February 20, 2017

5 Recommendations for Effective Governance, Risk and Compliance Management

By Vibhav Agarwal

Effective Governance, Risk and Compliance Cloud adoption continues to grow, which is evident from the fact that annual 2016 revenues for cloud vendors were “within touching distance” of $150 billion. Gartner also predicts that, a corporate ‘no-cloud’ policy will be as rare by 2020 as a ‘no-Internet’ policy is today. However, a ‘’cloud-ready’ security and […]

Effective Governance, Risk and Compliance

Cloud adoption continues to grow, which is evident from the fact that annual 2016 revenues for cloud vendors were “within touching distance” of $150 billion. Gartner also predicts that, a corporate ‘no-cloud’ policy will be as rare by 2020 as a ‘no-Internet’ policy is today. However, a ‘’cloud-ready’ security and compliance program is the need of the hour, to manage the risks and the complexities due to cloud adoption. This will enable organizations to face cloud challenges which, according to RightScale’s 2016 State of the Cloud Report include compliance with regulations, a lack of resources and expertise, governance and control and security. Although a challenge mainstay, confidence in cloud security is nonetheless rising; SkyHigh Networks points out that 65 percent of IT leaders think the cloud is as secure, or more secure, than on-premises software.

To maximize the benefits of cloud deployments while mitigating the risks, companies need to prioritize a cohesive approach to governance, risk management and compliance (GRC). A cloud governance framework can automate cloud security, risk, and compliance workflows, enable stakeholder reporting and visibility, and ensure best practices and standards for cloud compliance.

With that in mind, here are five recommendations for ensuring a proper governance, risk and compliance framework for cloud assets and operations:

1. Improve cloud asset / service visibility

An essential first step is to understand the scope of cloud services in use within the organization and gain visibility into the whole cloud environment. IT and infrastructure managers need to have a complete picture of the processes running on cloud deployments, the underlying assets and their ownership within the organization both from an IT and business standpoint. While they may seem intuitive, alarmingly, the 1H 2016 Shadow Data Report states that organizations use 841 cloud apps on average – an astonishing 20 times more than they thought they did. Organizations also need a well-defined policy to deploy, manage and run the cloud applications and categorize the sensitivity of the data held to ensure that requisite controls are in place to manage the data.

2. Assess the cloud service provider (CSP) continuously

Businesses always have the thought of losing control on application and infrastructure while deploying an application on the cloud. Assessing and creating a working relationship with the cloud provider based on a mutually agreed framework is very important. The organizations must select a cloud provider who can demonstrate validation of controls including network security, physical datacenter security as well as a standard audit framework conforming to applicable regulatory standards.

Gartner recommends that organizations need to address several key issues when selecting a cloud hosting provider, which include access privileges, regulatory compliance, data provenance, data segregation, data recovery and business continuity.

To gain a complete understanding of the CSP environment, organizations should also ensure that there is no ‘insufficient due diligence’, which Cloud Security Alliance (CSA) rates as one of the ‘notorious nine cloud computing top threats, and establish a due-diligence framework to monitor the cloud service provider performance on a continuous basis.

3. Assign business ownership and accountability for critical cloud assets and services

Organizations should understand the importance for an effective governance function within the cloud environment. The cloud assets, cloud services, business objectives, business processes, policies must be documented, along with their operational relationships. These processes and policies must be accountable, clearly assigned and consistently understood throughout the business.

Also, it is of utmost importance to establish accountability when customer information is intertwined with that of the cloud service provider. This includes logical separation of your data sets from those of the other customers / users, defining SLAs on both sides and categorizing the services consumed.

4. Know the cloud threat landscape and evaluate risks

Inevitably, there are risks with cloud environments as there are with all storage and retrieval systems, both electronic and manual. Businesses must understand the cloud threat landscape, effectively evaluate and mitigate risks and protect themselves and their interested parties from exposure.

The likelihood of threats rarely lessens, but threats do change in nature and for this reason companies should be continually alert and abreast of latest developments. SkyHigh Networks revealed, in its Q4 2016 Cloud Adoption and Risk Report that the average company experiences over 23 cloud-related security incidents each month. Yet, despite this, a different study – the 2016 Global Cloud Data Security Study from Gemalto and the Ponemon Institute – discovered that 54 percent of respondents didn’t agree that their companies have a proactive approach to managing security and complying with privacy / data protection regulations for the cloud. Therefore, it is imperative that organizations prepare for security threats to the cloud before becoming a victim.

