Governance is always a tricky conversation: it is difficult to implement and usually even more complex to monitor. This holds true whether you run your computing in the cloud or on premises, although the former does have a few extra caveats to take into account.
My personal view has always been that anything in IT is similar to a puzzle. Each system (puzzle) is built from a set of components (pieces), and to build the puzzle well, one at least needs to know how many pieces there are and how they fit together. Governance is one of these systems, and it usually forms a corner piece of every other system. So let's start off this series with a high-level view of how governance is implemented, and the crucial factors driving it.
Taking a 10,000-foot view of governance
When we take a high-level look at what governance looks like on premises and in the cloud, we can categorize the activities as depicted below.
Keeping in mind that we are still looking at this scenario from a high-level overview, let's review the points common to the two models.
External requirements placed on a company could be either standards like those of the International Standards Organization (ISO), or regulatory requirements like the Payment Card Industry (PCI) standard and Service Organization Control 2 (SOC 2). Other requirements that fit into this category are laws like HIPAA (for the US) and GDPR (for Europe). This gets very complicated in a multinational, as there is no one-size-fits-all approach. The items mentioned are but a drop in the ocean of compliance; falling out of compliance can result in hefty fines and a breakdown of client trust, and could result in companies closing their doors.
Risk management is about identifying which risks the company is exposed to, which ones have to be mitigated (high risk), and which ones receive a lower priority. In an ideal world, companies would mitigate all risk, but this is just not feasible on a cost-to-benefit basis. All of these should be noted in the risk register.
Policy & Compliance
This step translates the company policy and the external requirements into controls that are implemented. At this point I am sure you can tie it back to your own experience: database encryption, transport encryption, physical security, logical security, etc. These are the policies put in place to mitigate risk. The compliance aspect comes into play when we need to report on, and measure the effectiveness of, our policies.
What makes the cloud different?
To a large extent, not much. However, all it takes is one misconfigured setting for a significant data breach to occur: a storage account marked as public instead of private, complete public access to a SQL Azure Database, unencrypted VHDs, etc. Sure, this can happen on premises as well, but it is simply easier for a mistake like this to happen in the cloud, and this is why good governance is important.
Listed below are some resources that are very helpful, whether you have already transitioned workloads to Azure or are looking to start doing so.
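As an added illustration (not code from the original post), here is a small Python check that audits storage account records, in the shape Azure Resource Manager returns them, against policy-style rules for the public-access and transport-encryption settings mentioned above. The sample accounts, the control ids and the rule set are constructed for this example; the property names (`allowBlobPublicAccess`, `supportsHttpsTrafficOnly`, `minimumTlsVersion`) are the real ARM properties.

```python
import json

# Constructed sample of storage account resources, trimmed to the ARM
# properties this check looks at (shape as returned by `az storage account list`).
SAMPLE_STORAGE_ACCOUNTS = json.loads("""
[
  {"name": "stprodlogs01", "properties": {"allowBlobPublicAccess": false,
   "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"}},
  {"name": "stmarketingweb", "properties": {"allowBlobPublicAccess": true,
   "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"}},
  {"name": "stlegacybackup", "properties": {"supportsHttpsTrafficOnly": false,
   "minimumTlsVersion": "TLS1_0"}}
]
""")

# Each rule mirrors an Azure Policy "audit" effect: (control id, description, predicate).
# Control ids are hypothetical. A missing property fails the rule (fail closed):
# an account whose record does not carry the setting cannot be shown compliant.
RULES = [
    ("GOV-ST-01", "anonymous blob access must be disabled",
     lambda p: p.get("allowBlobPublicAccess") is False),
    ("GOV-ST-02", "transport encryption (HTTPS only) must be enforced",
     lambda p: p.get("supportsHttpsTrafficOnly") is True),
    ("GOV-ST-03", "minimum TLS version must be 1.2",
     lambda p: p.get("minimumTlsVersion") == "TLS1_2"),
]


def audit(accounts, rules=RULES):
    """Return {account name: [control ids the account is non-compliant with]}."""
    findings = {}
    for acct in accounts:
        props = acct.get("properties", {})
        failed = [cid for cid, _desc, ok in rules if not ok(props)]
        if failed:
            findings[acct["name"]] = failed
    return findings


def compliance_ratio(accounts, rules=RULES):
    """Share of accounts passing every rule: the figure a compliance report carries."""
    if not accounts:
        return 1.0
    return 1 - len(audit(accounts, rules)) / len(accounts)


if __name__ == "__main__":
    for name, failed in audit(SAMPLE_STORAGE_ACCOUNTS).items():
        print(f"{name}: non-compliant with {', '.join(failed)}")
    print(f"compliance: {compliance_ratio(SAMPLE_STORAGE_ACCOUNTS):.0%}")
```

Feeding the output of `az storage account list` into `audit` gives the same report for a real subscription; the rule list is where the company's policy controls get encoded.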
- Cloud Security Alliance
- The Cloud Security Alliance is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
- Their Cloud Controls Matrix provides a set of controls and maps them to a multitude of standards and regulations, which helps scope what a multinational might need to be compliant with. It is quite useful from a measuring perspective, and for facilitating the right conversations with your business partners.
- Cloud Adoption Framework (Azure)
- Microsoft's approach to cloud adoption. Insightful, and once again, it facilitates the conversation with your business partners.
What is next?
Hopefully this has served as a good introduction to governance and some of the business pressures behind it. As we progress through this series, we will break down the components of cloud governance and how we can use Azure functionality to apply policy and comply with it.