Making a secure transition to the cloud | KPMG | IE
close
Share with your friends
Making a secure transition to the cloud

Making a secure transition to the cloud

Making a secure transition to the cloud

As the world becomes more and more connected, organisations are increasingly adopting cloud-based services to meet their business needs. Cloud computing is a very clearly- defined computing model with essential characteristics such as pervasive, convenient, on-demand, measured, network access to a shared pool of configurable computing resources. It is a game-changing technology, which is driving – and will continue to drive – cost reduction and innovation across organisations.

Risks and concerns

While the potential benefits of cloud computing are compelling, the use of cloud computing services is driving new risks, security and privacy concerns, and opportunities that impact all elements of the business ecosystem. There is no doubt that organisations need a strategic, flexible and end-to-end security, risk and compliance capability to enable secure cloud transition and business cloud transformation.

Furthermore, regulators are becoming increasingly more interested in cloud computing. It is understood simply as a version of IT outsourcing and with that comes legal and regulatory requirements which must be monitored, reported and adhered to.

As part of cloud adoption and transformation, organisations must identify and prioritise threats and risks; then design, implement, and operate risk and cost-appropriate controls to address them. Legacy security, risk, control and compliance capabilities are not sufficient to address cloud risks. Organisations must evolve their security, risk, control and compliance capabilities to enable cloud transformation of the business and benefits realisation. It is good practice to ensure that an organisation’s cloud security capabilities address these key guiding principles: 

Business and stakeholder mindset

Legacy security mindsets won’t work. Security must operate with an agile business risk advisory mindset with understanding of cloud architecture and operations. Cloud is fundamentally changing all aspects of the digital business ecosystem. Security focused on technology will fail to deliver the required benefits; it must instead meet the current – and enable future – needs of a broad range of stakeholders.

Risk-focused

Security exists to reduce business risk. Cloud security must enable and provide solutions to understand and reduce risks to acceptable levels. Existing capabilities are often insufficient to address new cloud security risks. A continuous threat and risk management capability and secure operations capability should therefore be developed for current and planned cloud deployments.

Protect the cloud

Cloud security architecture and solutions should address security across multiple levels and use cases (infrastructure as a service, platform as a service and software as a service).

Cyber and privacy compliance

Cloud security capabilities should be implemented and operated to demonstrate and enforce cyber and privacy compliance to appropriate frameworks and regulations. Cloud adoption and transformation will likely mean expanding the use of third-party suppliers and collecting, storing and transacting user data across geographic and political boundaries. Organisations are responsible for ensuring compliance and protection of user data across the global landscape. The cloud security strategy must include a process whereby the organisation will achieve and maintain compliance to privacy laws, principles and regulations. 

Agile, on-demand and seamless

While security fundamentals still apply, the security technology, process, people and delivery models must adapt to enable cloud adoption and operations.

Invest smart

Legacy investments are not enough. Agile, application programming interface (API) driven and purpose-built solutions for the cloud are required (security as a service, for example).

Security guidance

There are many industry-leading control frameworks that can be adapted to ensure organisations are managing the risks associated with cloud computing. Cloud security should align to common control domains, such as those addressed in leading control frameworks.

The Central Bank of Ireland also released guidelines in September 2016, which deal with IT outsourcing risk (including cloud service providers) and these should not be ignored in the context of outsourcing to the cloud. In particular, organisations should note the requirement to complete adequate due diligence and the requirement to have appropriate contracts in place with cloud service providers. In addition, the European Banking Authority recently released a set of recommendations relating to the reporting and monitoring requirements for organisations that are outsourcing to the cloud. The principle of proportionality should be applied throughout the recommendations and the recommendations should be considered in a manner proportionate to the size, structure and operational environment of the organisation as well as the nature, scale and complexity of its activities.

The recommendations include guidance on the security of the data and systems used. They also address the treatment of data and data processing locations in the context of cloud outsourcing. Organisations should adopt a risk-based approach in this respect and implement adequate controls and measures, such as the use of encryption technologies for data in transit, data in memory and data at rest.

Regulatory interest

It is clear that regulators are interested in the growing utilisation of cloud environments. Regulators are not averse to cloud computing, but their new and increasing focus on the area of outsourcing means organisations must ensure that they manage the risks associated with cloud computing to address regulators’ expectations. Table 1 summarises some of the areas of focus and regulator expectations. All areas should be included in the scoping phase and those most relevant to your cloud journey should be selected for assessment.

Conclusion

To summarise, transitioning securely to the cloud is not a piecemeal, one-time endeavor. Organisations need to adapt a strategic, flexible and well-planned approach to enable cost-effective adoption of multi-cloud environments and business cloud transformation. Organisations need to ensure that the adaptation of a cloud environment is beneficial for them from a long-term strategic perspective. Now, more than ever, it is crucial for organisations to have a fully-aligned business and IT strategy in place to drive the business forward in a fast-changing technological world.

Table 1: Areas of regulatory focus

Area Expectation
Cloud security, governance, risk & compliance (GRC)

  • Identify regulatory, privacy and security requirements associated with the particular cloud outsourcing arrangement including the business process being supported.
  • Implement a cloud governance and security framework including the documentation of policies and procedures where appropriate.
Cloud strategy
  • Define and document a cloud strategy ensuring overall business and IT strategy alignment.
  • Complete cloud service provider selection and sourcing due diligence procedures in line with organisation procurement and sourcing policies and procedures.
Cloud architecture and integration
  • Define system performance and interface requirements as defined
    by the relevant end user.               
  • Define cloud integration strategy.
  • Understand and define application structure and placement.
Cloud migration
  • In order to move services to the selected cloud provider smoothly, ensure there is a clearly defined migration plan and program governance in place to include people and process change management.
Running cloud IT
  • Ensure adequate contracts in place with documented and defined exit strategies.           
  • Carry out regular performance assessments against defined key performance indicators to ensure the cloud service is providing adequate services as well as value for money. Ensure the right to audit clauses are executed on a regular basis.

This article originally appeared in the February 2018 edition of Accountancy Ireland and is reproduced here with their kind permission.