Building trust in the cloud
Creating confidence in your cloud ecosystem
Cloud computing has reached a tipping point as many organizations have either adopted or are planning to adopt some form of cloud computing technology — whether IT knows and manages it or not.
Ease of access is one of many reasons individuals, business units and departments are using cloud service providers with increasing frequency. Yet, despite the rapid escalation of cloud services use, many IT executives remain hesitant to endorse a “cloud-first” approach.
Worse, there are some who refuse to adopt any cloud-based services at all, citing security and privacy concerns, operational challenges or inability to control information.
Unfortunately, this attitude can increase an organization’s risk rather than mitigating it. To meet fierce competitive demands and new business requirements, many organizations have found internal stakeholders will procure cloud computing services directly, without involving IT experts, leaving the associated risks unmanaged.
So what should IT executives do?
The best option is to develop a holistic cloud trust strategy — one involving key stakeholders from both the business and IT to provide a secure cloud ecosystem with the proper checks and balances that enable a controlled and cost-effective investment in the cloud.
Instead of saying “no you cannot,” IT executives need to learn how to confidently say “yes we can.”
IT executives need to consider the full range of risks involved in the on-premises and externally hosted cloud environments that make up their ecosystem. Your cloud ecosystem should have a:
- Trusted design. A cloud ecosystem with trusted design has the right controls in place to safeguard and protect the underlying computing and information assets. The controls are designed to address the key areas of risk and are strong enough to match the threats to the environment. Both the CSP and CSC are responsible for designing effective cloud controls to manage risk in their respective environments.
- Trusted execution. A cloud ecosystem with trusted execution has the right controls in place and is operating effectively per the trusted cloud design. The controls are working as intended and are strengthened when risk indicators rise. The CSP generally has responsibility for control execution, while the CSC is accountable for governing and verifying that the control objectives are met.
- Trusted certification. A cloud ecosystem with trusted certification has been independently tested to verify that the controls are in place, functioning as designed and operating effectively, and has been attested to by a certifying body. The CSP has responsibility for attaining the trusted certification status, while the CSC reviews and understands the scope and relevance of the certification on the consumed service.
Using the EY Cloud Trust Model as a foundation, organizations can create a cloud trust life cycle framework through which they can build and implement a trusted cloud ecosystem.
This framework will:
- Assess and monitor by evaluating the organization’s current risk profile and then developing a plan to address key areas of exposure
- Improve and enhance by executing remediation activities that support the plan
- Certify and comply by obtaining third-party assurance that the organization’s cloud ecosystem is secure, trusted and audit-ready
Those in charge of IT departments should view cloud services as another tool in their toolbox. By developing a cloud trust model, IT professionals can turn fear of the cloud into an opportunity to address increasingly complex security and privacy challenges.
Organizations that remain skeptical of cloud computing and its competitive advantages risk falling behind their competitors. Those that have embraced a cloud-first approach that manages risks through the EY Cloud Trust Model are benefiting from the efficiencies, cost savings and additional capabilities that cloud brings.
It is time for every organization to embrace a cloud-first perspective or endure the strategic and financial risks that accompany a do-nothing approach.
For more details about creating confidence in your cloud ecosystem, including details about each of the six cloud control domains, download the full report.