Achieving a high standard of governance, risk and compliance (GRC) in the Cloud is necessary given the speed and scale it accords, a hyper-connected business environment, and stringent regulatory imperatives. Although governance, risk and compliance are spoken of in the same breath, each function is separate, and together they form the basis of a security architecture and its operational processes.
Governance sets the broad contours of a programme aligned with the business vision at a strategic level; risk management derives specific controls from the assessed risks and supplies the information needed to make decisions; and compliance is business specific, referring to adherence to, and monitoring of, the controls that satisfy particular governance and regulatory requirements.
While the Cloud presents unique opportunities to mitigate risks and strengthen governance (greater transparency, workflow automation, programmatic controls and auto-remediation), technology is only one of the three pillars needed to achieve GRC goals. A comprehensive approach encompassing people, processes and technology is required, in which organizations sensitize employees to build a culture of adherence, institute processes that increase accountability, and deploy technology to detect and prevent risks proactively.
The same Cloud benefits that promote speed, agility and autonomy become a bane for GRC administrators when unrestricted, decentralized access creates Cloud sprawl, compromising visibility and accountability.
With speed a defining metric of the Cloud era, product teams often ignore rules and quality issues in their hurry to meet goals. Best practices exist, but time to market takes precedence and compliance becomes a minor concern in that race, magnifying risks whose remediation later consumes time and effort that could have been spent creating value instead.
A report by Gemalto and the Ponemon Institute, which surveyed global respondents, found that 49% of Cloud services are procured by business units directly and that about 47% of the data stored in the Cloud is not managed by IT. More importantly, about two-thirds of the surveyed organizations store customer data in the Cloud, while only 43% have defined roles and accountability for safeguarding the information stored there.
Given these inherent Cloud characteristics, achieving GRC in the Cloud may appear contradictory, but a thoughtful approach integrating oversight, execution and adequate controls helps achieve governance and compliance goals.
High-performing companies have incorporated technologies and practices that facilitate speed and agility while conforming to governance. Based on our experience, here are a few recommendations for building a robust GRC framework.
IDENTIFY COMPLIANCE REQUIREMENTS: Identify the regulations that apply to the business, such as HIPAA or GDPR, align the resulting compliance requirements with business objectives, and define the rigor required to meet them. Compliance initiatives must enable the business to grow while mitigating risks.
PRIORITIZE OBJECTIVES: Favour objectives that are critical to the business and achievable over those that are desirable but difficult to achieve.
FORMALIZE POLICIES: Write policies that support the business objectives, a compliance and ethics program, and controls that address the organization's assessed risks.
MONITOR & TEST: Define the periodicity of testing: point-in-time testing combined with continuous monitoring.
REPORTING: Build dashboards that display control breaches against the organization's risk appetite and surface emerging risks, and get a better grasp of the underlying data to simplify reporting and audits.
REMEDIATION & ESCALATION: Define protocols for who remediates a violation, by when, and to whom it is escalated if it is not remediated in time.
Once the risk appetite and governance framework are defined, the AWS Cloud offers several mechanisms for applying automation to achieve GRC goals effectively.
IDENTITY AND ACCESS AUTOMATION: Provision access through a central portal using IAM roles, with each role's policy scoped to least privilege: only the actions and resources the role actually needs, never a blanket wildcard.
SECURITY AUTOMATION: Codify security baselines and custom GRC requirements in CloudFormation templates so that they are versioned and reviewable. Use AWS Lambda for auto-remediation: revoke user access, terminate a non-compliant resource, or isolate an affected resource (for example, by swapping its security group) so that it is preserved for forensic analysis rather than destroyed along with the evidence.
POLICY ENFORCEMENT: Use AWS Config, CloudTrail and CloudWatch to track adherence continuously: CloudTrail records who made which API call, Config evaluates resource configuration against rules, and CloudWatch alarms on the results. Align stakeholder roles and responsibilities with the compliance requirements, specifying which services, features and resources are approved.
CENTRAL MONITORING: Third-party tools compatible with the AWS Cloud, such as CloudHealth, help monitor the complete environment at the macro and micro level to identify trends and to track resource usage, cost, performance, and security adherence and violations by different teams.
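As an added example (not code from the original article or from AWS), the following Python module shows the decision logic that a CloudTrail-triggered remediation Lambda of the kind described above would run: it evaluates CloudTrail records against a small least-privilege and audit-logging baseline (a policy granting Action * on Resource *, an admin port opened to the world, root usage without MFA, and trail tampering) and maps each finding to the remediation API call an operator would expect. The records are constructed samples in CloudTrail's documented record format, including a wildcard policy beside a correctly scoped one. The AWS calls themselves are returned as a dry-run plan rather than executed (boto3 is deliberately not imported), which is an assumption of this example so that it runs offline.

```python
"""Baseline checks over CloudTrail records with a dry-run remediation plan.

Added example, not the page's own code. Event shapes follow CloudTrail's record
format; SAMPLE_RECORDS are constructed here and describe no real account.
"""
import json
from dataclasses import dataclass, asdict

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}
POLICY_EVENTS = {"CreatePolicy", "CreatePolicyVersion", "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    remediation: str  # the API call a remediation Lambda would make (dry run here)


def has_wildcard_allow(policy: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*" (not least privilege)."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        acts, res = s.get("Action", []), s.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if s.get("Effect") == "Allow" and "*" in acts and "*" in res:
            return True
    return False


def evaluate_record(rec: dict) -> list:
    """Apply the baseline rules to one CloudTrail record and return its findings."""
    findings = []
    name = rec.get("eventName")
    params = rec.get("requestParameters") or {}
    identity = rec.get("userIdentity") or {}

    # Rule 1: the root user acting in a session that was not MFA-authenticated.
    if identity.get("type") == "Root":
        mfa = (identity.get("sessionContext") or {}).get("attributes", {}).get("mfaAuthenticated")
        if mfa != "true":
            findings.append(Finding("root-without-mfa", "high", f"root called {name} without MFA",
                                    "page on-call; rotate root credentials and enforce MFA"))

    # Rule 2: an inline or managed policy that grants *:* (least-privilege breach).
    if name in POLICY_EVENTS:
        doc = params.get("policyDocument")  # CloudTrail carries this as a JSON string
        doc = json.loads(doc) if isinstance(doc, str) else doc
        if doc and has_wildcard_allow(doc):
            target = params.get("policyName") or params.get("policyArn")
            findings.append(Finding("wildcard-iam-policy", "high", f"{target} allows Action * on Resource *",
                                    f"delete or detach {target}; notify the owner"))

    # Rule 3: a security group rule exposing an admin port to any address.
    if name == "AuthorizeSecurityGroupIngress":
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            ranges = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
            ranges += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            if any(lo <= p <= hi for p in ADMIN_PORTS) and WORLD & set(ranges):
                sg = params.get("groupId")
                findings.append(Finding("admin-port-open-to-world", "medium",
                                        f"{sg} allows tcp {lo}-{hi} from {ranges}",
                                        f"ec2:RevokeSecurityGroupIngress on {sg} for that rule"))

    # Rule 4: tampering with the audit trail itself.
    if name in LOG_TAMPER_EVENTS:
        trail = params.get("name")
        findings.append(Finding("cloudtrail-tampering", "high", f"{name} on trail {trail}",
                                f"cloudtrail:StartLogging {trail}; revoke the caller's session; open an incident"))
    return findings


def evaluate_records(records) -> list:
    return [f for rec in records for f in evaluate_record(rec)]


def lambda_handler(event, context=None):
    """Entry point for CloudTrail -> EventBridge -> Lambda; returns the plan instead of acting.

    EventBridge delivers one record under "detail"; S3-delivered log files carry "Records".
    A real deployment would hand each Finding.remediation to boto3 (assumed, not shown)."""
    records = event.get("Records") or [event.get("detail", event)]
    return [asdict(f) for f in evaluate_records(records)]


# Constructed sample records in CloudTrail's record format (not real account data).
SAMPLE_RECORDS = [
    {"eventName": "PutRolePolicy", "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"roleName": "app-role", "policyName": "admin-inline", "policyDocument": json.dumps(
         {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "PutRolePolicy", "userIdentity": {"type": "IAMUser", "userName": "dev1"},
     "requestParameters": {"roleName": "app-role", "policyName": "read-reports", "policyDocument": json.dumps(
         {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                                  "Resource": "arn:aws:s3:::example-reports/*"}]})}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "dev2"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}}},
    {"eventName": "StopLogging", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"type": "Root", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]

if __name__ == "__main__":
    for f in evaluate_records(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.rule}: {f.detail} -> {f.remediation}")
```

The scoped "read-reports" policy produces no finding while "admin-inline" does, which is the least-privilege distinction the IAM recommendation above is about. Note that the remediation for the security-group case revokes only the offending rule rather than deleting the group, and the trail-tampering case restarts logging and preserves the caller's session for investigation, in line with isolating for forensics rather than destroying evidence.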
Ultimately, an effective GRC program lets the business scale up and down, with core processes supporting cost-effective compliance alongside business goals. It is a thoughtful approach that streamlines what already exists within the organization while preparing for the future; it protects and creates value at the same time through proactive rather than reactive behaviour; and it identifies opportunities through new levels of visibility, control and auditability.