Managing risk and compliance throughout your cloud journey

Oct 22, 2018

At this point, almost every company has used the cloud to move applications and business systems off premises and into external data centers. Managing risk and compliance in a cloud environment, however, requires new skills and a broader perspective than traditional risk management activities. Many cloud risk and governance frameworks either lag well behind the current capabilities of the major cloud platforms or fail to address the differences between cloud and on-premises controls, leaving gaps that become vulnerabilities.

The cloud can be an extremely beneficial solution, but it is also broad and complex, and it means different things to different people. It also changes constantly as providers add new features and services. Organizations accept the risk of moving to the cloud and build controls around the products and services available at that time, but many never periodically reevaluate those controls. Teams then adopt new features that were never part of the original risk assessment, and the organization is exposed to risk it has not accepted or controlled.

The cloud consists of three different service models, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), and each carries distinct risks because the division of responsibility between provider and customer differs. In IaaS the customer still configures and patches operating systems, networks and identities; in SaaS the provider controls nearly all of that, and the customer's risk concentrates in data handling, access management and vendor oversight. Many companies develop their governance and controls, or risk frameworks, around one specific model and assume they have addressed all three. The specific model in use, IaaS, PaaS or SaaS, together with any regulatory demands, should dictate what controls are in place.

In addition, many companies assume their cloud risks are covered because they have a contract with a vendor, a vendor management process, or a System and Organization Controls (SOC) report. These processes concentrate heavily on information security, because that is the area with the most inherent risk. But a SOC report only attests to the provider's controls, within the scope and period the report states; it says nothing about how the customer has configured and is using the service. With attention limited to five or six information security control areas, companies lose sight of managing what they actually have in the cloud and of other key risk areas. A more holistic approach is necessary to manage cloud risks effectively.

Moving applications or services to a virtualized, provider-operated environment is a consequential decision for most businesses, and it departs from the traditional view of how a company controls its own operations. Rarely is anyone within a company an expert in this model, so organizations must take care not to expose themselves to additional risk during the transition.

Building a more effective cloud risk and compliance framework

Organizations can take several steps to understand how cloud solutions align with compliance demands while managing risks involved with cloud platforms.

Start early

Many organizations attempt to manage cloud risks only after they have implemented a solution, reverse engineering and bolting on controls as risks become apparent. If instead you build your cloud solution with a compliance and risk mindset up front, you will likely carry less risk, operate more efficiently and build more effective relationships with providers and business partners.

Gather input from key stakeholders

A truly compliant and secure cloud framework requires input from three key business functions, procurement, information technology (IT) and information security, working in conjunction with your business lines. Many organizations instead implement a cloud risk and governance program driven by only one of those functions or by a single business line. IT, for example, is frequently left out of cloud risk conversations altogether, even though it is responsible for designing cloud solutions and transitioning data and applications and should therefore be a central participant.

When IT is left out of the conversation about controls and cloud architecture, the resulting solution is unlikely to work effectively. When information security is not involved, the right controls and policies are difficult to define and implement. Many companies rely solely on procurement to limit their cloud risk, incorrectly assuming that the contract with the cloud provider covers it.

When the line of business that depends on the cloud solution is not involved, IT may not design and transition data and applications properly, and information security may not protect the data adequately. Without input from all three functions, nobody is managing overall risk; each group manages only its own slice.

Start with a standard

When you are implementing a cloud solution, begin with an established framework to guide your risk practices. Several are available, such as the Federal Risk and Authorization Management Program (FedRAMP) and Control Objectives for Information and Related Technologies (COBIT), and many align with specific industry compliance requirements. Such a standard gives you a structured, holistic view of the risks associated with the cloud rather than a list assembled from whatever issues have already surfaced.

Ultimately, a shared taxonomy and a consistent governance model are what make risk and compliance manageable at scale. Large, multinational organizations have recently struggled with cloud program governance and design that varies from country to country and region to region, leading to significant vulnerabilities and risk exposures. Starting with a standard forces your organization to adhere to one established framework everywhere and helps you understand the risks you face.

Incorporate the cloud into standard audits

Many organizations use integrated audits to evaluate the risks within key business applications. In the past, the core infrastructure controls that those audits relied on lived in the organization's own data centers, where they could be examined and managed directly. With the cloud, that infrastructure sits in an external data center outside your organization's direct control.

When using the cloud, your audits must therefore examine the new cloud components explicitly, or the organization is left with a large, unreviewed exposure. Depending on your cloud solution, the components to add may include mobile device management, identity and authentication, and encryption, all areas that, on premises, would have been covered by separate, more traditional infrastructure reviews rather than by the application audit itself.

Get the right help

As noted above, many middle market companies do not have the skills in-house to properly identify and manage cloud risk and compliance challenges. In those situations, an experienced advisor can provide supplemental resources and advice throughout your cloud journey, from technical insight into how the cloud is evolving to IT governance and compliance.

In addition, some advisory providers have developed cloud risk frameworks based on established cloud standards. These models define specific domain areas that evaluate different facets of your organization, providing a holistic view of your cloud risks. Some are also modular, so they can be adapted to address a specific industry or international compliance demand.

The cloud is unlike any other solution, and unlike any other technical audit, that your organization has previously undergone. Many stakeholders in different places must be engaged to remain secure and compliant, because the platform keeps changing. Before transitioning data and business applications to the cloud, make sure you understand your risk and compliance environment and have the right level of support to avoid potentially harmful exposures.

RSM contributors

  • Carrie Furr
