Whereas some businesses find developing a cloud security governance framework the hardest part of cloud security governance, other businesses encounter difficulty enforcing their frameworks. We discuss the best way to start developing a framework, what the framework should consist of, and how it should be enforced.
A cloud security governance framework is pivotal to the success of a business’s operations in the cloud; yet many businesses struggle with either developing a framework, incorporating the necessary elements into the framework, or enforcing the framework. Sometimes, this is due to businesses not fully understanding the objectives of cloud security governance, which we shall attempt to address first.
Governance could be defined as the ability to provide strategic direction, track performance, allocate resources, and make adjustments to ensure organizational objectives are met, without breaching the parameters of risk tolerance or compliance obligations. In the context of cloud security governance, this means having the policies in place to facilitate security best practices in the cloud.
However, developing policies to facilitate security best practices is not a standalone exercise. Security policies have to take into account other business objectives such as performance, cost optimization, and compliance. Therefore, the participation of every area of the business is essential—particularly at the executive level—so everybody has realistic expectations of what can be achieved in the cloud.
Creating a Cloud Center of Excellence
Bearing in mind that cloud security governance involves every area of the business, the best way to start developing a framework is to create a “Cloud Center of Excellence”—a team comprised of stakeholders representing each area of the business, responsible for developing a framework for all cloud operations, governing the IT infrastructure, and building out best practices throughout the business.
In some businesses, the Cloud Center of Excellence has been built around an existing DevOps team; but this is not necessarily the best approach. While cloud computing is generally “owned” by the IT department, there are stakeholders across the business that should be involved in the team (e.g. finance, procurement, etc.), as decisions made by the team will affect these stakeholders’ day-to-day operations.
With representation from all areas of the business, the team is in a better position to assess the current state of the business’s cloud presence. Even team members with little cloud experience will be able to contribute towards the creation of cloud governance policies to address such issues as shadow IT, the misuse of cloud services (whether deliberate or unintentional), and access management.
Developing a cloud security governance framework
Initially, the Cloud Center of Excellence should be fairly small in size with limited objectives. A mistake sometimes made by businesses is to set too broad a scope of objectives at the beginning of the process, which can result in a scenario known as “analysis paralysis” where nothing is achieved at all. The ideal Cloud Center of Excellence should start small and expand when appropriate.
With regard to developing a cloud security governance framework, the best way to approach this stage of the process is for the team to get a complete understanding of the business’s current operations in the cloud, identify the risks, and prioritize policies to address them. To understand the business’s operations, the team will need complete visibility of the business’s cloud activities in order to:
- Identify sensitive or regulated data
- See how data is being accessed and shared
- Detect “shadow” line-of-business IT
- Audit configurations for IaaS services
- Uncover malicious user behavior
Once the Cloud Center of Excellence can see where the biggest risks exist, they can create cloud security governance policies to address current risks and anticipated future risks. Notwithstanding other business objectives, the policies should address security issues such as data protection, encryption, access controls, and any other concerns that have been uncovered during the investigative stage.
Enforcing cloud security governance policies
As policies are developed, they need to be enforced. The enforcement of cloud security policies needs a combination of people, processes, and technology working together—the people being stakeholders and the executive level, the processes being the procedures for amending policies when necessary, and the technology being the mechanisms that monitor compliance with the policies.
Each one of these factors is equally important, yet some businesses still experience difficulties in enforcing their frameworks due to a lack of support from stakeholders and the executive level, a failure to plan ahead for amending policies when necessary, or the implementation of inadequate technologies for monitoring compliance with cloud security governance policies.
Whereas the first two issues are out of our control, CloudHealth is the ideal solution not only for monitoring compliance with cloud security governance policies but also for preventing users from operating outside policy parameters. CloudHealth uses a process called policy-driven automation to monitor and enforce cloud security governance policies: our cloud management platform is configured with business-specific policies, and when a policy is violated it triggers predefined actions in response.
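To make the policy-driven enforcement model concrete, the following is an added example (not CloudHealth’s code or its policy format) that encodes a few governance policies of the kind named above (encryption, access controls, unowned “shadow” resources, IaaS configuration audit) as checks, evaluates them against a constructed cloud inventory, and pairs each violation with the remediation action it should trigger. Resource names, attribute keys and actions are all constructed for illustration.

```python
"""Policy-driven compliance evaluation over a constructed cloud inventory."""
from dataclasses import dataclass
from typing import Callable

@dataclass
class Resource:
    rid: str      # resource identifier (constructed)
    kind: str     # e.g. "storage" or "vm"
    attrs: dict   # configuration attributes as discovered

@dataclass
class Policy:
    name: str
    applies_to: str                 # resource kind, or "*" for all kinds
    check: Callable[[Resource], bool]  # True when the resource complies
    action: str                     # remediation triggered on violation

# Constructed sample inventory, standing in for what a discovery tool reports.
INVENTORY = [
    Resource("bucket-finance", "storage", {"encrypted": True, "public": False, "owner": "finance"}),
    Resource("bucket-tmp", "storage", {"encrypted": False, "public": True, "owner": None}),
    Resource("vm-web-01", "vm", {"owner": "platform", "open_ports": [443]}),
    Resource("vm-test", "vm", {"owner": None, "open_ports": [22, 3389]}),
]

# Business-specific policies; each maps a check to the action it triggers.
POLICIES = [
    Policy("storage-encrypted", "storage", lambda r: r.attrs.get("encrypted") is True, "enable encryption at rest"),
    Policy("storage-not-public", "storage", lambda r: r.attrs.get("public") is False, "remove public access"),
    Policy("resource-has-owner", "*", lambda r: bool(r.attrs.get("owner")), "notify CCoE: possible shadow IT"),
    Policy("vm-no-admin-ports", "vm", lambda r: not ({22, 3389} & set(r.attrs.get("open_ports", []))),
           "restrict admin ports to the management network"),
]

def evaluate(inventory, policies):
    """Return (resource id, policy name, action) for every policy a resource violates."""
    violations = []
    for r in inventory:
        for p in policies:
            if p.applies_to in ("*", r.kind) and not p.check(r):
                violations.append((r.rid, p.name, p.action))
    return violations

def summarize(violations):
    """Count violations per policy so the team can prioritize the biggest risks first."""
    counts = {}
    for _, name, _ in violations:
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for rid, name, action in evaluate(INVENTORY, POLICIES):
        print(f"{rid}: violates {name} -> {action}")
```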
To find out more about CloudHealth, or to see a demonstration of policy-driven automation in action, don’t hesitate to get in touch and speak with one of our cloud security experts. Our team will be happy to provide advice about creating a Cloud Center of Excellence and developing a cloud security governance framework, and can further explain how you can enforce cloud security governance policies effectively by taking advantage of CloudHealth’s policy-driven automation capabilities.