
How cloud redundancy affects SOC2 reporting

Mar 30, 2022

Multi-cloud is a strategy for using two or more cloud computing services to provide for additional redundancy and recovery capabilities. Organizations can use one of the cloud platforms as a primary (production) cloud environment and another as the secondary (backup) cloud environment. This redundancy helps to ensure an organization can recover without any disruptions if one provider becomes unavailable for any reason.

When designing controls to meet the SOC 2 risk mitigation and availability criteria, a multi-cloud platform offers major advantages. As large cloud providers have increasingly experienced outages, it’s important for service providers to have a backup plan and address it in their vendor due diligence documentation, such as SOC 2 reporting.

In some cases, multi-cloud is used to support a single architecture with specialty services available within the respective cloud environments. According to Gartner, 81% of organizations currently work with two or more public cloud providers. Multi-cloud platforms keep organizations from being locked in with any single vendor.

But this flexibility comes with extra costs, as you may double your costs if constructing a completely redundant and current version of your production resources in an alternate cloud environment. Also, be aware of the functionality details. Do you understand multi-platform monitoring, security mechanisms and how the environments will pass and share data?

How to implement a multi-cloud strategy

Organizations need to pay particular attention to their data structure and flow. Databases can be native to a single cloud provider (e.g., Amazon DynamoDB), so the team would need to identify a comparable database type in the mirrored cloud environment that would work.

Another strategy could be to use the same underlying database type in all cloud platforms. If you’re building your application and systems from scratch, the platforms may all seem suitable on the front end, but they may have differences that can make them more challenging to implement.

It’s important to note how containerization and orchestration software play into a multi-cloud strategy. This type of setup can make it easy to move software, and the systems it relies on, from one cloud to another without any code modifications. Containerized workloads can be orchestrated, deployed, scaled and managed using orchestration software like Kubernetes.

Business continuity in the cloud

Consider cloud strategies for business continuity as well. You could maintain what is called a “cold site” in the cloud. This means you have the resources needed to maintain operations in the new environment, but the data is not replicated in real time.

Another option is to have your source code and infrastructure as code packaged up and ready for deployment in another cloud environment in case of disruption. As you can guess, these approaches take considerable time to get up and running.

Challenges of multi-cloud adoption

For all of the benefits that a multi-cloud platform provides, it’s essential to be aware of the key obstacles affecting adoption.

  • Management complexity: Managing multiple cloud environments is complex as cloud vendors have different portals and connection mechanisms, different application programming interfaces associated with the network and unique processes for managing the cloud environment.
  • Talent scarcity: Having the employees you need to manage a multi-cloud platform can be difficult because the supply is limited. Retaining the right staff who are increasingly in demand can be challenging, and the war for talent is expected to get worse.
  • Cost control: Cost can become an issue as organizations have to pay for multiple vendors and their various services. However, it may be worth the cost if an outage would cause significant losses in revenue or cause contractual penalties.

How Wipfli can help

Wipfli advisors are knowledgeable about the benefits and challenges of using multi-cloud approaches and how that is reflected in your due diligence and SOC reporting efforts. Contact us to learn whether your current strategy makes sense or how it could be improved.


Author(s)

Mary Beth Marchione, CPA, CISA, CISSP
Senior Manager
Greeshma Yellu, CISA
Consultant, CISA, Security +