Effective Governance, Risk and Compliance

5. Leverage standard risk / control frameworks to assess compliance

Businesses should assess cloud compliance with regard to security, privacy practices and policies. Among the most well-known risk and control frameworks are best practices is the Cloud Security Alliance (CSA)’s GRC stack, which provides a toolkit to assess private and public clouds against industry standard best practices and compliance requirements.

Others include the CSA’s ‘Treacherous Twelve’ Cloud Computing Top Threats, ISACA’s cybersecurity Threats and Controls, the National Institute for Standards and Technology (NIST)’s Framework for Improving Critical Infrastructure Cybersecurity, ISO/IEC 27017, ISO/IEC 27018 and the Center for Internet Security (CIS)’s Critical Security Controls.

Leveraging industry standards provides a level of assurance that best practices are followed both by the organization and by cloud Service Providers.

Businesses can achieve enhanced information security, compliance and risk management as well as reliability, operational control and transparency with effective implementation and extension of the GRC framework to their cloud assets and operations. Adhering to best practices and standards will deliver informed decision-making and ongoing management, placing the business in a better position to reduce risk and realize the benefits of the cloud in enhancing business performance.

By Vibhav Agarwal

Vibhav Agarwal

Vibhav Agarwal is the Director, Product Marketing at MetricStream.

Vibhav has 11+ years of progressive experience in Enterprise product marketing, sales management, ERP & CRM program planning and delivery, software vendor selection and implementation across Hi-Tech, Trading & Capital Markets and Internet domains. Worked extensively in various roles dealing with multinational conglomerates as well as mid-sized companies like Info Edge India, in deals ranging between 0.5-30 million USD. Exposure to all stages of product and IT applications, sales & marketing, product management, and enterprise implementations.

5 Azure Cost Management Strategies

What Is Azure Cost Management? Azure cost management refers to the practices and processes that [...]
Read more
Steve Prentice

Get Smarter – The Era of Microlearning 

The Era of Microlearning Becoming employable and then staying employable requires ongoing, up to date [...]
Read more
Katrina Thompson

Why Zombie APIs are Such an Important Vulnerability

Zombie APIs APIs have a lifecycle, the same as anything else. They are born, they [...]
Read more

A.I. is Not All It’s Cracked Up to Be…At Least Not Yet!

Exploring AI’s Potential: The Gap Between Aspiration and Reality Recently Samsung releases its new Galaxy [...]
Read more

Azure Free Tier vs. AWS Free Tier: Which Provides More Value?

Cloud computing has become a cornerstone for the digital transformation of businesses. From startups to [...]
Read more
Metasploit-Penetration-Testing-Software-Pen-Testing-Security

Leading Cloud Vulnerability Scanners

Vulnerability Scanners Cyber security vulnerabilities are a constant nuisance and it certainly doesn’t help with [...]
Read more

SPONSORS

Interviews and Thought Leadership

Algirdas Stasiūnaitis

The Future of Cybersecurity: Insights from Cyber Upgrade’s Founders

AI and Cybersecurity: Innovations and Challenges In the rapidly evolving landscape of technology, where artificial intelligence and cybersecurity shape the future of our digital world, CloudTweaks is pleased to present [...]
Read more
Randy

Karen Buffo, CMO of MixMode, on the Rise of AI in Safeguarding Digital Assets

Welcome to our Q&A session with Karen Buffo, CMO of MixMode, hosted by CloudTweaks. Today, we’ll explore the profound impact of generative Artificial Intelligence (AI) on cybersecurity. As AI takes [...]
Read more

Navigating Tomorrow: AI and Big Data as Catalysts for Smarter Governance

The Future of Governance In a world increasingly shaped by big data and artificial intelligence (AI), it’s curious why these [...]
Read more

Leveraging Artificial Intelligence in Insurance Claims Analytics Software Development

Enhancing Insurance Claims Analysis with AI Technology Nowadays, digital technology affects all aspects of our everyday lives, and the insurance [...]
Read more

Embracing Governance to Navigate 2024’s Tech Trends

Mastering Governance Strategies for Success The start of a new year is a fitting time for goal-setting, and IT managers [...]
Read more

SPONSOR PARTNER

Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.