Migrating to the cloud requires a change of mindset for compliance and audit

The most significant challenge for regulated customers migrating to the cloud is admitting they need to do things differently

John McDonald
A Cloud Guru
4 min read · Sep 13, 2018


As more enterprise customers migrate to the cloud, there are a number of focus areas required to ensure a successful migration strategy — especially for regulated industries.

While many organizations tend to focus on the economics or security of cloud adoption — it’s critical to understand the entire Governance, Risk and Compliance (GRC) framework for a more holistic approach to well-managed migrations.

Failure to include the critical areas of a broader GRC framework as part of your initial plans will create a much slower migration path, and you’ll regret the missed opportunities to build GRC capabilities directly into your technical designs from the beginning of your program.

The most significant challenge for any customer is to admit that they need to do things differently. No matter how well managed you are outside of a cloud environment — the people, process and technology affected by your migration require an objective review of your current controls.

Risk Frameworks for Cloud Adoption

There are a number of risk frameworks available that provide guidance on cloud adoption, but none of them offer a truly comprehensive risk assessment of each service provider nor the risks for individual services.

While no framework is perfect, there is general guidance on a 3-step risk evaluation process that organizations should follow:

Figure: Common Cloud Risk Evaluation Process

The NIST Risk Management Framework, SP 800-37, Rev. 1, also provides a good place to start for evaluating your overall approach to cloud adoption. The NIST framework recognizes the need to assess the risk management approach of your cloud service providers (CSPs) — as well as your own.

Evaluating Risks
There are two components of evaluating risks with your GRC program:

  1. “Of The Cloud” is specific to what your CSP does to manage their responsibilities in running the underlying infrastructure and services.
  2. “In The Cloud” consists of all the controls that a company must implement to appropriately manage their cloud resources and applications.

It is critical that both areas be evaluated as part of your holistic approach to documenting, evaluating and mitigating or accepting all relevant risk to cloud adoption.

During the evaluation process, there are common risks that enterprises encounter, which can be grouped into the following nine focus areas:

Figure: 9 Key Risk Evaluation Areas For Cloud Adoption

Continuous Compliance Team

Implementing a Continuous Compliance (CC) team for your cloud adoption program is the most effective and sustainable approach for enterprises to evaluate and manage the assessment of risks.

The team should include the people and processes needed to establish overall governance and ensure compliance, and it should know how to leverage the cloud platform's real-time logging and monitoring across all your resources.

Within your organization, it’s recommended for this team to align closely with your operations team and serve as a line of defense — facilitating the ongoing monitoring, remediation, audit preparation, and overall governance.

Your compliance team should work directly with your development and security organizations to ensure all of the committed controls are being followed — and the company is always ready to demonstrate compliance.

To provide visibility to your current state of compliance, it’s important this team also understands how to access and manage the available tooling that governs your overall cloud environment.

Continuous Compliance Tools

Continuous Compliance tools need to provide your organization a single source of truth for all cloud-based GRC data points — with real-time monitoring and remediation recommendations.

Continuous Compliance tools should enable:

  • Continuous monitoring of all IT compliance, corporate governance and regulatory compliance controls, both technical and non-technical.
  • A centralized source of Governance, Risk and Compliance (GRC) information for cloud environments.
  • Enterprise-level visibility of compliance via executive and operational dashboards.
  • Real-time alerting of control failures and recommendations for remediation.
  • The most up-to-date policies from regulatory organizations, ensuring compliance frameworks are updated upon release.
  • Continuous synchronization of new provider services, capabilities and application deployments with regulatory compliance frameworks.

A good cloud native Continuous Compliance tool will allow you to merge the controls of your CSP with the controls you directly manage — into a single representation of your entire cloud risk posture.

The best tools provide visualizations of the status of all control environments and allow individualized dashboards for specific lines of business, audit standards, and audit personnel — both internal and external.

Being able to demonstrate real time evidence of controls compliance across your entire cloud resource pool — at any time — to all internal and external stakeholders will enable faster and better managed cloud adoption at scale.
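To make the two ideas above concrete, the "Of The Cloud" / "In The Cloud" split from the Evaluating Risks section and the merged single-posture view a Continuous Compliance tool should produce, here is a small evaluator. It is an added example written for this page, not the article's code or any vendor's tool. Every resource record, control ID and provider attestation in it is constructed for illustration; a real tool would pull the inventory from the provider's APIs and take the inherited-control status from the provider's audit reports.

```python
"""Added example: a minimal continuous-compliance evaluator.

Illustrative code written for this page, not the article's or any vendor's
tooling. Resource records, control IDs and attestation values are constructed.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory: a snapshot of customer-managed ("In The Cloud") resources.
INVENTORY = [
    {"id": "bucket-a", "type": "object-storage", "public": False, "encrypted": True, "logging": True},
    {"id": "bucket-b", "type": "object-storage", "public": True, "encrypted": True, "logging": False},
    {"id": "db-1", "type": "database", "public": False, "encrypted": False, "logging": True},
]

# Constructed "Of The Cloud" attestations: what the provider reports it does for
# the underlying infrastructure. The customer records these; it cannot probe them.
PROVIDER_ATTESTATIONS = {
    "CSP-PHYS-1": ("Physical access to data centers is restricted", True),
    "CSP-HV-1": ("Hypervisor isolation between tenants is maintained", True),
}


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    applies_to: str                 # resource type the check targets, "*" for all
    check: Callable[[dict], bool]   # returns True when the resource passes
    remediation: str                # recommendation surfaced on failure


# Constructed "In The Cloud" controls: the customer's own responsibilities.
CUSTOMER_CONTROLS = [
    Control("CUST-STOR-1", "Object storage must not be publicly readable",
            "object-storage", lambda r: not r["public"],
            "Remove public access and restrict the bucket policy"),
    Control("CUST-ENC-1", "Data stores must be encrypted at rest",
            "*", lambda r: r["encrypted"],
            "Enable at-rest encryption with a managed key"),
    Control("CUST-LOG-1", "Access logging must be enabled",
            "*", lambda r: r["logging"],
            "Turn on access logging and forward logs to the central store"),
]


@dataclass(frozen=True)
class Finding:
    control_id: str
    scope: str          # "in-the-cloud" or "of-the-cloud"
    resource_id: str
    passed: bool
    remediation: str


def evaluate(inventory, controls, attestations):
    """Run every customer control against every applicable resource, then
    append the provider's attested controls, returning one merged list."""
    findings = []
    for control in controls:
        for resource in inventory:
            if control.applies_to not in ("*", resource["type"]):
                continue
            ok = control.check(resource)
            findings.append(Finding(control.control_id, "in-the-cloud",
                                    resource["id"], ok,
                                    "" if ok else control.remediation))
    for cid, (_description, attested) in attestations.items():
        findings.append(Finding(cid, "of-the-cloud", "provider", attested,
                                "" if attested else "Request updated provider audit evidence"))
    return findings


def posture(findings):
    """Summarize merged findings into one risk-posture view: pass/fail counts
    per scope plus an alert list carrying the remediation recommendation."""
    summary = {"in-the-cloud": {"pass": 0, "fail": 0},
               "of-the-cloud": {"pass": 0, "fail": 0},
               "alerts": []}
    for f in findings:
        summary[f.scope]["pass" if f.passed else "fail"] += 1
        if not f.passed:
            summary["alerts"].append({"control": f.control_id,
                                      "resource": f.resource_id,
                                      "remediation": f.remediation})
    return summary


if __name__ == "__main__":
    report = posture(evaluate(INVENTORY, CUSTOMER_CONTROLS, PROVIDER_ATTESTATIONS))
    for alert in report["alerts"]:
        print(f"[FAIL] {alert['control']} on {alert['resource']}: {alert['remediation']}")
    print({k: v for k, v in report.items() if k != "alerts"})
```

Running it on the constructed snapshot flags the public bucket, the unencrypted database and the bucket without logging as "In The Cloud" failures, while the two provider attestations land in the same report as passing "Of The Cloud" controls. In a real deployment the `evaluate` step would be re-run on every inventory change or on a schedule, which is what turns this from a point-in-time audit into the continuous monitoring the section describes.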

For enterprises that include these requirements as part of their initial cloud adoption and migration plans, a holistic approach to your assessment framework, team, and tools can result in massively reduced time, cost, and complexity of audit preparation.

John McDonald currently works at Amazon Web Services (AWS) guiding the financial services sector with their migration of sensitive workloads and regulated data into the cloud, and was previously the Head of Enterprise Cloud Program Governance & Risk Management at Capital One.


John advises companies large & small how best to move to the cloud, while meeting the gazillions (real number) of global regulations that affect their strategy.