Tiatra, LLC
CIOs must reassess cloud concentration risk post-CrowdStrike

The recovery from last week’s defective content update from CrowdStrike that impacted millions of Microsoft Windows endpoints has been a significant undertaking, to say the least.

The outage put enterprises, cloud services providers, and critical infrastructure providers into precarious positions, and has drawn attention to how dominant CrowdStrike’s market share has become, commanding an estimated 24% of the endpoint detection and response (EDR) market.

That leading position and the ongoing push toward platform approaches to securing data are the main drivers for CrowdStrike’s inclusion on CSO’s top 10 most powerful cybersecurity companies list. But the outage has also raised questions about enterprise cloud strategies and resurfaced debate about overly privileged software, as IT leaders look for takeaways from the disastrous event.

It also highlights the downsides of concentration risk.

What is concentration risk?

CrowdStrike is regarded by many in the industry as the “gold standard” in the EDR and anti-malware protection market. Its Falcon solution employs an agent on each endpoint device to continuously monitor it for, and respond to, cyber threats such as ransomware and malware. This agent-based approach, along with a flaw in CrowdStrike’s Rapid Response Content validation process, is central to the scope of blue screens of death (BSODs) many enterprises have had to remediate.

As enterprises bring their systems back online, IT leadership teams must certainly face questions about how they were impacted and what their true exposure to these types of incidents is. Despite efforts to increase resilience in recent years, everyone is going to feel a little more vulnerable than they previously did in the wake of the CrowdStrike outage.

Looking to the future, IT leaders must bring stronger focus on “concentration risk” and how these supply chain risks can be better managed.

As noted by the Financial Conduct Authority (FCA), concentration risk is defined as: “The risks arising from the strength or extent of a firm’s relationships with, or direct exposure to, a single client or group of connected clients.”

In layman’s terms, it simply means putting all your eggs in one basket. We should expect this simple definition to be applied, and to receive regulator attention. I say this with reference to a recent meeting I had with fellow CISOs and regulators who expressed increasing concern about concentration risk.

Regulation ahead

Regulators will have observed what is being called the “world’s largest IT outage,” and they will be under pressure about what steps they can take to help prevent this scenario from occurring again. Once the dust settles, I anticipate the ever-increasing cloud concentration risk to be a significant target.

Most enterprises continue to make progress in their journey to the public cloud, with multiple large institutions adopting a “cloud first” mantra. These transformations typically start with a single cloud provider and gradually introduce additional cloud providers as necessary for specific use cases and to meet data sovereignty requirements.

Cloud concentration risk now arises when these enterprises rely worryingly on a single cloud service provider (CSP) for all their critical business needs. In effect, reliance on their own data center has shifted to storing all data and running all applications on a single cloud infrastructure.

Cloud concentration risk is then fully realized when any one incident, like the CrowdStrike outage, can disrupt your entire operation. With enterprises increasingly dependent on the same applications and cloud providers, this can be devastating at scale, as we’ve seen with CrowdStrike. Such a scenario extends to security breaches and other events that can have more systemic impact on countries and industries.

Dr. Matt Ryan from the UNSW Institute for Cyber (IFCYBER) explains that “during a major technology disruption event, large financial institutions will find it very difficult to simply pivot from one cloud service provider to another, as the cost to build this level of resiliency is simply too high for most commercial organizations.”

Still, we must.

Enter multi-cloud

To avoid the dangers of cloud concentration risk, a multi-cloud strategy, in which business workloads are spread across multiple cloud providers, is vital. With a multi-cloud strategy in place, when one provider has an issue, your operations in the other clouds can keep things running.

The alternative is to adopt a hybrid cloud approach, combining private and public cloud. This gives you more control over proprietary and sensitive data whilst still having all the benefits of public cloud scalability.

But either of these approaches, multi-cloud or hybrid cloud, brings increased complexity and challenges that could impact resilience if not managed properly. Unfortunately, the complexity of multiple vendors can itself lead to incidents and new risks, including cloud misconfigurations and difficulties in troubleshooting.

For the CIO, these approaches add vendor complexity, requiring management across different SLAs and support processes. FinOps, which blends financial and cloud operations, will have to be implemented to manage the costs across the various cloud providers in your multi-cloud environment, as well as the contracts. Internally, the CIO must manage their security policies across these cloud vendors, as well as any third parties the cloud providers themselves use.

What is your concentration risk tolerance?

Moving forward, understanding your organization’s exact acceptable level of concentration risk will be a key concern. Boards will want management teams to measure this risk so they can define what their tolerances should be.

The Cloud Security Alliance has some good thinking on this topic. It recommends ways to develop processes for transforming risk tolerance assessments, data/asset classifications, and business requirements into company policies, control objectives, and technical controls.

The approach I would recommend is to begin by identifying and documenting all your business-critical operations. Once these have been defined, technology teams can begin identifying all the underlying technology components and suppliers that support those operations. It’s at this stage that organizations can begin testing and identifying single points of failure in the process that may require further treatment or redundancy.
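The procedure above (list critical operations, map their components and suppliers, then look for single points of failure) and the multi-cloud argument earlier in the article both come down to one question: if a given supplier fails entirely, which operations stop? The following is an added example, not code from the article or from any vendor it names. It models each operation as a set of redundancy groups (the operation survives while at least one component in every group is up), computes each supplier's share of critical operations, flags suppliers for which some operation has no failover, and runs a tabletop outage per supplier against a board-set tolerance. The inventory, supplier names (CSP-1, CSP-2, EDR-A, IdP-X, Internal) and component names are constructed placeholders.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """A technology component and the supplier that provides it."""
    name: str
    supplier: str


@dataclass(frozen=True)
class Operation:
    """A business-critical operation and what it depends on.

    `dependencies` is a tuple of redundancy groups. The operation stays up as
    long as at least one component in *every* group is available, so a group
    whose members all come from one supplier has no failover for that supplier.
    """
    name: str
    dependencies: tuple[frozenset[Component], ...]


def supplier_exposure(operations: list[Operation]) -> dict[str, float]:
    """Share of critical operations that depend on each supplier in any way."""
    touched: dict[str, set[str]] = defaultdict(set)
    for op in operations:
        for group in op.dependencies:
            for comp in group:
                touched[comp.supplier].add(op.name)
    return {s: len(ops) / len(operations) for s, ops in touched.items()}


def single_points_of_failure(operations: list[Operation]) -> dict[str, list[str]]:
    """Map each supplier to the operations that have no failover away from it."""
    spof: dict[str, set[str]] = defaultdict(set)
    for op in operations:
        for group in op.dependencies:
            suppliers = {c.supplier for c in group}
            if len(suppliers) == 1:
                spof[suppliers.pop()].add(op.name)
    return {s: sorted(ops) for s, ops in spof.items()}


def simulate_supplier_outage(operations: list[Operation], supplier: str) -> list[str]:
    """Tabletop test: which operations stop if every component from `supplier` fails?"""
    down = [
        op.name
        for op in operations
        if any(all(c.supplier == supplier for c in group) for group in op.dependencies)
    ]
    return sorted(down)


def breaches_tolerance(exposure: dict[str, float], tolerance: float) -> dict[str, float]:
    """Suppliers whose share of critical operations exceeds the agreed tolerance."""
    return {s: e for s, e in exposure.items() if e > tolerance}


# Constructed inventory for illustration; supplier and component names are placeholders.
COMPUTE_PRIMARY = Component("compute-primary", "CSP-1")
COMPUTE_DR = Component("compute-dr", "CSP-2")
DB_PRIMARY = Component("database-primary", "CSP-1")
DB_REPLICA = Component("database-replica", "CSP-2")
EDR_AGENT = Component("edr-agent", "EDR-A")        # the same agent on every endpoint
IDENTITY = Component("identity-provider", "IdP-X")
ONPREM = Component("onprem-datacenter", "Internal")

OPERATIONS = [
    # Redundant across two clouds, but still pinned to one EDR and one IdP.
    Operation("payments", (frozenset({COMPUTE_PRIMARY, COMPUTE_DR}),
                           frozenset({DB_PRIMARY, DB_REPLICA}),
                           frozenset({EDR_AGENT}),
                           frozenset({IDENTITY}))),
    # Lives entirely in CSP-1 with no failover.
    Operation("customer-portal", (frozenset({COMPUTE_PRIMARY}),
                                  frozenset({DB_PRIMARY}),
                                  frozenset({EDR_AGENT}))),
    # Hybrid: stays on-premises, but its endpoints still run the EDR agent.
    Operation("payroll", (frozenset({ONPREM}), frozenset({EDR_AGENT}))),
    # Can run in the cloud or on-premises, but reads only from the CSP-2 replica.
    Operation("reporting", (frozenset({COMPUTE_PRIMARY, ONPREM}),
                            frozenset({DB_REPLICA}))),
]

if __name__ == "__main__":
    exposure = supplier_exposure(OPERATIONS)
    print("exposure:", exposure)
    print("single points of failure:", single_points_of_failure(OPERATIONS))
    print("above 60% tolerance:", breaches_tolerance(exposure, 0.6))
    for supplier in ("CSP-1", "EDR-A"):
        print(f"outage of {supplier} takes down:", simulate_supplier_outage(OPERATIONS, supplier))
```

With this inventory, CSP-1 and the EDR vendor both underpin 75% of critical operations and both exceed a 60% tolerance, yet the outage simulation separates them: losing CSP-1 stops only the customer portal, because payments and reporting have a second cloud or on-premises path, while losing the EDR agent stops every operation that runs it. That gap between "depends on" and "cannot survive without" is exactly what a single agent on every endpoint produces, and it is the number to put in front of the board when setting a concentration risk tolerance.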

Read More from This Article: CIOs must reassess cloud concentration risk post-CrowdStrike

Category: News
July 25, 2024
