In recent years, IT governance frameworks and cloud computing security have been bundled together under the heading “information security governance”. This is a good term for businesses migrating to the cloud to use when one set of policies governs both the on-premises IT infrastructure and the cloud environment.
It’s no wonder businesses get confused about governance in the cloud. A comparison of six established IT governance frameworks in 2017 (COBIT, ISO 27000, ISAE 3402, etc.) found three different definitions of cloud computing and six different definitions of governance. Not surprisingly, the explanation of how each framework applies to cloud computing takes up a lot of pages!
To further confuse matters, a study published in 2018 defined IT governance as a subset of corporate governance because corporate governance is responsible for managing risk. This study also acknowledges the different types of IT governance frameworks, and notes that each attempts to deal with cloud computing security (under the heading “information security governance”) in a different way.
Unfortunately for businesses attempting to get to grips with IT governance frameworks and cloud computing security, there are no right or wrong definitions. A framework is just a framework—the basic skeleton around which each business builds its own governance policies and procedures based on the objectives of the business’s strategies.
Where IT governance frameworks and cloud computing security meet
To best explain where IT governance frameworks and cloud computing security meet, let's take the example of a business that has not yet migrated to the cloud. Because it is operating an on-premises IT infrastructure, costs are mostly fixed, the network is secured, and users can only run approved software, applications, and programs. Here, governing the IT environment is relatively simple.
Then the business considers migrating some of its operations to the cloud. It does its homework and finds some of its applications are suitable for a lift and shift migration. However, during the assessment process, a few small security issues are discovered. The issues would not be critical in the on-premises environment because it is protected by a firewall, but there is no such protection in the cloud.
Consequently, the business adds a policy to its existing IT governance policies stipulating that resources must not be launched in the cloud when these issues exist. It is important to note the business is not creating a new set of governance policies for its cloud operations, but adding a new policy. This is the way IT governance frameworks and cloud computing security are supposed to work together.
The difficulty in enforcing cloud governance policies
Problems start when it comes to enforcing cloud governance policies. This is because in an on-premises infrastructure, the IT department can see everything, but that’s not possible in the cloud. In the cloud, multiple businesses share the same multi-tenanted infrastructure in cloud service providers’ data centers, and, for the sake of tenant privacy, there is no visibility into cloud activity below the level of abstraction.
Because of the self-provisioning nature of cloud computing, individual users and departments can deploy assets with the click of a mouse. IT departments have no oversight of the software, applications, and programs being used, leading to the potential for further security issues—not to mention the potential for spiraling costs and performance inefficiencies. It is very difficult to enforce cloud governance policies when you cannot see what is going on.
The solution is to implement a cloud management platform such as CloudHealth that not only provides total visibility of the cloud environment (via lightweight agents) but also has policy-driven automation capabilities that can be used to control the conditions under which assets can be deployed in the cloud. The platform can also be configured to control what assets are deployed in the cloud, and by whom. CloudHealth reunites IT governance frameworks and cloud computing security.
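The two policies described above (block a launch while the migration assessment still lists open security issues, and restrict which team may deploy which asset type) expressed as a policy-as-code gate. This is an added illustration, not CloudHealth's or any platform's own code; the workload names, finding ids and team names are constructed, and an unassessed workload is treated as blocked rather than allowed.

```python
from dataclasses import dataclass, field

# Constructed migration-assessment results: workload -> open finding ids.
# An empty list means the assessment ran and found nothing outstanding.
ASSESSMENT_FINDINGS = {
    "billing-api": ["open-admin-port", "plaintext-db-creds"],
    "intranet-wiki": [],
}

# Constructed governance rule: asset type -> teams approved to deploy it.
APPROVED_DEPLOYERS = {
    "compute": {"platform-team"},
    "database": {"platform-team", "dba-team"},
}


@dataclass
class DeployRequest:
    workload: str
    asset_type: str
    requester_team: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req, findings=ASSESSMENT_FINDINGS, deployers=APPROVED_DEPLOYERS):
    """Apply both governance policies; every violated rule adds a reason."""
    reasons = []
    open_findings = findings.get(req.workload)
    if open_findings is None:
        # Fail closed: no assessment record means the policy cannot be satisfied.
        reasons.append(f"{req.workload} has not been assessed for migration")
    elif open_findings:
        reasons.append("open findings: " + ", ".join(open_findings))
    if req.requester_team not in deployers.get(req.asset_type, set()):
        reasons.append(f"{req.requester_team} may not deploy {req.asset_type} assets")
    return Decision(allowed=not reasons, reasons=reasons)
```

In practice the findings and deployer tables would be fed from the assessment tooling and the identity system, and the gate would run before the provisioning call rather than after the asset exists.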