It’s 2019 and cloud computing is the new normal. Companies are shifting core IT operations into the cloud to reduce infrastructure costs, make business operations more efficient and boost enterprise agility. Moving large volumes of data carries risk, but migrating data to the cloud need not be riskier than storing it on premises, provided the same discipline is applied: any insecurely configured environment, in the cloud or on premises, can expose sensitive information if the right processes are not in place and due diligence is not performed.
Increasingly, significant amounts of data are uploaded to the cloud insecurely from various parts of the organization, a particularly risky form of shadow IT because it directly affects consumer privacy, data integrity, cybersecurity and compliance with the obligations attached to all of these. Despite continual publicity around repeated breaches, most organizations still do not have basic housekeeping rules defined and enforced across their whole cloud data estate. As data keeps migrating to the cloud over unsecured channels and without those controls, trust between customers and cloud service providers continues to erode.
Cloud computing is not a new technology. It’s an ongoing evolution of networking, storage, processing and application-based service delivery. The cloud reshapes business and operating models by sharing resources and keeping them readily available. Shared resources help enterprises lower costs, integrate business units, reach broader markets and harvest more meaningful insights. However, new business models, processes and services also create new risks to enterprise information security.
Cloud computing is extremely effective at fueling innovation and agility, as long as it is implemented with proper planning and due diligence. In a growing and crowded market, many products promise to help manage these risks, and choosing the right one for your new cloud business model can be overwhelming. Often these products are not fully mature and prove ineffective because the range of risk management capabilities they offer is too narrow.
As your organization expands its cloud and data ecosystem, there will be more regulations, industry standards and contractual requirements to manage, and each of them will require controls. Frameworks such as the NIST Cybersecurity Framework, NIST SP 800-53 and ISO/IEC 27001 provide a baseline set of controls, but you will need a technology platform to tailor those controls to your ecosystem, monitor compliance and automate as many manual processes as possible.
Putting Your Cloud Process in Place
To transition to the cloud successfully, organizations need an effective process in place for assessing the associated risks. Done poorly, the transition becomes a costly drain on resources (time, money and staff) and can damage your reputation.
Here are the steps to assess cloud risks:
- Planning: The first step is planning. You need to understand your business requirements in their full context. For example, what happens if a data breach occurs, and how will it affect your organization? With the help of an expert, list these kinds of scenarios and their dependencies. Once you understand the context, you can start to evaluate. For instance, if you must collect and process a specific type of data in order to ship products, what risks are inherent in that operation? If you hold highly sensitive data in the cloud, what controls should surround it? What are your residual risks, and what is your risk appetite? This assessment helps you identify which vendors may be right for you.
- Due Diligence: Once initial planning and evaluation are complete, it is time for due diligence. The first component is mapping vendor capabilities to the needs identified during planning. Next, look at controls, costs and value. Thoroughly assessing and accounting for third-party risk is a significant element of due diligence: identify and classify your vendors and inventory the processes and data they touch. Based on this understanding, investigate their ability to adhere to the guidelines you set out for controls, data handling and security. Finally, identify who in your company is responsible for monitoring vendor activities and processes and for documenting follow-through. Procedures for onboarding, transitioning and offboarding vendors are a crucial piece of third-party risk management.
- Implement an IRM Program: Adapting to cloud security risks is a challenge for every kind of organization. Implementing an integrated risk management (IRM) program allows companies to streamline and systematize their management of IT and enterprise risk as well as regulatory obligations. Programs that fully integrate the components of risk management (compliance frameworks, risk assessments and control libraries), supported by governance, risk management and compliance (GRC) solutions, bring order and automation to critical risk activities. This approach helps catch and mitigate risks such as unsecured networks, prevents the unmonitored growth of shadow IT, preserves customer trust and protects valuable digital assets and infrastructure.
Understand Your Risk Picture
Digitally transforming organizations must prioritize effort and attention around integrated risk management (IRM) programs and the GRC solutions that optimize and support them. The capabilities that are enabled by IRM strengthen the entire ecosystem, extending well beyond cloud and data security. Integrated risk and compliance programs optimize vendor and supply chain relations, ease the audit process and ensure organizations can readily adapt to emerging regulations. Moreover, maintaining a more thorough and nuanced picture of enterprise risk leaves companies ready to adopt new technologies and partnerships, and more prepared to handle unexpected disruption and disaster.
As cloud computing, digital processes, third-party reliance and globalization continue to reshape the enterprise, organizations are driven to evolve from a siloed risk management approach to IRM. Technology support is imperative for managing the risks inherent in increasingly complex processes, service offerings and business models. The right technology platform allows organizations to perform IRM effectively, with efficiency and agility.
Integrated solutions allow every aspect of risk identification and management to be centralized, monitored and documented. They help calibrate risk appetite, assist decision-makers and encourage collaboration, all while creating a more resilient organization that is ready to embrace change and rise to the challenges of new opportunities and markets.
About the author: Sam Abadir, Vice President of Industry Solutions at Lockpath, a provider of integrated risk management solutions.