Discovering Risk and Maintaining Your Cloud Governance Strategy

An effective cloud security strategy requires enforcement and accountability. This is where governance comes in. Basically, governance is about applying policies — the organizing principles and rules that determine how an organization should behave — relating to using services. In the cloud world, governance helps to define how multiple organizations behave, because multiple parties across different companies will be part of the governance plan.

IT governance is really a combination of policy, process, and controls. The role of IT governance is to implement, maintain, and continuously improve these controls. IT governance does the following:

• Ensures that IT assets (systems, processes, and so on) are implemented and used according to agreed-upon policies and procedures

• Ensures that these assets are properly controlled and maintained

• Ensures that these assets are providing value to the organization

IT governance, therefore, has to include the techniques and policies that measure and control how systems are managed. However, IT doesn’t stand alone in the governance process. In order for governance to be effective, it must be holistic. It’s as much about organizational issues and how people work together to achieve business goals as it is about technology. A critical part of governance is establishing organizational relationships between business and IT, as well as defining how people will work together across organizational boundaries. So, the best kind of governance occurs when IT and the business are working together.

Implementing a governance strategy

How does governance typically work? IT governance usually involves establishing a board made up of business and IT representatives. The board creates rules and processes that the organization must follow to ensure that policies are being met. These rules and processes might include the following:

• Understanding business issues such as regulatory requirements or funding

• Establishing best practices and monitoring these processes

• Assigning responsibility for things such as programming standards, proper design, review, certifications, and monitoring applications

When you move into a hybrid cloud environment, you want your governance board to deal with issues related to how your compute resources are handled on your premises, as well as to deal with your cloud provider. Cloud governance is a shared responsibility between the user of cloud services and the cloud provider. Understanding the boundaries of responsibility and defining an appropriate governance strategy within your organization require careful balance.

A successful governance strategy in a hybrid environment requires a negotiated agreement between you and your cloud provider(s). Generally, several goals are involved in cloud governance, including managing risk and monitoring performance.

Your governance strategy needs to be supported in two ways:

• Understanding the compliance and risk measures the business must follow: What does your business require to meet IT, corporate, industry, and government requirements? For example, can your business share data across international borders? These requirements must be supported through technical controls, automation, and strict governance of processes, data, and workflows.

• Understanding the performance goals of the business: Perhaps you measure your business performance in terms of sales revenue, profitability, stock price, quality of product or service provided, and timely delivery. Your cloud provider needs to be able to support these goals and help you optimize your business performance.

Risks worth noting

Each industry has a set of governance principles based on its regulatory and competitive environment and its view of risk. There are different levels of risk. For example, in certain companies, information cannot be shared across international boundaries. In financial services, certain data practices need to be followed. In software development, there are risks associated with getting the product on the market on time. In the healthcare industry, there are patient privacy concerns.

Although a business’s CIO may work with the business to put together a certain set of rules to manage risks, everyone in the business must understand the risks. To make our point, suppose you have a corporate policy stating that no data from a credit card system can be used by the company’s marketing analysis systems. Now, suppose that the CIO discovers that the marketing analysis system used this information. In this case, the business is put at risk, and IT governance fails. Clearly, the CIO was not the only one who needed to know the rules put in place to manage risks.

Here is a list of risks to consider as you move into a hybrid model:

• Audit and compliance risks: Include issues around data jurisdiction, data access control, and maintaining an audit trail.

• Security risks: Include data integrity and data confidentiality and privacy.

• Other information risks: Include protection of intellectual property.

• Performance and availability risks: Include the level of availability and performance your business requires to successfully operate — for example, alerts, notifications, and provider business continuity plans. In addition, does the provider have forensic information, in case something does go wrong?

• Interoperability risks: Associated with developing a service that might be composed of multiple services. Are you assured that the infrastructure will continue to support your service? What if one of the services you’re using changes? What policies are in place to ensure that you will be notified of a change?

• Contract risks: Associated with not reading between the lines of your contract. For example, who owns your data in the cloud? If the service goes down, how will you be compensated? What happens if the provider goes out of business?

• Billing risks: Associated with ensuring that you’re billed correctly and only for the resources you consume.

Measuring and monitoring performance

You can measure business performance by comparing production, sales, revenue, stock price, and customer satisfaction with your goals. You can measure IT performance by comparing server, application, and network uptime; service resolution time; budgets; and project completion dates with your goals. Businesses use all these measures to rate their performance compared with that of competitors and the expectations of customers, partners, and shareholders. In cloud computing, you need to measure the effect of IT performance on the business, which by definition now includes the performance of the cloud provider.

Of course, your own internal governance committee needs to answer the following types of questions to get started:

• How can IT performance measures support the business?

• What should management measure and monitor to ensure successful IT governance?

• Are customers able to get responses to requests in the expected amount of time?

• Is customer transaction data safe from unauthorized access?

• Can management get the right information at the right time?

• Can you demonstrate to business management that your organization can recover from anticipated outages without damaging customer loyalty?

• Are you able to monitor systems proactively so that you can make repairs before faulty services affect compliance with rules and regulations?

• Can you justify your IT investments to business management?

These questions need to be answered whether or not you’re using a cloud provider.

Making governance work

We believe that effective management of the cloud will be part people and processes and part technology. It’s really a three-part solution.

• Your organization needs to set up a governance body to deal with cloud issues and to put processes in place to work with the business around enforcement (this body can be your existing governance board, if you like). This board will have oversight responsibilities and will collaborate with the business (it should include business members). It can also develop best practices.

• Your organization needs to have governance bodies in the cloud that deal with standardization of services and other shared infrastructure issues. You need some sort of interface to this group. How closely you work with it depends on how heavily you rely on the cloud.

• Your organization also needs to have technology in the mix that helps your organization automatically monitor what happens in the cloud.
