How many cloud services — and which ones — are in use across your organization? Are sensitive data being stored in employees’ personal cloud accounts? Is IT running unauthorized apps or using a cloud vendor with inadequate security policies?
Many executive teams don’t know the answers to those questions. According to PwC, “such an incomplete picture of the cloud services in place challenges [an] organization’s ability to adequately address the risks associated with cloud services, including data security, customer privacy, reliability of critical business processes, and compliance risks.”
The project requires some high-level commitment. In its report, Managing Risk in the Cloud — the Role of Management,” the consulting firm lays out what role, ideally, each top-level executive should have in moving a company toward a secure, organized cloud services framework.
The chief information officer (CIO). The CIO leads the fact-finding mission to discover who is using what. “The effort requires extensive discovery of cloud services, including the applications running in them, the data they contain, where they’re running and how, who’s connected to them, who’s using them, and what sort of anomalous behavior patterns might be associated with their use,” says PwC.
The chief information security officer (CISO). The CISO is the gatekeeper, blocking or eliminating high-risk cloud services. “This phase can involve either policy or governance mandates and it immediately produces the benefit of reducing cloud risk,” says PwC.
The PwC report provided an example of a large U.S. healthcare provider struggling with cloud security issues. Through the discovery process, the company found that “not only all of the cloud services in use but also the presence of shadow IT; the inability to definitively block access to several blacklisted services; and rampant unauthorized data transfers due to lack of restrictions on maximum capacity uploads or downloads.”
The chief financial officer (CFO). CFOs, of course, have an interest in “moving unsanctioned cloud services into sanctioned ones and creating more cost-effective and more-business efficient cloud use,” says PwC.
The PwC report tells of a $5-billion retail firm that had a serious case of cloud proliferation: “hundreds of services” popped up in a financial report on cloud subscriptions. The CFO and COO subsequently focused on “remediation, culling of unwarranted or high-risk services, consolidation of redundant services, control policies, and enforcement processes.”
The chief compliance officer. The head of compliance ensures that the right control framework, monitoring, and assurance are in place for cloud activities, says PwC. “With cloud services right-sized to a manageable group, the CAE … can impose the right controls on the organization’s cloud use,” says the report. Which employees should have access to a new cloud platform service? How many should be able to change system or business parameters?
Securing the cloud may involve the entire C-suite. “But the rewards come,” says PwC, “in the form of trustworthy cloud services functioning in a way that fits the nature and strategy of the business.”