Cloud computing has revolutionised how businesses operate, but it has also given rise to new risks, challenging organisations to navigate security breaches, data privacy concerns and governance, writes Jackie Hennessey
While cloud computing offers significant benefits, such as reduced costs, flexibility and scalability, it also introduces a distinct risk profile, spanning information security, data protection, service availability and growing regulatory requirements.
Striking a balance between managing this risk and leveraging the power of the cloud is crucial. Effective cloud governance that promotes optimisation and does not create barriers to innovation can help organisations strike this balance.
Navigating the key risks of the cloud
Risks need to be governed and managed to ensure that cloud technology is being used responsibly and in compliance with regulatory expectations.
As a result, it is more important than ever to understand and mitigate these potential risks to leverage cloud computing safely.
The first step in determining your cloud risk exposure is understanding the following six potential risk categories:
- People: Lack of available resources with the correct skill set;
- Data security: Failure to implement sufficient and appropriate security controls to protect data and prevent data loss through unauthorised access;
- Compliance: Failure to meet regulatory compliance requirements (including across multiple jurisdictions);
- Operational: Failure to implement cloud processes, systems and controls aligned with current policies;
- Financial: Failure to perform proper cloud spend management around unplanned spikes in transaction volume and traffic;
- Third-party: Lack of third-party oversight, including failure to acknowledge the increased risk of cloud vendor lock-in, vendor unreliability and dependencies.
Cloud management
Cloud-focused governance bodies
Cloud governance bodies will be required to develop, monitor and evolve cloud governance over time by leveraging existing governance forums or establishing new ones with responsibility for:
- Cloud governance – formulating initial cloud governance policies, monitoring compliance and reviewing exceptions and proposed changes;
- Cloud operations – managing day-to-day cloud operations, service provision and related issues.
Management of CSPs
The approach to managing cloud service providers (CSPs) should be formalised and include processes for:
- Ensuring CSPs have adequate controls in place;
- Onboarding and offboarding of cloud services from CSPs;
- Monitoring of performance in line with Service Level Agreements (SLAs);
- Oversight of outsourcing arrangements carried out by CSPs (i.e. sub-outsourcing);
- Ensuring exit strategies are in place for the termination of services (both expected and unexpected).
Cloud strategy
A cloud strategy should be developed or considered as part of the technology and outsourcing strategies.
The cloud strategy will need to remain aligned with the business’s strategic objectives and be reviewed and updated periodically.
Data privacy and security
Data privacy and security policies and processes should be updated to reflect the use of the cloud and the additional controls that may need to be implemented as a result, such as:
- Sensitive data ownership and classification;
- Data flows and requirements for data transfer;
- Data loss prevention and rights management for cloud data at rest, in transit and in use.
Cloud capabilities
Mechanisms should be implemented to ensure ongoing resource availability with the right expertise and skill set.
Cloud policies and processes
Cloud policies and processes should be developed to define how the cloud is managed and monitored.
These policies and processes should be communicated to appropriate stakeholders across your organisation to support ongoing compliance.
Regulatory compliance
Regulatory horizon-scanning mechanisms should be in place to identify the regulatory compliance landscape and expectations for cloud services relevant to your organisation.
Jackie Hennessey is a partner in Risk Consulting at KPMG