
GRC regulations force cloud services providers and customers to adapt

As governance, risk and compliance regulations continue to expand, cloud services providers and customers must be willing to adapt their data management and security processes.

The proliferation of cloud use in the corporate setting has coincided with an increased focus on compliance regulations, hands-on data governance and risk management. Governance, risk and compliance (GRC) strategy is increasingly important to bottom-line success, forcing cloud services providers to adapt.

As the market has matured, cloud services providers have worked to improve the services and tools they offer in response to regulatory and risk concerns, said Steve Durbin, global vice president of the Information Security Forum. That maturation has also led organizations to examine closely how cloud services affect their own data management mandates, especially from a GRC standpoint.


"With increased legislation around data privacy, the rising threat of cybertheft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing," Durbin said.

Compliance regulations, for example, often have very specific requirements for what data needs to be stored, and where. Emerging privacy rules require certain data management processes. And of course, rapidly advancing cyberthreats from a variety of sources require cutting-edge information security tools.

As a result, cloud services providers are taking steps to ensure their services coincide with customers' -- and potential customers' -- unique GRC needs. This includes reassuring customers about their providers' data center security, or that the stored information is encrypted.

A big change among cloud services providers in recent years: simply being more open about data management and processes, said Jon Ringler, senior director of data center operations at FTI Technology LLC, a global business advisory firm.

"Cloud service providers are becoming increasingly transparent to their end users, and are quick to share their controls and measures with them," Ringler said.

Still room for cloud service GRC improvement

Although cloud services providers are getting better at ensuring compliance and alleviating risk, there is definitely still room for improvement. As cloud providers' ability to provide access and resources continues to expand, the risks associated with their services will increase exponentially, Ringler said.

"As the amount of cloud service provider data breaches, security incidents and news headlines continues to grow in number, scope and costs, the need for security and compliance is placed at the forefront of cloud service provider executive management," he said.

New privacy-related rules and regulations are another major concern. Organizations are now not only expected to protect their data, but that of their customers -- particularly when it is shared with third parties.

Durbin suggests that, when organizations are deciding on a cloud services provider or tool, they should conduct an information risk assessment to ensure the provider is equipped to adhere to privacy issues.

"Otherwise, the persistent pressure to adopt cloud services will increase the risk that an organization will not comply with privacy regulations," Durbin said.

As new threat vectors evolve and security tools mature, cloud customers must conduct regular reevaluation of cloud services, and update policies and procedures accordingly, to maintain GRC posture. "Improvements can be made and are being made, because what was compliant today is out of compliance tomorrow," Ringler said.

Risk management is the utmost concern. For every advance in technology, there should be similar improvements among service providers to offer tools allowing for more effective risk alleviation in the cloud environment.


"Organizations need to ensure that they have the highest possible degrees of resilience in place to manage their cloud-based services and to deal with any loss or breach that may arise, either on their side or at the service provider end," Durbin said.

One obstacle to achieving cloud GRC: cloud services are still at a relatively early stage of maturity, said Paul Burns, president at Neovise LLC.

"Many Infrastructure as a Service providers, for instance, don't provide a lot of options for their customers," Burns said. "They may get to control some firewall rules but don't get access to all the security logs that show what types of attacks they have faced."

Cloud customers are becoming increasingly demanding when it comes to security, and the future of service providers will depend on delivering secure, reliable services, Burns said. It does help that cloud services providers are now often measured against the same regulatory standards that their customers are.

"Decisions must be made depending on the types of data and applications you need to protect," Burns said. "At a minimum, you want to look at how access and identity assurance are provided."

Of course, the responsibility for security and compliance doesn't rest solely with the cloud provider. Rather than simply questioning the provider's GRC priorities, the organization itself remains responsible for ensuring that its corporate security and compliance requirements are met for any data it shares with that provider, Durbin said.

"The answer to that will vary from organization to organization, industry to industry, but it is a challenge that needs to be adequately addressed for anyone considering or using cloud service providers," Durbin said.

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
