
Why Governance In The Cloud Is So Important

Operating in the cloud can provide multiple benefits to businesses that take advantage of the opportunities. However, operating in the cloud also comes with greater risks than operating an on-premises IT infrastructure. For this reason, effective governance in the cloud is of the utmost importance.

Remember the days when every business was operating an on-premises IT infrastructure? You had fixed capital costs and fairly constant operational costs, everybody was using the same software, and your network was protected by a firewall. Then came the cloud.

Now you can launch assets with the click of a mouse, take advantage of a wide range of software applications, and pay only for what you use—or, more accurately, pay only for what you provision. Unfortunately, the benefits of agility, flexibility, and affordability can have a price—security.

 

Who Has Responsibility for Security in the Cloud?

Contrary to what some business leaders believe, the responsibility for protecting corporate data in the cloud lies not with cloud service providers but with cloud customers. Cloud services are generally watertight when it comes to security, their security systems having been designed by experts.

By comparison, the security expertise of cloud customers is sometimes questionable. Indeed, a recent article published at CSOonline.com listed the most common causes of data breaches as:

  • Human error
  • Application vulnerabilities
  • Poor security practices
  • Insufficient identity, credential, and access management
  • Insecure user interfaces (UIs) and application programming interfaces (APIs)

These five causes achieved a higher threat rating than account hijacking (via a phishing scam or similar), malicious insiders, and non-targeted malware attacks. Had the article been published a little later, it could have included the more recent revelation that 7 percent of all S3 storage buckets on Amazon Web Services (AWS) have unrestricted public access and 35 percent are unencrypted.

How Does Governance in the Cloud Resolve These Issues?

The term governance in the cloud relates to the rules, policies, and processes used by businesses to operate in the cloud. These are the “what, when, who, and how” when it comes to cloud security, and govern factors such as what assets can be used, when assets can be used, who has access to assets, and how assets should be protected against malicious actors (both inside and outside the business).

Rules can be created that govern asset configuration, encryption key management, audit trails, user accounts with too broad a range of control, non-compliance with password policies, multi-factor authentication, and the resiliency to recover operations and data after an outage or data loss event—in fact any aspect of cloud security that prevents the most common causes of data breaches listed above.

The rules and policies are loaded onto a management platform that monitors cloud activity and automatically responds to violations with one or more preconfigured processes (i.e. by notifying key personnel, terminating non-conforming assets, revoking account access, and/or requesting approval before allowing an event to take place). Automating responses also eliminates the human error element of data breaches.
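To make the rule-and-response model above concrete, here is an added sketch (not code from any particular management platform) that evaluates a constructed asset inventory against a handful of rules and maps each violation to the four responses named in the text. The rule names, asset fields, region values, and the `*` wildcard permission are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

# The four automated responses named in the article.
NOTIFY, TERMINATE, REVOKE, APPROVAL = "notify", "terminate", "revoke_access", "require_approval"
APPROVED_REGIONS = {"region-a"}  # hypothetical policy value

@dataclass(frozen=True)
class Rule:
    rule_id: str
    kind: str                         # asset kind the rule applies to
    violated: Callable[[dict], bool]  # True when the asset breaks the rule
    responses: tuple

# Hypothetical rules. Each predicate fails closed: a missing attribute counts
# as a violation, so an asset the inventory cannot describe is never "compliant".
RULES = [
    Rule("bucket-public", "bucket", lambda a: a.get("public_access", True), (NOTIFY, REVOKE)),
    Rule("bucket-unencrypted", "bucket", lambda a: not a.get("encrypted", False), (NOTIFY,)),
    Rule("user-no-mfa", "user", lambda a: not a.get("mfa_enabled", False), (NOTIFY, REVOKE)),
    Rule("user-broad-control", "user", lambda a: "*" in a.get("permissions", ["*"]), (APPROVAL,)),
    Rule("instance-region", "instance", lambda a: a.get("region") not in APPROVED_REGIONS, (NOTIFY, TERMINATE)),
]

# Constructed sample inventory, not real data.
INVENTORY = [
    {"id": "bucket-logs", "kind": "bucket", "public_access": False, "encrypted": True},
    {"id": "bucket-export", "kind": "bucket", "public_access": True},  # encryption unknown
    {"id": "user-alice", "kind": "user", "mfa_enabled": True, "permissions": ["storage:read"]},
    {"id": "user-svc", "kind": "user", "mfa_enabled": False, "permissions": ["*"]},
    {"id": "vm-7", "kind": "instance", "region": "region-x"},
]

def evaluate(inventory, rules=RULES):
    """Return (asset_id, rule_id) for every violated rule, in inventory order."""
    return [(a["id"], r.rule_id) for a in inventory for r in rules
            if r.kind == a.get("kind") and r.violated(a)]

def plan_responses(inventory, rules=RULES):
    """Merge the responses of all violated rules into one sorted list per asset."""
    by_id = {r.rule_id: r for r in rules}
    plan = {}
    for asset_id, rule_id in evaluate(inventory, rules):
        plan.setdefault(asset_id, set()).update(by_id[rule_id].responses)
    return {asset_id: sorted(actions) for asset_id, actions in plan.items()}

if __name__ == "__main__":
    for asset_id, actions in plan_responses(INVENTORY).items():
        print(asset_id, "->", ", ".join(actions))
```

Note that `bucket-export` is flagged as unencrypted even though the inventory never says so: treating unknown state as non-compliant keeps gaps in asset data from hiding violations.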

Other Benefits of Governance in the Cloud

Enhanced security is not the only benefit of governance in the cloud. Rules, policies, and automated processes can also be applied to financial management, cost optimization, and asset performance management. Remember how we mentioned launching assets with the click of a mouse earlier? Those clicks cost money, and it is important to keep costs under control.

Similarly, it is important that every department takes advantage of software applications that can communicate with each other. Otherwise you end up with isolated “Shadow IT” environments that create obstacles to efficiency. Governance in the cloud can take care of that too by stipulating what apps are used by different departments in the performance of their roles.