GRC in the Cloud: Holding Vendors to Task

By Tony Kontzer  |  Posted 08-22-2011

GRC in the Cloud

In Summary:

Who: IT leaders from Unisys, biotech firm AMAG and forensic investigators Stroz Friedberg

What: Discussing the governance, risk management and compliance issues raised by enterprise use of public and private cloud services

Why: To provide perspective and advice on an often-overlooked aspect of cloud migrations

Amid all the handwringing during the past few years over the perceived security shortcomings of the cloud, much less attention has been paid to the relatively subtle areas of governance, risk management and compliance. The irony is that one of the biggest security concerns about the cloud--namely, the commingling of different companies' data in the same cloud environment--is equally important to GRC needs.

The spate of high-profile data breaches that hit companies such as RSA, Epsilon and Sony earlier this year provides a cautionary tale. Each company was heavily criticized for not responding quickly enough with details of the breaches.

Yet, if that data had been stored with public cloud providers, it could have taken several days just to figure out where the servers housing the data were located, further prolonging public response, says Eric Friedberg, co-president of digital risk management and investigations company Stroz Friedberg.

"We have seen clients have substantial logistical problems [with the cloud]," says Friedberg. "When they have to do any investigation of their data, the structure of cloud computing companies is not designed to be responsive to that query."

That nonresponsiveness-by-design can become a problem in many ways. For instance, a company that's being sued is often obliged to cease recycling backup tapes and to disable auto-delete functions in order to ensure investigative access to data. If that company's cloud provider doesn't allow such steps--either because it's unable to do so or because it's contractually bound to auto-delete the data of hundreds of other customers every other week--it can find itself facing significant legal exposure.

For guidance on how to protect your organization, read the accompanying article GRC: 7 Questions to Ask Your Cloud Provider.

"Legal teams shouldn't wake up to those risks when there's an incident," says Friedberg. "They should be aware of those risks ahead of time so they can be prepared to respond."

Some observers believe that such inherent cloud computing risks are due to the fact that cloud vendors have no motivation to offer the kind of visibility into their environments that discerning enterprises should be demanding.

"Visibility is something [cloud providers] are not interested in providing to you," says John Pironti, president of IT consultancy IP Architects and an adviser for the Information Systems Audit and Control Association. "They want to be able to move things around to run their business more efficiently."

That's why Pironti advises his clients to limit their cloud endeavors to commoditized services such as CRM and human resources and remain in firm control of their mission-critical systems. He points to one client that had invested heavily in a new cloud service, replete with a huge advertising campaign, only to see the service rendered completely unavailable at launch when a four-day outage hit Amazon.com's Elastic Compute Cloud, taking down the service's cloud backbone.

"When it all works, it's great," says Pironti. "But when something fails, you may find yourself having challenges."

GRC in the Cloud: Putting the Brakes On

For all these reasons, some companies simply have no appetite for public cloud services, preferring to invest instead in private clouds that allow them to apply their own policies and controls. But even that level of control didn't provide enough peace of mind for Unisys, the $4 billion-a-year IT services provider that actually helps customers build their own clouds and provides an array of vertical software as a service (SaaS) offerings.

Unisys has been rethinking its entire internal services strategy because of the meteoric growth in demand for access among its more than 20,000 employees. Workers want to connect to corporate networks and applications not only from their company-issued devices but also from their personal mobile devices, says Patricia Titus, the company's chief information security officer.

After embarking on an ambitious strategy to build a comprehensive private cloud, Unisys decided to take a hard look at the way consumer tools were seeping into the corporate environment; it then put the brakes on its cloud efforts.

"We wanted to stop the train from going really fast forward so we could research the whole consumer trend," says Titus. "The entire governance structure needed to change. We'd pushed through an unacceptable use policy."

Specifically, Unisys had underestimated the disruptive impact that mobile computing would soon have on its services, and it had to evaluate what users really needed access to and how they'd access it. This would allow the company to build services capable of supporting an array of devices out of the gate.

