Changing The Cloud Security Conversation
A Risk Management-Focused Approach
Chris Rezek, Consultant
McKinsey & Company
Cloud computing is being rapidly adopted by enterprise IT, but concerns about trust are still inhibiting the rate of that adoption, particularly for financial services and public cloud.
To enable prudent cloud adoption, enterprises should expand their scope beyond technology-focused security questions to include key risk management issues, such as transparency, governance, and compliance.
Bank executives should ask themselves four questions: How much value do we leave on the table if we do not adopt cloud? How pervasive is unofficial cloud adoption already, across the organization? What concentration risks do we create or avoid through managing distribution of data? Can we achieve cloud scale with in-house demand alone (i.e., private cloud)?
They should also ask vendors four questions: What level of transparency and control will the provider deliver? What third-party inspections and certifications are available? How will our compliance requirements be met for each jurisdiction? What level of access to physical and logical systems do we retain?
Instead of making binary, enterprise-wide decisions about cloud, organizations should understand and balance the benefits and risks of available cloud offerings. Adoption decisions should be structured around individual workloads and data and avoid enterprise-wide blanket cloud bans.
Banks should reduce legal exposure through a prudent contracting approach, while at the same time recognizing that the legal environment is still novel and carries unavoidable uncertainty. Key contract elements include the right to audit, the right to transparency and reporting, coverage of compliance requirements, and visibility into and consideration of the full supply chain (i.e., the cloud provider's own service providers).
Cloud can deliver new benefits, along with new risks. Cloud solutions can improve transparency, simplify log and event management, and enable more centralized planning. A business- and risk management-focused approach can enable banks to take advantage of efficient, flexible cloud solutions while still protecting data and delivering security.