Layering Governance Over Cloud: Do Not Re-Build Perpetually!

Layering Governance Over Cloud 

As the latest Amazon earnings announcement for AWS suggests, enterprises have adopted cloud at a rapid pace over the last few years as a part of the emerging Bimodal IT paradigm. However, given the focus on cost and agile development, the sourcing of cloud vendors has typically been cost-based, and the governance framework adopted across empirical. The recent Sony cyberattacks have proved beyond doubt, that enterprise data is the biggest source of competitive advantage in today’s digital era and needs to be preserved and protected at all costs. Today, as critical business processes and data have started moving to the cloud, there is an increasing clamour for newer and more specific risk and control measures to ensure information security. At the same time, the threat landscape and information security requirements changes with each vendor, location, service, business priority and more. But, this does not and should not mean that organizations need re-invent their cloud management systems and governance processes again every time the threat landscape evolves.

As the phenomena of cloud-based software deployments become the new normal, enterprises need to take a deeper and renewed look into Information Security and Risk Management instead of perpetually trying to re-build their Governance, Risk and Compliance (GRC) programs to keep pace with regulations and emerging cloud service models and technologies. The modern and leading organizations of tomorrow need to adopt a layering approach. Organizations need to create a single GRC layer over their cloud ecosystem, which can expand across multiple cloud vendors and models. The layering approach is imperative to ensure the cloud ecosystem can scale securely across the following attributes:

  • Heterogeneity: The ecosystem can support heterogeneous platforms in terms of their operating systems, technology ecosystems, devices and user base to ensure economies of scale and lower total cost of ownership.
  • Virtualization: The ecosystem will adopt cloud-based virtualized environments.
  • Big Data: The ecosystem can manage the complexity, volume and variety of data being created as the phenomena of social collaboration and mobility takes centerstage in enterprises.

The GRC layer should have capabilities to consolidate information from various end-point data sources within the cloud ecosystem and aggregate them into a single container. The layer should be able to provide a common taxonomy and orchestration for system level controls, risk assessments, access control audits and compliance checks across the cloud ecosystem. It needs to have aggregation dashboards and reporting mechanisms to consolidate the data, and provide a single source of truth to IT and business leaders. As business resilience becomes paramount in modern digital enterprises, the governance layer will also need to include the business continuity and disaster recovery related audits, plans and ownership. The layer can be used to define, create and enforce a common set of policies across all cloud vendors. It can act as the repository for all historical information in terms of compliance and control measures. The GRC layer will also provide a common framework for the risk and compliance evaluation of future cloud Service Providers that an organization may be considering. Having a common risk and control framework will allow the organization to set the right benchmarks and service-level agreements for the providers and aid in assimilating them with the ecosystem in a timely manner.

Cloud Ecosystem Downtime

While the naysayers will debate the cost and complexity of the tasks at hand, the cost of not having the GRC layer within the cloud ecosystem is enormous. Analysts estimated a $5 million USD loss from one single hour of outage of AWS for Amazon itself. Today most businesses are not even able to assess the true cost of cloud ecosystem downtime. The ability to handle these outages, compliance costs and threats leveraging a comprehensive GRC layer can save trillion of dollars in business operations losses, regulatory fines and service restoration costs. A fragmented or silo-based approach not only exposes the organization to the risk of operational loss or data theft, but also increases the cost of replicating the layer separately across each silo.

In conclusion, adopting a GRC layering approach allows organizations to create a single source of truth in terms of cloud governance, as well as superimpose a business context onto cloud-based assets. It is a priority that organizations recognize cloud factors such as the total cost of ownership model, the cost of disruption and the lack of organizational governance, control and provisions. The one stop assurance framework provided by a GRC layer can allow organizations to choose across the variety of emerging service and delivery models allowing them to optimize their total cost of ownership while ensuring governance across cloud ecosystem.

By Vibhav Agarwal

Kokumai

Identity Assurance – Sufficient and Necessary Conditions

Identity Assurance It is not easy to define the 'sufficient condition' for describing a set of processes used to establish that a natural person is real, unique, and identifiable; criminals keep coming up with hitherto ...
Mark Barrenechea

Information is at the Heart of Your Business

Information Business Even though digital information is evolving at a rapid pace, the world is still document-centric. Documents, whether created by a human or generated by a machine, underpin every operation, communication exchange and innovation ...
New York

From Y2K To NYC Parking Meters: Have We Learned Anything About Complacency In Cybersecurity?

Cybersecurity Complacency This past January – in what seems like a different world now – a story briefly hit the headlines and was seen as more of a quirk than a threat. It was soon ...
Bill Talbot

How IT Operations Can Survive and Thrive in a Multi-cloud World

IT Operations Can Thrive in a Multi-cloud World IT operations teams are contending with the reality that growing volumes of workloads are running across multiple cloud services. While multi-cloud environments are growing ubiquitous, many IT ...
Ajay

Explainable Intelligence Part 3 – The Strategy for XAI

The Strategy for XAI It is not enough to say that something is true just because 'I know it’s true!' – we have to have some evidence or argument that gives a justification for our ...
Ben Ferguson

7 Reasons Why You Should Consider Deploying SD-WAN Alongside Public Cloud Services

Why You Should Consider Deploying SD-WAN Software-defined WAN (SD-WAN) and public cloud IaaS services both offer powerful benefits to virtually any business. Many of these same businesses, however, are missing out on an incredible opportunity by ...