporarily unavailable; exit planning assumes the provider is permanently unavailable or the relationship has to end. Both are needed, and the cloud register should record which scenarios apply to each service.

Emerging Cloud Risks - AI and Beyond

Cloud-hosted AI services have introduced a new variant of cloud risk. The data sent to the AI service is processed by the provider, often used in ways the customer has not fully understood, and may end up training models that benefit other customers. Confidential information sent to a chatbot or a coding assistant may not stay confidential in the way the user assumed. The controls are the usual cloud controls plus an additional layer specific to AI: documented terms covering data use, awareness training so workers understand what should and should not be shared, and explicit decisions about which services are approved for what purposes.

Quantum computing is the longer-horizon emerging risk. The encryption used to protect data in transit and at rest will eventually need to migrate to quantum-resistant algorithms. The realistic timeline is years rather than months, but data captured now and stored by an attacker could be decrypted later if the migration is delayed. Major cloud providers are actively working on this transition, and the practical action for most organisations today is to track the topic rather than to make immediate changes.

UK Legislation

The following UK legislation is directly relevant to cloud computing risks and data location. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.

• Data Protection Act 2018
• Network and Information Systems Regulations 2018
• Computer Misuse Act 1990

Further Resources

• Information Security overview
• Managing Information Security Risks
• Backup, Business Continuity and ICT Recovery
• Access Control, Passwords and User Authentication