When considering what policies to implement for cloud governance, risk and compliance have to be finely balanced. If you focus on eliminating every risk to ensure regulatory compliance, you may end up impacting performance. It’s a thin line though… become too relaxed and you’ll likely end up failing a compliance audit.
One of the key stages of cloud governance is the development of a risk management strategy. To develop a risk management strategy, you first have to identify the risks to your cloud environment—either via a risk assessment or penetration test—and work out what risks you’re prepared to accept in order to avoid impacting performance by securing your cloud environment too rigidly.
Your appetite for risk will likely be influenced by the nature of your business and the consequences of failing to adequately secure your cloud environment. Potential consequences could include financial losses, legal action, reputational damage, and operational disruption while an investigation takes place to identify the source of the security failure.
If your business operates in an industry such as healthcare, legal, or finance, or collects, processes, or stores the data of EU citizens, it’ll be subject to regulations stipulating the minimum requirements for data protection. The financial consequences of non-compliance could be substantial in the event of a major data breach, but there could also be regulatory action if you fail a compliance audit.
Eliminating every risk is impractical and, in many circumstances, impossible. If you were, for example, to encrypt everything to ensure you complied with regulatory requirements regarding the protection of data, you’ll impact the performance of every data transmission and retrieval process. Furthermore, encryption is only as good as the policies implemented to secure encryption keys and login credentials.
We recommend you moderate your appetite for risk if your business operates in a regulated environment, even if it does impact performance. The option exists to address a loss of performance by provisioning assets with more powerful capabilities to compensate for the slower data transmission and retrieval processes, but that will result in an increase in costs.
When you already have the task of balancing risk and compliance, performing another balancing act may seem like too much—but it’s achievable with the right solution at your disposal. A cloud management platform such as CloudHealth is an ideal solution for balancing performance and cost because it enables you to input “what if” scenarios and analyze potential consequences.
If you intended to encrypt storage buckets tagged “PII” (advisable under any circumstances), CloudHealth would be able to calculate the performance and cost consequences as well as determine what encryption would mean to your security profile. If the consequences are acceptable, you can apply a policy to the CloudHealth platform to monitor your cloud environment and automatically encrypt any storage buckets tagged “PII”, saving you time and eliminating potential human error.
The “what if” capability can be valuable in many security use cases from developing your risk management strategy to adjusting the strategy as compliance requirements change. It can also be valuable in forecasting budgets for future projects, setting realistic expectations for the success of a future project, and adjusting operations as projects get underway and encounter unforeseen obstacles.