This is the first article in a two-part series about cloud computing. In October, look for part two, which will explore cloud governance — how organizations manage existing and future cloud initiatives.
Cloud computing is no longer considered an emerging technology. It’s here to stay. Organizations have reaped numerous benefits from using it. Conversely, IT executives who haven’t embraced the cloud have likely seen increased shadow IT and a loss of influence within the organization.
Once they embrace the cloud, IT executives must aim to build a secure, trusted and audit-ready cloud environment.
Catching a STAR
To achieve a STAR environment, organizations must ensure their environment has the appropriate controls to protect the confidentiality, availability and integrity of the systems and data that reside in the cloud. Appropriate procedural and technical protections must also be in place to protect data at rest, in transit and in use.
Also critical is establishing a cloud environment trusted to stand the test of time.
It should provide high availability and resilience to adverse events. Further, an audit-ready cloud environment should have continuous compliance and be certified to meet specific industry regulations and legislation.
Appropriate procedural and technical protection should be in place, documented and able to be verified for compliance purposes.
The following six domains contain controls and procedures required to support a STAR environment. The approach can be flexible and should accommodate different cloud deployment models:
- Organization. Organizations need to document roles and responsibilities associated with the use of cloud, have a clearly understood scope of services acceptable to operate in the cloud and train employees regularly on these guidelines.
- Technology. IT functions should design applications according to industry security standards, encrypt the data and implement role-based access and identity management solutions. While no specific choice can anticipate every change in technology, cloud design should assume that change will come and be architected accordingly.
- Data. IT functions need to classify and inventory data, assign data owners and securely purge data no longer required. Cloud design must encompass the life cycle of data, and must address each potential risk and vulnerability point in the data supply chain.
- Operations. Business continuity management and resiliency program policies and procedures should include periodic review and testing. Additionally, policies and procedures for BCM, change management and data center security should be documented to formalize roles and responsibilities.
- Audit and compliance. Organizations should plan and execute audits in a way that minimizes business interruption. For maximum assurance, organizations should consider engaging a third party to perform the audit and certify the environment.
- Governance. There are many cloud options from which organizations may choose. Regardless of the deployment path organizations pursue, governance processes should be scalable, repeatable, measurable, defensible and constantly improving.
By creating a framework centered on these cloud control domains, organizations can create a cloud services environment that is secure, trusted and audit-ready.
The views expressed herein are those of the author and do not necessarily reflect the views of EY.
JOHN DISTEFANO is advisory principal, leader Central Region Advisory practice for EY. Distefano is the co-author of “Wireless Enterprise Architecture,” published by Wiley & Sons.