GRC in the Cloud

Tony Kontzer

In Summary:

Who: IT leaders from Unisys, biotech firm AMAG and forensic investigators Stroz Friedberg

What: Discussing the governance, risk management and compliance issues raised by enterprise use of public and private cloud services

Why: To provide perspective and advice on an often-overlooked aspect of cloud migrations

Amid all the handwringing during the past few years over the perceived security shortcomings of the cloud, much less attention has been paid to the relatively subtle areas of governance, risk management and compliance. The irony is that one of the biggest security concerns about the cloud–namely, the commingling of different companies’ data in the same cloud environment–is equally important to GRC needs.

The spate of high-profile data breaches that hit companies such as RSA, Epsilon and Sony earlier this year provides a cautionary tale. Each company was heavily criticized for not responding quickly enough with details of the breaches.

Yet, if that data had been stored with public cloud providers, it could have taken several days just to figure out where the servers housing the data were located, further prolonging public response, says Eric Friedberg, co-president of digital risk management and investigations company Stroz Friedberg.

“We have seen clients have substantial logistical problems [with the cloud],” says Friedberg. “When they have to do any investigation of their data, the structure of cloud computing companies is not designed to be responsive to that query.”

That nonresponsiveness-by-design can become a problem in many ways. For instance, a company that’s being sued is often obliged to cease recycling backup tapes and to disable auto-delete functions in order to ensure investigative access to data. If that company’s cloud provider doesn’t allow such steps–either because it’s unable to do so or because it’s contractually bound to auto-delete the data of hundreds of other customers every other week–it can find itself facing significant legal exposure.

For guidance on how to protect your organization, read the accompanying article GRC: 7 Questions to Ask Your Cloud Provider.

“Legal teams shouldn’t wake up to those risks when there’s an incident,” says Friedberg. “They should be aware of those risks ahead of time so they can be prepared to respond.”

Some observers believe that such inherent cloud computing risks are due to the fact that cloud vendors have no motivation to offer the kind of visibility into their environments that discerning enterprises should be demanding.

“Visibility is something [cloud providers] are not interested in providing to you,” says John Pironti, president of IT consultancy IP Architects and an adviser for the Information Systems Audit and Control Association. “They want to be able to move things around to run their business more efficiently.”

That’s why Pironti advises his clients to limit their cloud endeavors to commoditized services such as CRM and human resources and remain in firm control of their mission-critical systems. He points to one client that had invested heavily in a new cloud service, replete with a huge advertising campaign, only to see the service rendered completely unavailable at launch when a four-day outage hit Amazon.com’s Elastic Compute Cloud, taking down the service’s cloud backbone.

“When it all works, it’s great,” says Pironti. “But when something fails, you may find yourself having challenges.”