Layering Governance Over Cloud: Do Not Re-Build Perpetually!

Layering Governance Over Cloud 

As the latest Amazon earnings announcement for AWS suggests, enterprises have adopted cloud at a rapid pace over the last few years as a part of the emerging Bimodal IT paradigm. However, given the focus on cost and agile development, the sourcing of cloud vendors has typically been cost-based, and the governance framework adopted across empirical. The recent Sony cyberattacks have proved beyond doubt, that enterprise data is the biggest source of competitive advantage in today’s digital era and needs to be preserved and protected at all costs. Today, as critical business processes and data have started moving to the cloud, there is an increasing clamour for newer and more specific risk and control measures to ensure information security. At the same time, the threat landscape and information security requirements changes with each vendor, location, service, business priority and more. But, this does not and should not mean that organizations need re-invent their cloud management systems and governance processes again every time the threat landscape evolves.

As the phenomena of cloud-based software deployments become the new normal, enterprises need to take a deeper and renewed look into Information Security and Risk Management instead of perpetually trying to re-build their Governance, Risk and Compliance (GRC) programs to keep pace with regulations and emerging cloud service models and technologies. The modern and leading organizations of tomorrow need to adopt a layering approach. Organizations need to create a single GRC layer over their cloud ecosystem, which can expand across multiple cloud vendors and models. The layering approach is imperative to ensure the cloud ecosystem can scale securely across the following attributes:

  • Heterogeneity: The ecosystem can support heterogeneous platforms in terms of their operating systems, technology ecosystems, devices and user base to ensure economies of scale and lower total cost of ownership.
  • Virtualization: The ecosystem will adopt cloud-based virtualized environments.
  • Big Data: The ecosystem can manage the complexity, volume and variety of data being created as the phenomena of social collaboration and mobility takes centerstage in enterprises.

The GRC layer should have capabilities to consolidate information from various end-point data sources within the cloud ecosystem and aggregate them into a single container. The layer should be able to provide a common taxonomy and orchestration for system level controls, risk assessments, access control audits and compliance checks across the cloud ecosystem. It needs to have aggregation dashboards and reporting mechanisms to consolidate the data, and provide a single source of truth to IT and business leaders. As business resilience becomes paramount in modern digital enterprises, the governance layer will also need to include the business continuity and disaster recovery related audits, plans and ownership. The layer can be used to define, create and enforce a common set of policies across all cloud vendors. It can act as the repository for all historical information in terms of compliance and control measures. The GRC layer will also provide a common framework for the risk and compliance evaluation of future cloud Service Providers that an organization may be considering. Having a common risk and control framework will allow the organization to set the right benchmarks and service-level agreements for the providers and aid in assimilating them with the ecosystem in a timely manner.

Cloud Ecosystem Downtime

While the naysayers will debate the cost and complexity of the tasks at hand, the cost of not having the GRC layer within the cloud ecosystem is enormous. Analysts estimated a $5 million USD loss from one single hour of outage of AWS for Amazon itself. Today most businesses are not even able to assess the true cost of cloud ecosystem downtime. The ability to handle these outages, compliance costs and threats leveraging a comprehensive GRC layer can save trillion of dollars in business operations losses, regulatory fines and service restoration costs. A fragmented or silo-based approach not only exposes the organization to the risk of operational loss or data theft, but also increases the cost of replicating the layer separately across each silo.

In conclusion, adopting a GRC layering approach allows organizations to create a single source of truth in terms of cloud governance, as well as superimpose a business context onto cloud-based assets. It is a priority that organizations recognize cloud factors such as the total cost of ownership model, the cost of disruption and the lack of organizational governance, control and provisions. The one stop assurance framework provided by a GRC layer can allow organizations to choose across the variety of emerging service and delivery models allowing them to optimize their total cost of ownership while ensuring governance across cloud ecosystem.

By Vibhav Agarwal

Gary Bernstein
Most Dangerous Botnets While it’s no secret that the technical sophistication of cyber-attacks grows exponentially, adversaries often need widespread networks to make it happen. One of the ways to do that is to infect legitimate ...
Using Data Scraping to Learn What You Need to Know
Data Scraping Opportunities How can you know what you don’t know? It sounds like a rhetorical question, but it is in fact a vital component of business strategy. As much as any company or organization ...
James Corbishly
Teams Sprawl in the Remote Workspace As working from home has become the new everyday norm, with more employers embracing the remote-work model as a new and likely permanent fixture of the employment world, there ...
Episode 16: Bigger is not always better: the benefits of working with smaller cloud providers
The benefits of working with smaller cloud providers A conversation with Ryan Pollock, VP Product Marketing and Developer Relationships for Vultr.com - Everyone knows who the big players are in the cloud business. But sometimes, ...
Derrek Schutman
Implementing Digital Capabilities Successfully Building robust digital capabilities can deliver huge benefits to Digital Service Providers (DSPs). A recent TMForum survey shows that building digital capabilities (including digitization of customer experience and operations), is the ...

SECURITY TRAINING

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.

  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.