5 Cloud Governance Best Practices
Effective Cloud Governance is essential for managing risk and ensuring security when adopting cloud. In this post, Cloud Consultant Sebastian Scherer identifies five best practices to keep in mind when you develop your Cloud Governance policy.
According to a recent report from data security company Lepide, the three most common causes of a data breach are insider threats due to misuse of privileged access; weak and stolen passwords; and unpatched applications. In other words, the most common security threats are often the fault of the organization itself.
As organizations adopt cloud, they must consider a systematic approach for managing the risks associated with cloud usage, commonly known as “cloud governance.” Cloud governance typically involves a set of rules an enterprise creates, monitors and amends as needed to govern a cloud deployment in order to control costs, improve efficiency and avoid known security risks.
Creating and enforcing governance policies is key to preventing security missteps. A strong governance policy is even more critical when a company operates in the cloud at scale. Without rethinking your governance processes, it is impossible to achieve the agility, speed and cost-saving benefits possible in the cloud. Here are five best practices to keep in mind as you develop a cloud governance policy.
- Align your cloud governance policy to your business objectives. For example, if you want to be agile, don’t implement an extremely rigid governance policy. If you’re a heavily regulated bank, your governance policy obviously needs to be tight. Keep your business objectives in mind as you develop your governance policy and find some common ground between a strong governance policy and the flexibility to innovate. In addition, you need to implement appropriate financial governance to track your cloud spend, allocate costs internally to the relevant business unit or application team, and avoid costly surprises. Cloud governance ideally falls between the strategy and implementation phases and is created in parallel with your technical solution design.
- Include strong access management. Strong access management means understanding who needs access to what and ensuring only those who truly need it can access sensitive data or applications. Rules and roles should also be clearly defined, so you know who has access to what and why. Providing everybody in your organization access to everything in the cloud is a recipe for disaster.
- Keep audit and compliance in mind. Cloud computing audits have become more common as people realize their data is more commonly hosted by third-party organizations. Cloud computing audits provide assurance and lower the risk of information being lost, hacked or accessed by unauthorized users. The best policy is to be prepared. Make sure your governance policy incorporates any external rules an outside organization or regulator might enforce on you and contains stipulations for how you will handle an audit should the need arise.
- Employ automation where it makes sense. Incorporating automated systems into your cloud governance framework can ensure violations of your policies are more easily caught. For example, if an employee attempts to deploy a new app that hasn’t been appropriately vetted, an automated system can alert the IT team to that action and stop the employee from continuing until the proper steps are taken.
- Customize your governance rules to match your data. That means taking a close look at what types of data you store, where you store it, and how you protect that data. Many enterprises have data that ranges from public information such as your last annual results to restricted data, like intellectual property or R&D information. Customize your governance policies, so your most valuable or sensitive data follows stricter governance rules than your public data.
Perhaps the most important advice, when it comes to cloud governance, is simply this: don’t skip it. Some fast-paced companies feel that a governance policy will simply slow them down and prevent them from innovating quickly. But once that company reaches a certain scale or needs to comply with external requirements or compliance regulations, the lack of a governance policy will ultimately cost them more time and money.
A better approach is to innovate and iterate using a protected, sandboxed environment and anonymous data. Then, as you move closer to production and the use of legitimate customer data that may be subject to regulation, tighten up your governance policies. This will enable you to innovate quickly without overt risk. Ultimately, success means finding a balance between innovating quickly and implementing strong governance policies that will protect your data, your customers, and your company.