Scalable cloud governance, risk management and compliance

Cloud consumers are primarily worried about security. If you are a cloud provider or cloud broker, learn how to improve your trustworthiness to your customers efficiently and scalably by integrating governance, risk management and compliance.

  1. Scalable compliance in the eyes of the customer
     A brief roadmap for cloud providers and cloud brokers
     Peter HJ van Eijk & Michiel Steltman
     We help IT businesses to quickly become successful cloud providers
  2. Trust is the number one obstacle for cloud users
     "The key factor for overcoming the present inhibitors will be to gain [cloud] users' trust on security and compliance" (Deloitte 2009)

     Cloud providers' commercial tactics   | Why these tactics don't work
     --------------------------------------|------------------------------------------------------------------------------------------
     References and "Branding"             | Cloud consumers want proof, if only because regulations and accountability force them to
     Price erosion                         | Leads to a 'race to the bottom'
     React on customer inquiry             | Reacting takes time and effort
     One-off and customer-specific audits  | Not repeatable, not scalable
  3. The business case for repeatable and 'continuous audit'
     • Cloud consumers want to base their provider selection on a priori verifiable compliance
     • Can the provider afford to have a separate audit for every proposal or customer?
     • The cloud consumer itself has to deal with more frequent audit obligations
     • Demonstrating compliance has to be repeatable and scalable
     • Successful cloud providers enable the consumers' GRC processes
  4. The future of Cloud Governance, Risk management and Compliance
     • Collaborative effort between provider and consumer
     • Continuous audit
     • As automated as possible
     • Integrated GRC: risk management in the widest sense of the word drives governance
       – Compliance is a collateral benefit
       – Maturity level of organization rises
  5. How does professional risk management work?
     • Risk based: professional risk management prioritizes the most important risks
       – No superfluous or useless measures and controls
     • Professional risk management incorporates audit and compliance obligations
       – Anchor in operational process, instead of running a troublesome project for each audit
     • Professional risk management is repeatable and scalable
       – Champagne? Really? Did you expect the audit to be a one time effort?
  6. Integrated governance, risk management and compliance: the big picture
     (diagram; elements shown on the slide)
     • High level risk, scope and value assessment
     • Assets and value proposition at risk
     • Legal and compliance obligations
     • Risk mitigation plan
     • Security and control testing and review
     • Execution in operation
     • Continuous reports
     • Pick framework
  7. Example risks

     Threat                                                           | Consequence/Risk                | Control/measure
     -----------------------------------------------------------------|---------------------------------|--------------------------------------------------------
     Disk full                                                        | Denial of service (to customer) | Measure/monitor (implying a defined incident response)
     Server saturated                                                 | Denial of service (to customer) | Measure/monitor (implying a defined incident response)
     No audit report available                                        | Loss of prospective customer    | Perform regular audits
     Compliance: lack of a 'control'                                  | Loss of compliance              | Implement control
     Capacity shortage for SLA                                        | Denial of service (to customer) | Set up capacity planning
     Monitoring system fails                                          | Loss of visibility              | Make monitoring system redundant
     No DR (disaster recovery) planned                                | Loss of compliance              | Adapt architecture
     No Auditing, Monitoring and Alerting                             | Loss of visibility              | Set up LMR system
     All private cloud vulnerabilities as per industry best practice  | …                               | …
  8. Cloud compliance in real-time
     CCM (Cloud Control Matrix), CAIQ (Consensus Assessments Initiative Questionnaire), Cloud Audit and CTP (Cloud Trust Protocol) are products maintained by CSA (Cloud Security Alliance).

     GRC stack component | Example element
     --------------------|--------------------------------------------------------------------------------------------------------------------------------------
     CCM                 | CO-02: Independent reviews and assessments shall be performed at least annually […]
     CAIQ                | CO-02.3: Do you conduct regular application penetration tests of your cloud infrastructure as prescribed by industry best practices and guidance?
     Cloud Audit         | http://mycloudprovider.com/cloudaudit/org/cloudsecurityalliance/guidance/CO-02
     CTP                 | "It is 11 pm, do you know in which geography your virtual machines are running?"
  9. Want to know more?
     Do you want to know more about effective and efficient risk management and compliance in the cloud?
     Join our webinar "Cloud Computing under control": "Control the risks in your cloud proposition and transform them into benefits for customers"
     Register at: www.CloudComputingUnderControl.com
     If you liked this roadmap, please forward it to a colleague or friend!
