Click to learn more about author Bo Lane.
Cybersecurity organizations should partner with business units to create a shared and flexible cloud governance model that better enables responsible cloud adoption.
Businesses cannot (and often will not) wait for security organizations to create inflexible governance frameworks for cloud adoption. After all, the cloud is supposed to be flexible and business-enabling. The high-speed transformation to remote work and the rapid increase in cloud workloads due to COVID-19 highlights that technical agility is key to both enabling business outcomes and surviving times of crisis. In recent months, software-as-a-service (SaaS) collaboration platforms, such as Zoom, have seen a spike in usage, and 59 percent of enterprise respondents to a recent survey by Flexera plan to accelerate cloud adoption because of the pandemic.
However, organizations must still protect their data, preserve user privacy, manage technology costs, and ensure business continuity. In some respects, these demands are even more important during uncertain times. A shaky financial climate increases pressure to control costs; a shift to remote work reshapes the cyber threat profile for the organization. Businesses need to control financial, operational, and security risks when facing the realities of a pandemic.
Accelerated Cloud Adoption in the Age of COVID-19: Why is Cloud Governance Important?
Many stakeholders are concerned with a variety of governance topics, mainly those that focus on the cloud. Cloud governance is a multi-disciplinary approach that ensures cloud resources are designed, delivered, and consumed in a manner that adequately addresses organizational risk. However, organizations face an increasing challenge since execution is usually siloed and often driven by different internal motivations.
Different groups use different tools, techniques, and taxonomy to address their respective needs. Without a coordinated effort, this creates redundant work for the business and undue overhead for cloud consumption. Isolated governance also creates spotty coverage of the various technical and non-technical risks that organizations should address.
Many business units within an organization care about governance:
- Cybersecurity teams care about security governance, ensuring that resources and cloud environments are compliant with regulatory or corporate policies and best practices
- Accounting cares about cost governance, ensuring that OPEX costs can be adequately controlled, tracked, and assigned to the right budgets
- IT and DevOps groups care about operational governance, ensuring that resources are deployed consistently and follow operational best practices
Cloud governance is key to realizing the benefits that cloud offers, including agility and elasticity, while minimizing unintended business or technical risks. However, risks are not limited to any one domain — cybersecurity, financial, or operational — and should be addressed collectively and holistically.
Cloud governance must be robust and adaptable to meet rapidly shifting business demands, not only in cybersecurity. As organizations continue to transform how they conduct business, there is a unique opportunity for cybersecurity stakeholders to take the lead in bringing together their peers from other parts of the business.
Security is often the primary driver for the governance of cloud adoption, so it is logical to have this group lead the charge to build consensus on the topic. A coordinated effort creates efficiency and consistency for these activities, reducing the redundant burden of siloed governance. A consolidated voice also lends credence to the notion that unfettered cloud usage in the name of business agility can ultimately be bad for business.
Guardrails vs. Handcuffs: Defining Flexibility in Cloud Governance
Building consensus for a multi-disciplinary cloud governance approach is necessary but not sufficient to enable business outcomes. A unified governance coalition could simply demand inflexible and prescriptive controls and processes that are incongruent with cloud agility. Just as important is how these teams choose to mitigate the various cloud risks for the organization.
Developing solutions “at the speed of business” requires a more flexible approach. It is important to squarely address the skepticism that additional oversight will create inefficiencies and delays for the business. Dictating strict controls inhibits the agility and creativity of teams. Inevitably, they will seek (and find) a way around the perceived roadblocks. Rather, putting up looser “guardrails” in the cloud enables teams to operate with more freedom, but still within parameters.
This model can provide a nice balance between constricted control and unfettered flexibility. These guardrails can take many forms but are often technical requirements implemented within a cloud platform (e.g., Azure Policy), manifesting well-written cloud security guidelines.
What Does Flexible Governance Look Like?
All major cloud platforms have the concept of tagging — metadata in the form of key-value pairs that can be associated with cloud resources. A cloud policy requires that all cloud compute resources (e.g., servers, containers) include tags for the internal cost center and the deployment environment (e.g., development, staging, production).
We can then configure the cloud platform to enforce this tagging policy for us, ensuring that the teams responsible for deployment will always provide the requisite information — a fairly low friction demand that provides value for different governance stakeholders. For example, accounting can accurately assign the costs to its department, operations can assign the requisite monitoring and service-level agreements for a production workload, and cybersecurity could have contextual information that can be useful in appropriately prioritizing a security incident or vulnerability remediation for different resources.
A Journey, Not a Destination
Following these ideas, organizations should be able to build a shared vision for cloud governance that effectively balances business flexibility with risk mitigation. They can continue to create more sophisticated tagging examples and implement governance-as-code, authoring and managing technical cloud controls like a software development project. They could even envision how this model could effectively govern the democratization of technology, through low-code and no-code development platforms.
The real test for this model is how it can evolve and adapt to change in the organization — as change has most likely already happened.