Governance & Risk Management in the Cloud

Governance and Risk management are some of the most important aspects of any business, irrespective of the fact whether you are running your applications (business) in the cloud / on-prem or even space. All businesses need to be governed and risks faced have to be managed. In the cloud context, there are some changes that get introduced in the way businesses govern and manage the risks associated with it. 

For security professionals, cloud computing impacts four areas of governance and risk management:

  • Governance
  • Enterprise Risk Management
  • Information Risk Management
  • Information Security

Governance mainly deals with the policies and procedures that focus on how an organization performs its operations. This includes day to day tasks to its strategic decisions. Policies influence the organization’s decision making and risk tolerance.

Enterprise Risk Management includes managing the risks ( financial . political, regulatory, cybersecurity, etc.) faced by an organization.

Information Risk Management deals with risks to information especially focussing on the CIA triad of information security.

Information security refers to controls that have been put in place to secure information.

Bring in the cloud and all these aspects of governance and risk management get affected. With the cloud, you introduce a provider that manages (stores/processes) your data at a data center that you are not allowed to visit. Even if there is a breach at the cloud provider’s end, your organization remains legally liable for any losses associated with the breach. Hence the cloud customer needs to keep a close tab on the governance gaps and associated risks.

Tools to Ensure Cloud Governance

Contracts - A legal agreement between the cloud customer and provider is the best way to ensure that SLAs are met, financial considerations in case of a breach, roles, and responsibilities clearly identified, remediation measures available with either party, etc. Understand that as a cloud security professional, your role will be limited in the contract negotiation, but it is imperative that you highlight all the positive and negative aspects of the cloud to the management. 

Supplier (cloud provider) Assessments & Compliance Reporting - This is not like the age-old assessment which a security professional can perform in their own organization’s backyard and identify all the gaps and risks faced by the organization. No cloud provider allows it. As a security professional, you will have to rely on the assessment performed by third parties against various regulatory standards and best practices. ISO 27001, ISO 22301, ISO 27017, SSAE 18, PCI DSS, etc. are a few examples against which the cloud provider will get themselves assessed. Most cloud providers provide summary reports on their websites to showcase that they are compliant with such standards to instill confidence in the mind of the cloud customer. In the case of the cloud, we have to contend with such assessments, we must demand the maximum possible from the cloud provider. For ex- Most cloud providers are reluctant to share the SOC2 audit reports as it is a detailed report that details the assessment results of various control objectives. They will share the SOC3 report that is a summary report. Before signing a contract, the cloud customer must push for a detailed report, even if it entails signing an NDA with the cloud provider.

The cloud customer needs to be vigilant in every deployment model and needs to bring in various governance mechanisms at its own level with the level of information available in the cloud deployment model and service model. In addition to it, develop a Cloud Governance Framework/Model as per relevant industry best practices, global standards, and regulations like CSA CCM, COBIT 5, NIST RMF, ISO/IEC 27017, HIPAA, PCI DSS, EU GDPR, etc.

Comments

You may also like to read...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

Identification, Authentication, Authorization, and Accountability

How to Pass SSCP Exam in the First Attempt

The Endorsement Process - CISSP, SSCP & other (ISC)2 certifications