Then Unisys did what Titus says too few IT organizations do today: It asked its users what they needed. The results? Users wanted access to a far smaller subset of applications than IT had originally thought. This significantly lowered the company's expectations for its first forays into the cloud, which Titus characterizes as "pre-pilot."

Rather than try to migrate as many apps as possible to the cloud, Unisys focused instead on optimizing the most-desired apps for a variety of form factors. In doing so, it established seven categories that each device--from laptops to tablets to smartphones--had to satisfy to be given access to the company's network.

For instance, supported devices had to be able to use public-key infrastructure to meet Unisys' requirements for a secure network connection.

Once it settled on the devices it could support, Unisys began building customized versions of its first cloud applications. So far, these apps have been limited to relatively lightweight services, such as those for booking travel or tracking weather. In the process, the company gained important insight into the need to mitigate certain risks on mobile devices.

For instance, it learned that instead of enabling users to increase type size at will, it needs to build apps that automatically generate a fixed, readable type size that can't be easily seen by so-called shoulder surfers. This will become more important as the company migrates increasingly sensitive apps to the cloud.

Titus' takeaway from all this is simple: Take a measured approach to the cloud. Although many companies are jumping in with both feet, Titus is much more comfortable taking it slowly so she can minimize possible disruptions to the business.

"It's difficult for me, from a compliance perspective, to say, 'Let's everyone run to the cloud,'" says Titus. "We have a rigorous change management process, and I don't want to put that at risk."

GRC in the Cloud: Holding Vendors to Task

Reducing the risk the cloud presents is clearly a matter of diligence--whether that means scaling back a cloud strategy and looking more closely at emerging computing trends, as Unisys has done, or patiently holding vendors to task, the approach taken by AMAG Pharmaceutical.

AMAG, founded in 1981 as Advanced Magnetics, began its cloud evolution in 2008, eventually entrusting a wide range of systems--including HR and ERP, expense reporting, and paycheck applications--to third-party SaaS and hosting providers. In each case, Nathan McBride, executive director of IT for the biotech company, determined that whatever risks existed were not significant enough to prevent him from proceeding down the cloud computing path.

But when McBride discovered Egnyte's cloud-based file server offering, a crucial element was missing--the product didn't work with any external single sign-on (SSO) product, and McBride wasn't willing to overlook that. The company was just eight months into sales of its current flagship product, Feraheme, an intravenous iron compound that helps treat iron deficiency anemia. Sales of the product have grown from $2 million in 2008 to more than $66 million in 2010.

With so much at stake, AMAG required sufficient governance capabilities to ensure that it could securely store critical regulatory data and be able to share it and collaborate with external partners and agencies.

McBride knew he didn't want to move forward with Egnyte without external SSO, so he accepted a smaller risk instead, using Google Docs to establish a temporary document collaboration repository, complete with audit capabilities that helped mitigate security concerns. In the meantime, he made clear his reservations to Egnyte, which in turn joined forces with an SSO vendor, Okta, to develop a custom API that would enable AMAG's users to log into Egnyte through Okta's portal.

A few months later, AMAG went live with Egnyte, establishing it as the standard for department-level document storage. However, it also preserved its Google Docs environment as an option for users.

By being firm on his requirements, McBride had, in a way, wrestled the cloud so that he could ensure it afforded adequate governance for AMAG. He says that being so diligent with his vendors has helped him get past each of their flaws--and make no mistake, McBride points out, they all have flaws.

"We had requirement specifications, and when we applied that framework, there were lots of vendors who weren't up to snuff," he says. "If you're willing to mitigate those [flaws], you can still integrate those services into your business. It requires diligence like you wouldn't believe, but if you're willing to do it, the diligence just becomes part of your job."

There are far more companies in AMAG's shoes, depending on public cloud providers to serve as their introduction to the cloud. McBride's advice is to view cloud vendors as you would any other IT provider: as a partner that should be invested in delivering business results without compromising your company's governance and compliance efforts or testing its appetite for risk.

In the best GRC relationships between enterprise customers and cloud vendors, "It's a constant collaboration and communication partnership--where all partners know they have a stake--that makes it work," McBride says. "These vendors don't want to lose customers."