Cloud Solution Governance and Oversight Consulting
Cloud computing is an operational model and set of technologies for managing shared pools of computing resources that has the potential to enhance collaboration, agility, scaling, and availability. From a business perspective, cloud computing is attractive because of the opportunities for cost reduction through scalability, flexibility, and limited capital investment requirements. Cloud Service Providers (CSPs) leverage economies of scale to manage costs and enable capabilities. This means creating highly standardized services (including contracts and service level agreements) that are consistent across all customers.
Cloud computing affects risk governance, management, and oversight. The key to the success of cloud solutions is establishing clear, documented responsibilities between the company and the CSP. The primary point to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers. Cloud computing changes the responsibilities and mechanisms for implementing and managing governance. Responsibility is shared between the cloud customer and the cloud service provider. A general model for risk management/control responsibilities is as follows:
Ultimately, responsibilities and mechanisms for governance are defined in the contract. There are no predefined mandates or uniform contracts across the industry; each contract is different, so each set of rights and responsibilities varies according to what the customer and provider negotiate. If an area of concern is not in the contract, there is no mechanism available to enforce it, and a governance gap exists.
According to the Gartner report "Clouds Are Secure: Are You Using Them Securely?", published September 22, 2015:
“Through 2020, 95 percent of cloud security failures will be the customer’s fault.”
Cybersecurity Risk Categories
The following six major risk categories should be included in any cloud risk governance and oversight assessment:
Data Security
Data security risk can be associated with loss, leakage, or unavailability of data. This can cause business interruption, loss of revenue, loss of reputation, or failure to meet regulatory compliance requirements. Specific data risks that require evaluation include:
Increased complexity of access controls and security groups due to involvement of CSP personnel in the actual provisioning processes
Lack of visibility into controls over initiation, authorization, recording, processing, or reporting of transactions
Unauthorized data access by a service provider and/or less control over who sees what data
Data leakage or access risks due to multitenancy/shared infrastructure between different organizations
Lack of flexibility over data protection mechanisms, such as encryption and implementation of specific controls by data type
Lack of visibility into the controls over configuration, analysis, and retention of security event logs and audit trails
Improper reliance on CSP security operations processes for the identification, investigation, and, if required, incident response to suspicious activities
Regulatory
Regulatory risk is associated with noncompliance with various national/geographic regulations, industry, or service specific legal and regulatory requirements. According to the Cloud Security Alliance survey The Cloud Balancing Act for IT: Between Promise and Peril, the primary obstacle to moving systems of record to the cloud noted by 67.8 percent of companies was the ability to enforce established security policies when operations are migrated to a cloud service provider.
Technology
Technology risk can be associated with constantly evolving technologies and lack of standardization in how they integrate or interoperate. Technology risks could lead to costly re-architecture efforts for adoption or integration with new technology. Specific technology risks which may behave differently in a cloud solution include:
Increased velocity of technology change and deployment might require the organization to upgrade or rearchitect its computing resources and retrain its technology support staff to maintain connectivity and interaction with the CSP environment
Increased potential for human error due to the number of configurable points and frequency of deployments.
Constantly evolving technology features might require the organization to rearchitect its cloud applications much more frequently compared to mature technologies.
Failure to leverage advanced security capabilities offered by the CSP for free or at a nominal cost
Limitation on what and how much an organization can customize (infrastructure, platform, or applications), depending on which service model the organization is using
Limitations on compatibility with other cloud providers
Limitation on technology and related tool choices allowed within the environment
Each public cloud solution vendor typically offers its own administration console. With the rapid rise in the number of Software as a Service (SaaS) solutions in use at organizations, administering them is becoming an increasingly daunting task because there is no single, consolidated management dashboard.
Operational governance
The operational governance principle consists of two cost-cutting measures - identifying and terminating unused “zombie” assets, and scheduling stop/start times for non-production instances used in development, testing, staging, and QA. Specific operational risks the organization should actively manage include:
Suboptimal service reliability and uptime
Lack of a customized service level for different IT services, which might require the organization to choose the closest acceptable service level, including those related to application availability and disaster recovery
Less control over quality of service
Reduced control on critical application availability and disaster recovery
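As an added illustration, not part of CTSA's material, the following Python script applies the two operational governance measures described above to a constructed instance inventory: it flags "zombie" assets that have no recorded activity or have been idle past a threshold, routes non-production zombies for termination and production zombies for owner review, and estimates the weekly cost avoided by running the remaining non-production instances only during business hours. The inventory records, the 30-day idle threshold, and the 10-hour weekday window are assumptions made for this example.

```python
from datetime import datetime, timezone

# Constructed sample inventory for this example (not real assets): one record per instance.
INVENTORY = [
    {"id": "i-001", "env": "prod",    "last_activity": "2024-03-01T10:00:00Z", "hourly_cost": 0.40},
    {"id": "i-002", "env": "dev",     "last_activity": "2024-01-05T08:00:00Z", "hourly_cost": 0.10},
    {"id": "i-003", "env": "qa",      "last_activity": "2024-02-28T17:30:00Z", "hourly_cost": 0.20},
    {"id": "i-004", "env": "staging", "last_activity": None,                   "hourly_cost": 0.15},
    {"id": "i-005", "env": "prod",    "last_activity": "2023-12-01T00:00:00Z", "hourly_cost": 0.80},
]

# Assumed evaluation time so the example is deterministic.
NOW = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)

# Environments the policy treats as non-production (assumed tag values).
NON_PROD_ENVS = {"dev", "test", "staging", "qa"}
HOURS_PER_WEEK = 7 * 24


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def idle_days(instance, now):
    """Whole days since the instance last showed activity; None if never recorded."""
    last = parse_ts(instance["last_activity"])
    if last is None:
        return None
    return (now - last).days


def is_zombie(instance, now, threshold_days=30):
    """A zombie has no recorded activity at all or has been idle at least threshold_days."""
    days = idle_days(instance, now)
    return days is None or days >= threshold_days


def weekly_savings(instance, on_hours_per_weekday=10):
    """Cost avoided per week if the instance runs only business hours on weekdays."""
    running_hours = 5 * on_hours_per_weekday
    return round(instance["hourly_cost"] * (HOURS_PER_WEEK - running_hours), 2)


def build_plan(inventory, now, threshold_days=30):
    """Return termination, review, and stop/start-schedule candidates for the inventory."""
    plan = {"terminate": [], "review": [], "schedule": []}
    for inst in inventory:
        if is_zombie(inst, now, threshold_days):
            # Non-production zombies go straight to termination; production
            # zombies are routed to owner review so nobody deletes a live system.
            bucket = "terminate" if inst["env"] in NON_PROD_ENVS else "review"
            plan[bucket].append(inst["id"])
        elif inst["env"] in NON_PROD_ENVS:
            # Active non-production instances get a stop/start schedule instead.
            plan["schedule"].append({"id": inst["id"], "weekly_savings": weekly_savings(inst)})
    return plan


if __name__ == "__main__":
    print(build_plan(INVENTORY, NOW))
```

The split between "terminate" and "review" is the governance point: the cost-cutting measure is automated only where the blast radius is limited to non-production, and production assets that look idle are surfaced to an accountable owner rather than acted on by the script.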
Financial
The financial management governance principles for cloud-based solutions consist of budget policies and cost trend policies. These two policies are closely related to the risk management procedures needed to determine whether budgets are going to be met or if they need adjusting. Specific financial risks requiring evaluation include:
Accurately budgeting the time/effort and initial costs to build/transition to a cloud solution
Procedures for the secure disposal of hardware and software being obsoleted by the transition
Timely, ongoing management of the costs of cloud resource usage, which can escalate as a result of poor planning or poorly defined business requirements.
The company needs to explicitly assign the responsibility for budgeting, tracking, and managing cloud costs.
Vendor
Vendor risk comes from dependence on or association with vendors. Unforeseen vendor circumstances such as bankruptcy, lawsuits, an SEC probe, or any other event that damages the vendor's reputation could significantly damage an organization's own reputation and goodwill. This risk has historically been applied to third-party service providers. With the use of CSPs, procedures need to ensure that adequate controls are in place to comply with the various applicable laws, rules, and regulations.
Why Engage CTSA?
Organizations that are new to cloud computing may not know what to ask for during contract negotiation to ensure adequate insight into the risk management/control structures. Engaging an external consultant with the appropriate core technical competencies and knowledge of cloud operation standards during contract negotiation and cloud migration helps close that gap.
CTSA will provide professional personnel who have extensive cloud security knowledge as evidenced by their Certificate of Cloud Security Knowledge (CCSK) and/or Certified Cloud Security Professional (CCSP) certifications.
CTSA provides cloud risk governance & oversight assessments at the following timeframes during cloud implementation/adoption projects:
Per-implementation consulting during the negotiation and initial deployment phase to ensure the establishment of risk management roles, responsibilities, and reporting activities for the CSP and your organization (the cloud customer)
Periodic assessment of the ongoing oversight activities to verify both internal operations and the CSP are effectively performing their agreed upon roles and responsibilities.
Each organization, and even each contract within an organization, differs in its governance requirements, so it may be necessary for CTSA to work with the client to adapt the approach to the specific engagement so that the risks listed above are managed effectively.