Adopting A Cohesive GRC Mindset For Cloud Security

46shares

Cloud Security Mindset

Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and integrity of their operations. Cloud implementation is sometimes built up over time in a business, while the technology and cybersecurity around it constantly evolves. This can lead businesses to finding themselves with a fragmented approach to cloud control and security, and this needs to be avoided through the implementation of a cohesive governance, risk and compliance (GRC) framework.

cloud services are big business. In 2019, IDC predicts that worldwide spending on public cloud services will be $141 billion while last year, Amazon Web Services achieved net sales of $7.88 billion. Businesses get on board with cloud to perform better, to meet targets and objectives by being leaner, faster and more cost-effective.

Cloud helps businesses minimize the capital investment and maintenance costs of hardware and infrastructure. It supports rapid Scaling up and down as needs dictate and brings elasticity to business operations, facilitating the addition and removal of user access more quickly and easily. Project deployment with cloud can be a more agile and faster affair. Efficient business operations are supported through improved access and information retrieval, while disaster recovery measures include robust backup and controls.

Being clear on risk

In the early days of cloud there were security concerns. It seemed to follow that assets residing ‘somewhere else’ were more at risk. Ownership and control of infrastructure gives a perception of security. However, the walls of a data center can be vulnerable to professional hackers, therefore it doesn’t automatically follow that infrastructure ownership provides greater security.

Cloud is a service based delivery model typically involving an infrastructure provider, a platform provider and a software provider. While service procurement of an IT solution delivers some benefits it also comes with some of its own risks. These include shared technology issues, the risk of insufficient due diligence and service reliability. And of course, it cannot be immune to the threat of data breaches and other potential security issues or data loss.

Clarity on the division of labor between company and service provider is an essential first checkpoint of a robust cloud service model – what are you responsible for? What is the service provider? This covers situations that include incident handling and virus infection on storage. Who manages such situations, should they arise, depends on the chosen service model. And this needs to be completely clear and transparent – there is nothing more valuable to a business than its data; its protection can’t be only half understood, governance around all aspects is essential.

Secure cloud service provision

The right cloud architecture is a second critical consideration. Virtualization was the first phase of cloud adoption now, isolation of data is also an imperative. While we saw multi-tenant solutions adopted first, the call is now for multi-instance to guarantee separation of company data. This is important because some regulation requires proof of data segregation and it also provides greater flexibility with faster implementation of changes.

A cloud solution should also provide federated identity management so that the business has control over the access its users and devices have. As users move around in the organization the system needs to be resilient to managing segregation of duties.

For continuous security assurance, quarterly or monthly testing is not enough. Real-time dashboards are needed and should be a part of the service model.

Cloud service providers are now adopting industry standard GRC solutions that include segregation of duties, change management, continuous monitoring and reporting and analytics. For best practice secure cloud implementation, businesses should start with a robust GRC framework, assess cloud service providers meeting industry standards against that framework, and then ensure governance and control through service level agreements and continuous monitoring.

The GRC framework

For a single source of truth on regulatory compliance, security and control, the company’s GRC framework should apply across the complete cloud infrastructure and cover:

Continuous system controls monitoring – as business data and applications are mission critical
Penetration testing and audit management – conducted to a defined schedule
Incident response management – this is the norm with internally controlled assets and there should be no difference with cloud implementation. The process needs to detail response activities that kick-in immediately in the event of a security problem
Compliance controls testing – the specifics of this will depend upon the industry as particular requirements will apply in the likes of healthcare and finance
Disaster recovery and business continuity – this is about more than demonstrating disaster recovery on paper, the theory needs to be tested through disaster recovery operations
Onsite and offsite backup audits – on a regular basis.

In addition, a comprehensive GRC framework will also cover data encryption audits, forensics log management and reporting, elasticity and load tolerance testing, advanced cyberattack prevention measures and advanced cloud security analytics.

Resilience and control

Effective governance and control is integral to business success and growth. A risk-managed company is more resilient to market and situational change. The culture and practice of risk management and control has to come from the top down, permeating the organization’s entire operations. As well as defining and enforcing the policies for complete cloud implementation across all instances and cloud providers, the GRC framework should also serve as the template against which future providers can be evaluated.

With a GRC framework on cloud, businesses can expect enhanced information security, compliance and risk management, the highest levels of reliability and operational control and continuous transparency and confidence. Business continuity will be robust with disaster recovery measures in place. Also, regulatory mandates will be complied with.

GRC on the cloud is a way of ensuring security risks are completely understood, and that management through manual processes and firefighting in the event of an incident are avoided. It is also a way of smoothly managing change when business decisions require it.

The right GRC approach will support informed decision-making and ongoing management, putting your business in a better position to reduce risk and to realize the benefits of cloud in enhancing business performance.

By Vidya Phalke, Chief Technology Officer at MetricStream

Vidya Phalke

Vidya Phalke is responsible for MetricStream’s technical architecture and strategy. Prior to being promoted to the CTO position, Vidya served as Vice President of Product Management and Engineering where he was responsible for MetricStream’s Software Products and Platform Delivery. Starting with MetricStream in 2003, Vidya has been instrumental in developing an industry-leading GRC software platform. Before joining the software industry, Vidya earned a PhD in Computer Science from Rutgers University, where he won two Small Business Innovation Research grants for his research on databases and network optimization.

www.metricstream.com/

THOUGHT LEADERS

The Need for Experts Goes Beyond AI

The Need for Experts The explosion in AI technologies has brought with it clear concern that easy answers and intelligent copywriting are now the domain of machines. This has led to the question of whether ...

Accelerating the AI Pipeline with Optimized Software

In 2030, AI will likely contribute around $15.7 trillion to the global economy. Organizations that invest significantly in AI and leverage practices that accelerate and scale AI development have been shown to gain the highest ROI from AI ...

How to Enable Successful Remote Work Strategy with AI

How AI Is Important for Businesses Shifting to Remote Work The Coronavirus Pandemic has taught us that organizations must have remote work choices. It is no longer possible to work in a digital environment. The ...

3 ways AI can create a more equitable future for food distribution

More equitable future for food distribution with AI At best, only 70% of food gets used in the United States. The rest goes to waste. Although devastating, the good news is this massive waste of ...

Sustainable Solutions for the Data Center: Net Zero Emissions Designs

Net Zero Emissions Designs Sustainability has become an increasingly frequent topic of discussion for data center operators, with many pledging to be carbon-free as soon as 2030. But are these commitments a response to the ...

Get Smarter

Whether you're just starting out in the online industry or looking to take your skills to the next level, Get Smarter eLearning platform is the perfect choice for you. Sign up today and start your journey towards online success!

Use code LEARN15 to enjoy 15% off all courses.