Board Matters Quarterly, April 2014
Putting your trust in the cloud
Building a secure environment
Cloud computing is fundamentally different from traditional enterprise computing. It is technology on demand: you use only what you need, when you need it and how you need it delivered.
While cloud computing offers many benefits, there can be risks.
Some fear that communicating data over a shared network will increase their vulnerability to cyberattacks, or that cloud service providers offering the same infrastructure to multiple clients in multiple locations will not be able to maintain confidentiality of all the data.
Still others express concern that data may be transported across borders and may expose them to legal and regulatory requirements in jurisdictions with which they’re unfamiliar.
These concerns are valid, and venturing into the cloud without understanding the security, privacy and regulatory considerations will put the company at risk.
There is a tendency with cloud solutions to rely on the vendor (or cloud service provider) to ensure that these concerns are addressed. But boards must realize that it is management’s responsibility to address the risks of moving to a cloud environment.
Boards should be thinking “cloud first” when contemplating their IT solutions, but they must do it with eyes wide open and consider the risk implications.
Understanding the issues
Some employees may already be using cloud computing, without consulting the IT department. This phenomenon, called “cloud creep,” is blurring the boundaries of corporate networks and potentially making them less secure. Business units that want to use cloud computing may defy the IT department and procure the service themselves.
The IT department, management and board members are shifting their focus from saying “no” to cloud computing to saying “yes,” but in a way that adds value to the business and protects it from mounting cybersecurity risks.
Reaching for STAR
Because banning cloud services may not be a viable option, developing a cloud framework that results in a secure, trusted and audit-ready (STAR) environment may make you more confident about your decision to say “yes.”
The components of a STAR environment are as follows:
Secure: A secure cloud environment has the appropriate controls to protect the confidentiality, availability and integrity of the data that resides in the cloud. Appropriate controls exist to properly protect data at rest, in transit and in use.
Trusted: A trusted cloud environment is designed to stand the test of time. It should provide high availability and must be resilient to adverse events.
Audit-ready: An audit-ready cloud environment has continuous compliance and is certified to meet specific industry regulations. Appropriate procedural and technical protection is in place, documented and can be verified for compliance and regulatory purposes.
Widespread consumption of cloud services isn’t on its way; it’s here. Early adopters of cloud services have already gained competitive advantages.
Organizations that can think “cloud first,” while managing risks using a clear and well-understood model, will benefit from the efficiencies, cost savings and additional capabilities that the cloud can deliver.
Boards and audit committees should understand the company’s approach to addressing the opportunities and the challenges related to cloud computing, and they should be familiar with the framework for addressing the potential risks.
Questions for the board to consider
- Does the board understand what data is currently stored in the cloud and has management discussed with the board what controls are in place to protect the most sensitive data?
- Has the company defined and implemented standards so its systems integrate with cloud technologies in a secure manner, and have these standards been communicated throughout the company and to the board?
- What happens if something goes wrong in the cloud? Does the company have a backup and restoration strategy, and has it been reviewed with the board?
- How does the board know that what the cloud provider is telling the company is reliable? When was the last time a quality control audit of the cloud provider was performed and/or the controls were independently verified?