GRC in the Cloud: Holding Vendors to Task
Reducing the risk the cloud presents is clearly a matter of diligence--whether that means scaling back a cloud strategy and looking more closely at emerging computing trends, as Unisys has done, or patiently holding vendors to task, the approach taken by AMAG Pharmaceutical.
AMAG, founded in 1981 as Advanced Magnetics, began its cloud evolution in 2008, eventually entrusting a wide range of systems--including HR and ERP, expense reporting, and paycheck applications--to third-party SaaS and hosting providers. In each case, Nathan McBride, executive director of IT for the biotech company, determined that whatever risks existed were not significant enough to prevent him from proceeding down the cloud computing path.
But when McBride discovered Egnyte's cloud-based file server offering, a crucial element was missing--the product didn't work with any external single-sign-on (SSO) product, and McBride wasn't willing to overlook that. The company was just eight months into sales of its current flagship product, Feraheme, an intravenous iron compound that helps treat iron deficiency anemia. Sales of the product have grown from $2 million in 2008 to more than $66 million in 2010.
With so much at stake, AMAG required sufficient governance capabilities to ensure that it could securely store critical regulatory data and be able to share it and collaborate with external partners and agencies.
McBride knew he didn't want to move forward with Egnyte without external SSO, so he accepted a smaller risk in the interim, using Google Docs to establish a temporary document collaboration repository, complete with audit capabilities that helped mitigate security concerns. In the meantime, he made his reservations clear to Egnyte, which in turn joined forces with an SSO vendor, Okta, to develop a custom API that would enable AMAG's users to log into Egnyte through Okta's portal.
A few months later, AMAG went live with Egnyte, establishing it as the standard for department-level document storage. However, it also preserved its Google Docs environment as an option for users.
By being firm on his requirements, McBride had, in a way, wrestled the cloud so that he could ensure it afforded adequate governance for AMAG. He says that being so diligent with his vendors has helped him get past each of their flaws--and make no mistake, McBride points out, they all have flaws.
"We had requirement specifications, and when we applied that framework, there were lots of vendors who weren't up to snuff," he says. "If you're willing to mitigate those [flaws], you can still integrate those services into your business. It requires diligence like you wouldn't believe, but if you're willing to do it, the diligence just becomes part of your job."
There are far more companies in AMAG's shoes, depending on public cloud providers to serve as their introduction to the cloud. McBride's advice is to view cloud vendors as you would any other IT provider: as a partner that should be invested in delivering business results without compromising your company's governance and compliance efforts or testing its appetite for risk.
In the best GRC relationships between enterprise customers and cloud vendors, "It's a constant collaboration and communication partnership--where all partners know they have a stake--that makes it work," McBride says. "These vendors don't want to lose customers."