Although most businesses understand the concept of security governance in cloud computing, many often struggle to enforce cloud governance policies. This can be due to the manner in which the policies are developed, a failure to implement policy guardrails, or both.
Many organizations lack the visibility into their cloud environment that allows them to maintain the same degree of control over network activity, application performance, and data security as in an on-premises environment. Indeed, visibility was rated the top cloud security challenge in the 2019 Oracle/KPMG Cloud Threat Report.
The first step to navigating the visibility challenge is implementing a cloud management platform that monitors activity in the cloud via agents. However, visibility alone will not make a cloud environment secure. In order to address cloud security challenges effectively, businesses need to ensure their teams adhere to their cloud security governance policies.
What is security governance in cloud computing?
Security governance in cloud computing is a framework of policies designed to dictate what cloud resources can be used, how they should be used, and who can use them. They can also enforce rules governing how individual resources should be secured to prevent their misuse by malicious actors.
Additionally, it’s essential to approach security governance in cloud computing as an extension of existing on-premises security governance. Having separate policies for on-premises activities and security governance in cloud computing will not work—especially in hybrid cloud environments in which applications running on different infrastructures interact with each other.
Who designs security governance policies?
Security governance in the cloud should not be the sole domain of the IT department. Because of the self-provisioning nature of cloud computing, users can deploy resources in the cloud with the click of a mouse. The user may not be aware of whether resources are sanctioned by the IT department, or even the security risks of how they are using those resources, when they are just trying to “get the job done.”
Consequently, the role of developing security governance policies should be shared across a Cloud Center of Excellence: a team made up of representatives from all departments affected by the organization’s cloud usage, such as engineering, IT, and security, who can weigh in on what resources their teams need to use and how they should use them.
Enforcing the security governance policies
It is then the responsibility of the Cloud Center of Excellence to build out and share best practices throughout the business. Individual representatives need to explain to members of their departments what policies are in place, why these policies are in place, and the sanctions for violating the policies. In theory, security governance policies eliminate shadow IT; but in practice, they often don’t eliminate human error.
However, the speed and scale at which resources can be deployed in the cloud make it virtually impossible to enforce security governance in cloud computing manually. The key is to leverage automation that monitors compliance with the policies and prevents users from operating outside policy guardrails.
Using policy-driven automation to enforce governance policies
Policy-driven automation is a process in which a cloud management platform is configured with the business’s governance policies and the actions the platform should take if a policy is violated. The actions can range from a notification to the IT department for a minor violation to the automatic revocation of a user’s login credentials for a serious policy violation.
Between the two extremes, the platform can auto-correct some of the more common and easily addressable mistakes (e.g. initiate a function to encrypt an unencrypted storage volume tagged PII), initiate an approval workflow (e.g. seek permission before allowing a non-conforming resource to be launched), or prevent the deployment of resources that do not conform to a predetermined structure (e.g. a VM created from a faulty image).
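As an added illustration (not code from the original article or from any particular cloud management platform), the following Python sketch shows how the graded responses described above can be expressed as policy checks: each rule maps to one action tier (notify, auto-remediate, require approval, or block), and the most severe finding decides what happens to the resource. The resource records, the approved-image list, and the tag names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    kind: str                       # e.g. "volume" or "vm"
    tags: dict = field(default_factory=dict)
    encrypted: bool = True
    image: str = ""

# Hypothetical sanctioned-image list, constructed for this example.
APPROVED_IMAGES = {"img-hardened-2024"}

def unencrypted_pii_volume(r):
    return r.kind == "volume" and r.tags.get("classification") == "PII" and not r.encrypted

def unapproved_image(r):
    return r.kind == "vm" and r.image not in APPROVED_IMAGES

def non_standard_size(r):
    return r.kind == "vm" and r.tags.get("size", "") not in {"small", "medium"}

def missing_owner(r):
    return "owner" not in r.tags

# Each policy: (check, action, reason). The actions are the tiers the article describes.
POLICIES = [
    (unapproved_image,       "block",     "VM image is not on the approved list"),
    (unencrypted_pii_volume, "remediate", "volume tagged PII is unencrypted"),
    (non_standard_size,      "approve",   "non-standard VM size needs approval"),
    (missing_owner,          "notify",    "resource has no owner tag"),
]

SEVERITY = {"block": 3, "remediate": 2, "approve": 1, "notify": 0}

def evaluate(resource):
    """Return (action, reason) for every policy the resource violates."""
    return [(action, reason) for check, action, reason in POLICIES if check(resource)]

def decide(resource):
    """Collapse findings into one deployment decision; the most severe action wins."""
    findings = evaluate(resource)
    if not findings:
        return "allow"
    return max((action for action, _ in findings), key=SEVERITY.get)

def remediate(resource):
    """Auto-correct the one violation this example knows how to fix: encrypt the volume."""
    if unencrypted_pii_volume(resource):
        resource.encrypted = True   # stands in for calling the provider's encryption API
    return resource
```

In a real platform the check functions would be fed from the provider's inventory API and the actions would trigger tickets, approval workflows, or deployment denials rather than returning strings.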
Other governance applications for policy-driven automation
Policy-driven automation is not limited to enforcing security governance in cloud computing. Many organizations use automation to alert administrators when costs are spiking unexpectedly, committed use discounts are used inefficiently, and when the organization can capitalize on opportunities to optimize cloud costs. In many cases, the platform can be configured to address certain governance issues automatically, such as deleting unused resources.
However, while it is important that policy guardrails are put in place to ensure compliance with governance policies, it is also important that individual departments have a say in the development of the policies and visibility into how they are applied. The failure to consider what’s best for the business—rather than what’s easiest for the IT department—can end up causing new problems that prevent other departments from being able to meet business objectives.