Adopting A Cohesive GRC Mindset For Cloud Security

Vidya Phalke

Cloud Security Mindset

Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and integrity of their operations. Cloud implementation is sometimes built up over time in a business, while the technology and cybersecurity around it constantly evolves. This can lead businesses to finding themselves with a fragmented approach to cloud control and security, and this needs to be avoided through the implementation of a cohesive governance, risk and compliance (GRC) framework.

cloud services are big business. In 2019, IDC predicts that worldwide spending on public cloud services will be $141 billion while last year, Amazon Web Services achieved net sales of $7.88 billion. Businesses get on board with cloud to perform better, to meet targets and objectives by being leaner, faster and more cost-effective.

Cloud helps businesses minimize the capital investment and maintenance costs of hardware and infrastructure. It supports rapid Scaling up and down as needs dictate and brings elasticity to business operations, facilitating the addition and removal of user access more quickly and easily. Project deployment with cloud can be a more agile and faster affair. Efficient business operations are supported through improved access and information retrieval, while disaster recovery measures include robust backup and controls.

Being clear on risk

In the early days of cloud there were security concerns. It seemed to follow that assets residing ‘somewhere else’ were more at risk. Ownership and control of infrastructure gives a perception of security. However, the walls of a data center can be vulnerable to professional hackers, therefore it doesn’t automatically follow that infrastructure ownership provides greater security.

Cloud is a service based delivery model typically involving an infrastructure provider, a platform provider and a software provider. While service procurement of an IT solution delivers some benefits it also comes with some of its own risks. These include shared technology issues, the risk of insufficient due diligence and service reliability. And of course, it cannot be immune to the threat of data breaches and other potential security issues or data loss.

Clarity on the division of labor between company and service provider is an essential first checkpoint of a robust cloud service model – what are you responsible for? What is the service provider? This covers situations that include incident handling and virus infection on storage. Who manages such situations, should they arise, depends on the chosen service model. And this needs to be completely clear and transparent – there is nothing more valuable to a business than its data; its protection can’t be only half understood, governance around all aspects is essential.

Secure cloud service provision

The right cloud architecture is a second critical consideration. Virtualization was the first phase of cloud adoption now, isolation of data is also an imperative. While we saw multi-tenant solutions adopted first, the call is now for multi-instance to guarantee separation of company data. This is important because some regulation requires proof of data segregation and it also provides greater flexibility with faster implementation of changes.

A cloud solution should also provide federated identity management so that the business has control over the access its users and devices have. As users move around in the organization the system needs to be resilient to managing segregation of duties.

For continuous security assurance, quarterly or monthly testing is not enough. Real-time dashboards are needed and should be a part of the service model.

Cloud service providers are now adopting industry standard GRC solutions that include segregation of duties, change management, continuous monitoring and reporting and analytics. For best practice secure cloud implementation, businesses should start with a robust GRC framework, assess cloud service providers meeting industry standards against that framework, and then ensure governance and control through service level agreements and continuous monitoring.

The GRC framework

For a single source of truth on regulatory compliance, security and control, the company’s GRC framework should apply across the complete cloud infrastructure and cover:

  • Continuous system controls monitoring – as business data and applications are mission critical
  • Penetration testing and audit management – conducted to a defined schedule
  • Incident response management – this is the norm with internally controlled assets and there should be no difference with cloud implementation. The process needs to detail response activities that kick-in immediately in the event of a security problem
  • Compliance controls testing – the specifics of this will depend upon the industry as particular requirements will apply in the likes of healthcare and finance
  • Disaster recovery and business continuity – this is about more than demonstrating disaster recovery on paper, the theory needs to be tested through disaster recovery operations
  • Onsite and offsite backup audits – on a regular basis.

In addition, a comprehensive GRC framework will also cover data encryption audits, forensics log management and reporting, elasticity and load tolerance testing, advanced cyberattack prevention measures and advanced cloud security analytics.

Resilience and control

Effective governance and control is integral to business success and growth. A risk-managed company is more resilient to market and situational change. The culture and practice of risk management and control has to come from the top down, permeating the organization’s entire operations. As well as defining and enforcing the policies for complete cloud implementation across all instances and cloud providers, the GRC framework should also serve as the template against which future providers can be evaluated.

With a GRC framework on cloud, businesses can expect enhanced information security, compliance and risk management, the highest levels of reliability and operational control and continuous transparency and confidence. Business continuity will be robust with disaster recovery measures in place. Also, regulatory mandates will be complied with.

GRC on the cloud is a way of ensuring security risks are completely understood, and that management through manual processes and firefighting in the event of an incident are avoided. It is also a way of smoothly managing change when business decisions require it.

The right GRC approach will support informed decision-making and ongoing management, putting your business in a better position to reduce risk and to realize the benefits of cloud in enhancing business performance.

By Vidya Phalke, Chief Technology Officer at MetricStream

Kayla Matthews

40% of Organizations Are Leaving Office 365 Data Vulnerable

Office 365 Data Vulnerable Microsoft Office 365 is a popular platform for individuals and organizations alike. But, recent research shows many organizations are apparently too ...
Karen Gondoly

You Don’t Need Cloud Desktops, You Need Cloud-Based VDI. Here’s Why

Cloud Desktops / Cloud-Based VDI Virtual Desktop Infrastructures (VDI) have been around for a while. As an example, VMware started selling their first VDI product ...
Matt Holleran

Cloud Marketplaces Give Startups A Leg Up – Part 2

Cloud Marketplaces In my last post, Cloud Platforms, Marketplaces, and Startups Part One, I examined the proliferation of partner ecosystems within the cloud software business, ...
Or Lenchner

Destination IPPN: why the travel sector must harness a global IP proxy network

Destination IPPN While massive growth in the travel sector has been predicted, the digital environment has also massively upped competition amongst service providers, keen to ...
Johan

Why the digital infrastructure is a matter of national interest!

Digital Infrastructure National Interest When the Internet was born, it promised a form of democracy and guarantee that everybody could be part and setup their ...
Dan Saks 1

How to Transform to Succeed in the Digital Economy

Succeed in the Digital Economy In today’s increasingly competitive business climate, companies must put digital technologies at the core of their operations. In order to ...
Steve Prentice

Cloud-Based Financial Software Reinforces the 80/20 Rule of Business Management

Cloud-Based Financial Software Sponsored by Sage 50cloud Small businesses are known for being innovative and customer-focused in a way that their larger competitors cannot. This ...
Mark Kirstein

BitTitan Cloud Predictions and IT Migration Trends

IT Migration Trends The beginning of a new year is an ambitious time for people and businesses. Strategic initiatives are finalized, goals are set and ...
Dan Saks 1

How the Cloud Will Transform in the Next Decade

Transformative Cloud Silicon Valley is easy to stereotype: the gadgets, the startup perks, the culture and mentality. However, the real reason Silicon Valley captures headlines ...
Kaylamatthews

What You Need to Know – IoT and Real-Time Operating Systems

Real-Time Operating Systems A real-time operating system, or real-time OS, appears to execute tasks while using a single processing core simultaneously.  However, what's really happening ...