At this point, almost every company has used the cloud to move applications and business systems off premises and into external data centers. Managing risk and compliance in a cloud environment, however, requires new skills and a broader perspective than traditional risk management. Many cloud risk and governance frameworks either lag well behind the pace of change in the cloud platforms themselves or do not account for the differences between cloud and on-premises environments, leaving gaps that attackers can exploit.
The cloud can be an extremely beneficial solution, but it is also very broad and complex, and it means different things to different people. It is also constantly changing as providers add new features and functionality. Organizations accept the risk of moving to the cloud and build controls around the products and services available at that time. But many never revisit that assessment, so features and services adopted after the initial review, which may expose the organization to risk the original controls never anticipated, go unexamined.
The cloud consists of three service models, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), and each carries distinct risks, because each shifts a different share of the responsibility for securing the stack between the provider and the customer. Many companies build their governance, controls and risk frameworks around one of these models and assume they have covered all three. The specific model in use, along with any regulatory demands, should dictate which controls are in place and who is accountable for operating them.
In addition, many companies assume their cloud risks are covered because they have a contract with a vendor, a vendor management process, or a System and Organization Controls (SOC) report. These processes concentrate heavily on information security, because that is the area with the most inherent risk. But a SOC report describes the provider's controls, not how the customer uses the service, and by focusing on only five or six information security control areas, companies can lose sight of managing what they actually have in the cloud and of other key risk areas. A more holistic approach is necessary to manage cloud risk effectively.
Moving applications or services to a virtualized environment is a consequential decision for most businesses, and it represents a departure from traditional views of how a company controls its operations. Rarely is anyone within a company an expert in this model, so organizations must take care not to expose themselves to additional risk when transitioning to the cloud.