A lot has been written about cloud computing and the benefits it provides in terms of agility in deploying technology and also in terms of cost savings. A great deal has also been written about security, privacy, compliance, and resilience, both in support of cloud and in pointing out problems. Very little has been presented in terms of governance. Mostly, cloud discussions have been focused on tactical and management aspects of cloud rather than starting with governance considerations.
Demystifying cloud computing (what it is) will also require clarifying what the governance considerations are. Cloud is often described from the vantage point of the supplier rather than the subscriber. Cloud is defined in terms of how it is offered: as an infrastructure, a platform, or a service. Cloud is also described in terms of where it is deployed: internally, externally, or in a hybrid model.
One thing for sure is that the cloud computing trend is putting pressure on the traditional IT governance processes to adapt.
In general, the strategic direction of the business and IT is the main focus when considering the use of cloud computing. Ensuring that IT is aligned with the business, systems are secure, and risk is managed is challenging in any environment and even more complex in a third-party relationship. Typical governance activities such as goal setting, policy and standard development, defining roles and responsibilities, and managing risks must include special considerations when dealing with cloud technology and its providers.
The cloud presents many unique situations for businesses to address. One large governance issue is that business unit personnel, who previously were forced to go through IT, can now bypass IT and receive services directly from the cloud. Therefore it is paramount that information security policies address uses for cloud services.
Organizations will obtain the benefits they expect if they have a mature governance structure. Cloud is no different from any other technology deployment. Organizations can adapt to technology and business change if there is a clear strategy, a structure of policies and standards, clear responsibilities and accountabilities, and an integrated approach to risk management that accounts for operational and technical risks.
An effective and efficient governance system is a system that facilitates the creation of an acceptable value to the various stakeholders using limited resources in a responsible way and at an optimal, or acceptable, level of risk to the various stakeholders.
Governance objectives are defined as value creation, management of risks, and optimization of resources for achievement of enterprise goals.
Cloud Governance Considerations
- Who should be responsible for assuring cloud security? If not already part of the business's governance or system development life cycle process, the move to cloud computing essentially dictates that a company information security officer or director be included in all further governance and system development life cycle processes.
- Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to achieve their strategy? Will it impact the relationship between organization business units, IT, and governance professionals in aligning IT, risk management, and compliance with the organization's strategy? A more refined look at governance and cloud computing is needed, examining organization strategy and strategy alignment.
- Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to manage operational and technical risk? Will the drive for quicker deployment and reduced costs impact the ability of security and audit professionals to protect organizations? Will the reliance on service providers provide for a better or reduced understanding of what the risks to the business are?
- Will the adoption of cloud computing by organizations positively or negatively impact the ability of organizations to create value by using their resources (technology, infrastructure, and people) in an optimal manner? Will the drive for quicker deployment and reduced costs impact resource value?
- What questions should executives and board members consider when they are beginning to contemplate a movement to the cloud or planning to utilize cloud infrastructures, platforms, or services to support the organization?
Our questions should encompass governance in terms of strategy, risk, and resource. We need to make sure that we address proper governance considerations.
Assurance Considerations for Cloud Computing
There are many challenges for the assurance providers. What can be done to improve the assurance professionals' ability to provide direct and indirect users of cloud computing with trust in the software services and infrastructure that make up the cloud?
Some of the key assurance issues that need to be addressed are:
- Transparency: Service providers must demonstrate the existence of effective and robust security controls, assuring customers that their information is properly secured against unauthorized access, change, and destruction. Key questions to decide are: How much transparency is enough? What needs to be transparent? Could transparency itself aid a malefactor? The key areas where supplier transparency is important include: Which employees (of the provider) have access to customer information? Is segregation of duties between the provider and its employees maintained? How is different customers' information segregated? What controls are in place to prevent, detect, and react to breaches?
- Privacy: With privacy concerns growing across the globe, it will be imperative for the cloud computing service providers to prove to existing and prospective customers that privacy controls are in place and demonstrate their ability to prevent, detect, and react to breaches in a timely manner.
- Compliance: Most organizations today must comply with a litany of laws, regulations, and standards. There are concerns with cloud computing that data may not be stored in one place and may not be easily retrievable. It is critical to ensure that if data are demanded by authorities, they can be provided without compromising other information.
- Trans-border Information Flow: When information can be stored anywhere in the cloud, the physical location of the information can become an issue. Physical location dictates jurisdiction and legal obligation. Country laws governing personally identifiable information (PII) vary greatly. What is allowed in one country can be a violation in another.
- Certification: Cloud computing service providers will need to provide their customers assurance that they are doing the right things. Independent assurance from third-party audits and/or service auditor reports should be a vital part of any assurance program.
While cloud computing is certainly poised to deliver many benefits, information security and assurance professionals should conduct business impact analyses and risk assessments to inform business leaders of potential risks to their enterprise. Risk management activities must be managed throughout the information life cycle and risks should be reassessed regularly or in the event of a change.