Hybrid strategies common as organizations strive for cloud GRC

By Christine Parizo, contributing writer, SearchCompliance – TechTarget | May 14, 2014

Businesses large and small have moved significant chunks of their operations into the cloud, enticed by its flexibility and easy access. But the cloud also opens up businesses to data security and compliance vulnerabilities.

Letting governance, risk management and compliance (GRC) fall by the wayside isn’t an option for any company. Protocols must be implemented to safeguard data and ensure compliance, as well as to vet vendors well in advance of engagement.

Unfortunately, no common framework exists for cloud GRC. Data monitoring and data regulatory management professionals are seeing a slew of new requirements coming down the pipeline and need to be prepared, according to Evelyn de Souza, co-chair of the Cloud Controls Matrix Working Group.

One option that may serve as a starting point for organizations is the Cloud Security Alliance’s (CSA) GRC Stack. The GRC Stack is a set of four tools that help identify controls needed for cloud services providers as well as standardize the way organizations stay abreast of regulations, according to de Souza.

In particular, the Cloud Controls Matrix takes multiple frameworks and regulations and cross-matches them to a common framework. The Matrix is designed to address key areas of vulnerability in mobile security, mobile interfaces, application development and supply chain management, she said.

While best practices for managing GRC in the cloud depend on the industry and specific deployment models, most organizations turn to hybrid models to quickly reap cloud benefits. In that case, de Souza advises a brokerage model to track deployment and mitigate risk.

“Quite often, the business moved ahead [into the cloud] without IT,” she said. “It’s much [easier] to deploy a brokerage model with a standard profile that an organization can use … to ensure that cloud instances, whether public or private, can be better tracked.”

Know your cloud provider

Vetting providers is critical to maintaining cloud GRC. The CSA offers a Security, Trust and Assurance Registry (STAR) that lists providers and their security ratings as derived from the Cloud Controls Matrix.

“It’s a really good way for organizations, as they’re looking to move to a new cloud provider, to not have to start from scratch with research but take advantage of public knowledge,” de Souza said.

Assessing providers and their cloud security protocols varies by industry, but one common thread is to know what those requirements are and prepare a third-party risk management program accordingly, according to Jeff VanSickel, security and compliance practice lead at Sudbury, Massachusetts-based consultancy SystemExperts Corp. For example, in the healthcare world, third-party risk management goes by the “business associate oversight” moniker.

“It goes by a number of different names, but you want to put together a set of security requirements based on the services you’re going to get,” he said.


When evaluating cloud providers, asking the right questions can help organizations weed out those that aren’t able to meet their compliance and security requirements. Shriram Natarajan, vice president of technology consulting and cloud computing at Persistent Systems, offered the following questions to ask about products or services during the vetting process:

  • Does it have the ability to encrypt data at rest and in transit?
  • Does it have the ability to pull audit information via logs?
  • Does it include role-based access control?
  • Does it have the ability to map roles according to enterprise hierarchy, or a facsimile of the enterprise organizational structure?
  • Can it authenticate against a central system-of-record based on user roles and assignments?
  • Can it integrate with existing command-and-control systems?
  • Can it back up data off the cloud?
  • Does it have built-in disaster recovery capabilities?

Banks, for example, are required by the Gramm-Leach-Bliley Act to have well-rounded third-party risk management, according to VanSickel. This includes initial due diligence on the third party’s history, then extensive research on the security controls and services provided by the company, he said.

Additionally, the organization procuring cloud services will need audit capabilities. Health Insurance Portability and Accountability Act and Payment Card Industry customers need to recertify yearly to ensure they are still complying with regulations, and the cloud provider should be able to meet these requirements. “As the end customer, shouldn’t you be provided with something to demonstrate that the company still meets all of your requirements?” VanSickel asked. That means defining who will be responsible for audits: the organization, the cloud provider or even a third party.

“It’s important to understand and document the data flow,” said Kunwarjeet Panesar, principal architect and head of the GRC practice at global software development and technology firm Persistent Systems. That includes not only data ownership and auditability, but cloud and storage configuration as well. Anything not documented or not included in the contract doesn’t exist, and organizations that want to maintain GRC can’t use a contract template. A customized contract is a must to ensure their needs are met, he added.

Another approach to GRC is using the Plan, Do, Check, Act (PDCA) cycle, also known as the Deming Cycle, for cloud security and compliance management, according to Panesar. The Plan phase addresses the scope of security and compliance requirements, including regulatory and business requirement evaluations, and designing deployment accordingly.

The Do phase puts security and risk management into place by defining the security controls and risk management framework, Panesar said. This includes choosing encryption, security token, identity and access management and identity management options, as well as controls to detect and prevent intrusion, such as security incident and event management and data leak protection products.

In the Check phase, organizations define auditing objectives, while in the Act phase they mitigate vulnerabilities, Panesar said. This not only includes audits, but also continuous monitoring and security improvements.

Ultimately, mitigating risk is an ongoing process, and ensuring cloud GRC requires constant vigilance. As the threat landscape shifts along with regulatory requirements, choosing the right provider and staying abreast of operations will keep data secure and compliant.

About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.