By now, most companies understand the benefits of moving data and applications to the cloud, even if they haven't made the move yet. They're likely also aware of the concerns; for example, a 2020 McAfee study showed that external attacks on cloud accounts increased 630 percent in the first quarter of that year. These attacks have a direct impact on the business's end users, leading to customer data loss and customer identity theft. Cloud security failures that reach customers can cause reputational damage that takes a company years to recover from.
Companies can mitigate these security risks by implementing cloud security governance best practices across the enterprise. This allows them to take advantage of all the benefits of operating in the cloud while having the peace of mind that their company and customer data is secure.
What’s holding you back?
1. Lack of cloud roadmap or vision: Many institutions jump into the cloud without a dedicated strategy or plan, leading to a haphazard cloud infrastructure that is inefficient, costly, and, most importantly, insecure.
What you can do:
• Approach cloud adoption and operations based on defined business drivers, and create a specific, data-driven cloud adoption strategy that makes cloud security a priority throughout all stages of adoption and beyond
• Practice security from day 1 by making cloud security a central consideration in every technical and business-level strategic decision, and make sure that developers are included in those decisions
• Maintain a maturity mindset. As your business matures, your cloud security should mature along with it, becoming more sophisticated over time
2. Lack of centralized cloud governance leadership: Without cloud evangelism led by executive leadership, activities in the cloud occur in a vacuum with no accountability. Strong leadership support means establishing good governance, executing security audits, and addressing policy violations in a timely manner.
What you can do:
• Establish a Cloud Center of Excellence that includes cloud governance led by an accountable executive with institutional authority
• Expand the Center of Excellence by adding cloud subject matter experts who can be cloud evangelists across the enterprise, advancing the maturity goals
• Dedicate expert resources to the key aspects of cloud governance: risk management, issue management, security controls management, financial operations, project management support, and company-wide cloud training
3. Improper enterprise governance documentation: Many organizations do not maintain accurate or appropriate documentation of their enterprise IT governance: policies, standards, procedures, risks, and controls. These documentation gaps create audit blind spots and, eventually, lead to security breaches.
What you can do:
• Based on your cloud strategy goals, carefully document your company's policies, standards, procedures, IT risks, and security controls, drawing on industry best practices as well as NIST SP 800-53 and FedRAMP guidance
• Audit this documentation periodically to confirm that it reflects how controls are actually implemented and operated on the ground, and keep it up to date
4. Poor risk-to-control mapping: Controls that aren't aligned to an appropriately assessed IT risk leave vulnerabilities open to exploitation. Without proper risk-to-control mapping, technical capital is spent implementing security controls that don't actually mitigate any risk.
What you can do:
• Assess and score enterprise risks using the NIST risk assessment and Risk Management Framework guidance that FISMA requires (NIST SP 800-30 and SP 800-37)
• Map current security controls to their associated risks, and work with the control owners to determine whether the mapping is accurate and whether further control implementations are required to mitigate each specific risk
5. Ineffective control implementations: Some organizations have controls implemented but never tested for effectiveness, which creates an illusion of security. Control issues are not tracked to closure in a timely manner, so ineffective controls linger in the system un-remediated, leaving attack vectors wide open for exploitation.
What you can do:
• Set up a dedicated control monitoring and testing team that continuously tests the effectiveness of controls and reports issues to the control owners for resolution, with each issue tracked to closure
• Design, document, and implement security controls in collaboration with the company's developers, so that they are intimately involved in ensuring the security of the entire system from day 1
As you can see, the world of cloud governance can be complex, and establishing effective cloud governance can be even more difficult. Infinitive's team of cloud experts can help you understand the current state of your cloud security posture and work with you to build out a clear Cloud Maturity Roadmap, establish a Cloud Center of Excellence, and implement the standards, policies, procedures, risks, and controls that will take your enterprise cloud security to the level it deserves.