Adopting A Cohesive GRC Mindset For Cloud Security

Cloud Security Mindset

Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and the integrity of their operations. Cloud implementation is sometimes built up over time in a business, while the technology and cybersecurity around it constantly evolve. This can lead businesses to find themselves with a fragmented approach to cloud control and security, which needs to be avoided through the implementation of a cohesive governance, risk and compliance (GRC) framework.

Cloud services are big business. In 2019, IDC predicts that worldwide spending on public cloud services will be $141 billion while last year, Amazon Web Services achieved net sales of $7.88 billion. Businesses get on board with cloud to perform better, to meet targets and objectives by being leaner, faster and more cost-effective.

Cloud helps businesses minimize the capital investment and maintenance costs of hardware and infrastructure. It supports rapid scaling up and down as needs dictate and brings elasticity to business operations, facilitating the addition and removal of user access more quickly and easily. Project deployment with cloud can be a more agile and faster affair. Efficient business operations are supported through improved access and information retrieval, while disaster recovery measures include robust backup and controls.

Being clear on risk

In the early days of cloud there were security concerns. It seemed to follow that assets residing ‘somewhere else’ were more at risk. Ownership and control of infrastructure gives a perception of security. However, the walls of a data center can be vulnerable to professional hackers, therefore it doesn’t automatically follow that infrastructure ownership provides greater security.

Cloud is a service-based delivery model typically involving an infrastructure provider, a platform provider and a software provider. While service procurement of an IT solution delivers some benefits, it also comes with some of its own risks. These include shared technology issues, the risk of insufficient due diligence and service reliability. And of course, it cannot be immune to the threat of data breaches and other potential security issues or data loss.

Clarity on the division of labor between company and service provider is an essential first checkpoint of a robust cloud service model – what are you responsible for? What is the service provider responsible for? This covers situations that include incident handling and virus infection on storage. Who manages such situations, should they arise, depends on the chosen service model. And this needs to be completely clear and transparent – there is nothing more valuable to a business than its data; its protection can’t be only half understood, and governance around all aspects is essential.

Secure cloud service provision

The right cloud architecture is a second critical consideration. Virtualization was the first phase of cloud adoption; now, isolation of data is also an imperative. While we saw multi-tenant solutions adopted first, the call is now for multi-instance to guarantee separation of company data. This is important because some regulation requires proof of data segregation, and it also provides greater flexibility with faster implementation of changes.

A cloud solution should also provide federated identity management so that the business has control over the access its users and devices have. As users move around in the organization, the system needs to be resilient in managing segregation of duties.

For continuous security assurance, quarterly or monthly testing is not enough. Real-time dashboards are needed and should be a part of the service model.

Cloud service providers are now adopting industry-standard GRC solutions that include segregation of duties, change management, continuous monitoring, and reporting and analytics. For best-practice secure cloud implementation, businesses should start with a robust GRC framework, assess cloud service providers meeting industry standards against that framework, and then ensure governance and control through service level agreements and continuous monitoring.

The GRC framework

For a single source of truth on regulatory compliance, security and control, the company’s GRC framework should apply across the complete cloud infrastructure and cover:

  • Continuous system controls monitoring – as business data and applications are mission critical
  • Penetration testing and audit management – conducted to a defined schedule
  • Incident response management – this is the norm with internally controlled assets and there should be no difference with cloud implementation. The process needs to detail response activities that kick in immediately in the event of a security problem
  • Compliance controls testing – the specifics of this will depend upon the industry, as particular requirements will apply in the likes of healthcare and finance
  • Disaster recovery and business continuity – this is about more than demonstrating disaster recovery on paper; the theory needs to be tested through disaster recovery operations
  • Onsite and offsite backup audits – on a regular basis.

In addition, a comprehensive GRC framework will also cover data encryption audits, forensics log management and reporting, elasticity and load tolerance testing, advanced cyberattack prevention measures and advanced cloud security analytics.

Resilience and control

Effective governance and control is integral to business success and growth. A risk-managed company is more resilient to market and situational change. The culture and practice of risk management and control has to come from the top down, permeating the organization’s entire operations. As well as defining and enforcing the policies for complete cloud implementation across all instances and cloud providers, the GRC framework should also serve as the template against which future providers can be evaluated.

With a GRC framework on cloud, businesses can expect enhanced information security, compliance and risk management, the highest levels of reliability and operational control and continuous transparency and confidence. Business continuity will be robust with disaster recovery measures in place. Also, regulatory mandates will be complied with.

GRC on the cloud is a way of ensuring security risks are completely understood, and that management through manual processes and firefighting in the event of an incident are avoided. It is also a way of smoothly managing change when business decisions require it.

The right GRC approach will support informed decision-making and ongoing management, putting your business in a better position to reduce risk and to realize the benefits of cloud in enhancing business performance.

By Vidya Phalke, Chief Technology Officer at MetricStream

Vidya Phalke is responsible for MetricStream's technical architecture and strategy. Prior to being promoted to the CTO position, Vidya served as Vice President of Product Management and Engineering where he was responsible for MetricStream's Software Products and Platform Delivery. Starting with MetricStream in 2003, Vidya has been instrumental in developing an industry-leading GRC software platform. Before joining the software industry, Vidya earned a PhD in Computer Science from Rutgers University, where he won two Small Business Innovation Research grants for his research on databases and network optimization.
