No, The Cloud Isn't Secure: Here's Why Cloud Governance Matters

A cloud governance strategy is required to develop a joined-up understanding of the company’s cloud footprint and the cloud security tools needed to cover the gaps between the various data services. Explaining this to the business effectively will increase understanding and the likelihood of support for strong governance. Here are four core messages CIOs need to drive home:

• Every cloud service provides varying levels of security
• Traditional tools like firewalls and malware protect user devices, not the cloud
• Each new cloud service increases risk to the business
• Cloud makes business operations smoother, but unmanaged cloud can be a disaster

Drive home those messages as part of a cloud governance promotional campaign (along with some useful statistics on the cost of poor cloud adoption and governance) and support will be forthcoming. 

What is cloud governance?

Any growing company sees various departments and teams clamoring to adopt cloud services to deliver the tools they need to operate efficiently. However, ad hoc adoption creates business and security risks. By formalizing and structuring how cloud services are adopted across the business, from storage to compute, applications and services and new trends like microservices and containers, the risks can be limited and interoperability can be ensured.

Cloud governance creates the controls to manage the growth of cloud services across the business and formulates a list of questions that need to be answered before a cloud service is adopted.

• Where is the data stored?
• Can it be kept on foreign servers?
• How is it encrypted in transit?
• Is your cloud service compatible with our current services?
• How do we enable additional security tools?

By defining cloud service rules, access and security best practices, a company can limit risk and ensure growth is sustained. There are plenty of examples of strong cloud governance plans published for CISOs and CIOs to refer to. Training for IT teams like Microsoft’s Azure Architect Technologies or from other providers help understand how to deliver “advice for stakeholders and translating business requirements into secure, scalable, and reliable cloud solutions.”

The benefits of a strong cloud governance include:

• Making it simpler for a company to manage its cloud footprint, ensuring data can move between applications, is protected, secure and encrypted as it moves between services and users
• Reduces the risk of shadow IT where teams adopt their own services that create security risks and could promote data silos, data breaches and inconsistent data across the business
• Ensures budget management and reduces the effort required for IT to manage cloud resources

The key benefits of a cloud governance framework

As more firms work remotely, the cloud provides great flexibility, whether used as a private, hybrid, public or multi-cloud. As far as workers and teams are concerned, they want an application or service that makes their job easier when it comes to productivity, sharing data and collaborating.

But uncontrolled adoption creates security risks. Adopting external services means the business can easily lose oversight of costs and can adopt overlapping or even competing applications. This creates compliance risks when it comes to protecting data, and there’s also the growing risk of data loss through internal and external threats.

Cloud governance strategies help define which teams and workers have access to specific services. It helps identify all the cloud services in use, which are most valuable, which are cost drains or insufficient to meet business needs and which might be worth more investment.

This approach helps protect data and ensures that when people leave or move, their access is changed to maintain integrity. It also highlights the issues to business leaders, making them aware that there are risks to cloud adoption that need to be managed.

Linking compliance guidelines to each service ensures that product/service owners understand their obligations under GDPR and other data regimes to protect that data and ensure it’s suitably managed at all times. Regular audits are essential to ensure the business remains compliant, and can limit the damage should there ever be a data breach.

As mentioned, shadow IT is a growing risk. With strong governance and use of cloud management tools, CISOs and IT can block requests to adopt services that can damage the business. Cloud management tools can identify if any shadow IT services are being used, and help bring them under control.

With cloud services come dashboards to monitor user levels, activity and security. Governance schemes can ensure clear visibility for the business, providing clarity and identifying where value can be improved.

A governance map of all cloud services can also identify where security gaps exist that can be covered through cloud access security brokers (CASBs), cloud security posture management (CSPM) and other tools.

Whatever version of the cloud your business uses, from simple services like Google Docs and Slack to powerhouses like Amazon AWS to Google or Azure, the risks are growing as data travels and more users have greater power. Through cloud governance, you can limit those risks and ensure the business remains in charge of its cloud footprint, rather than having to do some expensive catching up if the cloud rages out of control.

Further reading:

• Everything You Need to Know About Cloud Security
• The State of Cloud Security 2021 [Infographic]
• Cloud Tokenization vs. Cloud Encryption: What's the Difference?
• 5 Major Cloud Security Breaches and How to Boost Your Defenses Against Them