07 - Governance

Cloud governance is the term used to describe managing the functioning and security in the cloud. Though majority of the operations are under the control of the vendor, the primary governance rests with the organization. And this is actually tough in situations of public and hybrid cloud scenarios. The controls are usually mixed up and maintaining clear cut lines for the governance is very difficult. For the proper governance to ensure security and privacy, encryption methods and security tools are implemented by the organizations.

Security Threats and Mitigations

A strict governance of the public and hybrid clouds is required owing to the security risks associated. The major security risks identified are data confidentiality and data integrity.

  • Data Confidentiality – This risk varies for different users based on the terms of service set forward by the cloud vendor. And if the vendor has reserved the right to change the policies, when required, this risk is magnified. And any information that you store or transfer in the cloud is eventually stored on a physical system elsewhere. And often it is subject to the laws of the country. This poses a high risk of data confidentiality in the cloud. If proper security measures are not adopted by the cloud vendor the data confidentiality of the company is surely at risk.
  • Data Integrity–This is critical for the proper functioning of any data center. Loss of bits can happen in cloud computing, which eventually results in data corruption. And a tailing major problem is that a corrupted file can affect rest of the metadata. Though the cloud vendors offer varying levels of data protection, they do not own the liability for any security issue or integrity of your data.

Mitigating the security threats in cloud computing is nearly impossible. But you can take effective steps to mitigate the risks to a big extent. Some of these steps are as follows:

  • Review and monitor policies and security measures adopted by the Cloud vendor
  • Implement good data encryption technologies
  • Conduct a risk analysis to assess the security of the cloud
  • Develop a governance plan that is data centric

Privacy Concerns and Resolutions

Cloud computing is a global service but Privacy policies and Data Protection laws are not similar globally. So the problem of privacy concern in the cloud arises. Cloud safety and cloud governance are entirely different and cloud safety becomes one of the goals of cloud governance.

To safeguard the privacy of data sent over the cloud, organizations should take strict steps and actions. These can be the following:

  • Authentication and Authorization – To access any data, authentication must be required. Without proper authentication, none should be able to access the data sent over the cloud. Another aspect is implementing authorization techniques. Only users authorized to access certain data should have access to it. The authorization can be relevant to job titles or designations also.
  • Data Encryption – Encrypting the data before sending it out in the cloud makes it lesser susceptible to hacks and thus increasing the privacy of the organization’s data.
  • Stronger Policies –Organizations must focus on creating stronger internal security and privacy laws. Also review the policies of the cloud vendor and strictly monitor any updates or changes to the policies.

Compliance

Cloud compliance is the process of having your data compliant with the laws and regulations when sending it over the cloud. Sometimes organizations classify data and decide to keep the highly confidential data on internal networks or on private clouds hosted within the office premises. Make sure that the data is compliant with the cloud vendors SLA and compliance checklists.

In some cases, there can be Geographic Compliance issues. With international storage and transmission, this issue arises. In some countries, private data need to be disclosed to the governmental agencies. These should be looked into carefully when opting for the international storage.

Similarly there are lots more compliance issues dependent on the type of data, cloud, and even functional industry. The remedy to resolve the compliance issues is to have a transparent association with your cloud vendor and keep monitoring your data for any discrepancies which may run you into trouble.

Licensing

In cloud computing, different vendors across the globe charge the users differently for the software licenses. The charging can be based on the number of users, processors or systems on which the software is used, or based on the actual usage. At times it is not very easy to calculate the actual number of license required in a cloud deployment.

Some ways to reduce licensing issues is to negotiate and arrive at agreements on a suitable licensing model with the vendors before entering the SLA. Maximizing the use of Open Source software is another way to bring down licensing cost in cloud computing.

Some companies like Microsoft are creating dedicated software licensing models for the cloud vendors. Microsoft has monthly billing plans while IBM has long term and hourly billing plans. This shows that software companies are designing the licensing and billing strategy for products targeting the cloud users.

Audit

In general, Auditing is the process which involves the tracing and logging of major events during an analysis time. This result is taken to validate the performance and security of system. Auditing of data security, privacy, and data integrity is common and a very effective tool in Cloud Computing.

The Internal Auditors must evaluate the risk assessments and investigate in the specific risk areas to safeguard the intellectual property of the organization. Internal audit should function as an assurance function and help the management to identify and understand the risks of leveraging the services of the cloud. The process should also be strong enough to identify if proper steps are in place to mitigate the risks associated with cloud computing. The audit should also evaluate the regulatory requirements regularly and identify if these are being met by the organization and the vendor.

Some of the most popular cloud audits are the following:

  • ISO 27001
  • SAS 70
  • FedRAMP

Like us on Facebook