The cloud has brought a range of compelling benefits to businesses, helping them improve performance, become more agile and increase efficiency. For these reasons, and more, its adoption has accelerated since the early days of cloud computing. However, as with all new technology implementations and change management programmes, the cloud comes with its own risks. Awareness of these, and a sound governance, risk and compliance (GRC) approach to cloud implementations, is essential for businesses to minimise risk and maximise business performance through cloud.
Understanding risk
According to a Cloud Security Alliance report (2017), the top three critical issues to cloud security are:
- data breaches
- insufficient identity, credential and access management
- insecure interfaces and APIs.
Cloud adoption strategies must recognise these risks, assess the probability of business impacting issues arising from them, and have plans in place to mitigate any such occurrences. Failure to do so could mean not only the benefits sought from the cloud are not attained, but that the business fails to protect itself from damaging incidents that were potentially avoidable.
GRC on the cloud is a way of ensuring that risks are completely understood and can be more effectively managed through a robust technology platform and the effective execution of risk management strategies. It is also a way of smoothly managing change – something that impacts all industries – to address evolving requirements.
The GRC cloud platform
A risk-based approach when adopting cloud computing helps minimise risk and enables management of data and business-critical applications in the cloud to be consistent with the enterprise’s risk appetite and strategic objectives. While cloud security controls, threat monitoring, vulnerability scanners and other tools help minimise risk, a GRC cloud platform goes further than this by bringing all these risk and compliance factors together into a single source of truth, enabling enterprises to have an integrated view of their GRC profile in the cloud.
Aside from the scalability, cost-efficiency and agility of a cloud deployment, a cloud-based GRC platform also gives enterprises enhanced visibility into risk exposure and enables them to automate compliance and monitoring processes.
Managing change
Flexibility is a mainstay of businesses that are able to succeed in continually changing environments. Risk and compliance also continuously evolve – the type and nature of risks change as do compliance requirements and the regulations that businesses must abide by. Change has an impact on processes, ways of working, organisational structures and teams. To keep up, GRC management within enterprises must be flexible, configurable and scalable and it must enable action resulting from change to be handled cost-effectively, if the business is to adapt and grow.
Data: confidentiality, integrity, availability
One of the main benefits of cloud is its ability to store massive amounts of data and to provide anytime, anywhere, controlled access to it. Managing data confidentiality, integrity and availability is essential and each enterprise should have clear criteria and governance structures around this. The avoidance of data co-mingling is one such requirement and here, a multi-instance cloud architecture can be effective. It can maintain a separate full-stack environment, enabling the complete separation of instances to ensure data integrity.
Of course, data volumes continue to grow, and data sets can become fragmented. It is often a challenge to handle such data sets with traditional warehousing and business intelligence tools, let alone support the ways in which organisations need to use them in order for them to be effective. Data is the lifeblood of business and, through it, insights can be gained that can confer significant business advantage but only if it is stored, managed, maintained and accessed in the right way.
Tools and processes for data security, monitoring, maintenance and cost must be included in strategic planning, and in this, next gen IT strategies and techniques such as advanced analytics, visualization tools, and parallel data processing are starting to play a part.
Risk management for cloud data storage and governance must be robust and for this reason, enterprises are looking at GRC platforms on advanced cloud data centres in order to effectively identify, assess, and mitigate cloud computing risks, while ensuring compliance with data governance regulations.
Evolving technology platforms
With a GRC framework on cloud, enterprises can ensure that security risks are completely understood, change is smoothly managed, and that informed decision-making puts the organisation in the best possible place to reduce risk, while benefiting from the advantages of cloud in enhancing business performance.
As technology continues to evolve, it is essential that enterprises evaluate, implement and adopt the cloud in a risk-aware way. A detailed, robust and well-maintained GRC cloud programme, together with a technology platform that enables flexibility and scalability, can support businesses in these endeavours.
As MD and GM of the company’s UK and Ireland operations, Anna is responsible for strategy and driving the business in the region with a customer-centric approach to growth. Anna joined MetricStream with over twenty years of experience in global markets in GRC and the financial services industry at several companies such as BAML, Thomson Reuters, CME Group, Markit, Trunomi, and Aravo. Anna serves as a non-executive director for the Open Data Institute, and is a member of the Executive Leadership Council for Upwards, a Silicon Valley professional women’s organisation.
In 2016, Anna was named by Innovate Finance in the ‘Women Fintech Powerlist’.