The use of cloud services has become ubiquitous due to its ease of user access, low costs and quick provisioning times. These attributes are some of the driving factors that contribute to the rapidly increasing number of cloud services used within organizations. Centralized IT groups are often unaware of their widespread use throughout the organization and have been unable to measure the pervasive nature of the problem.
Risk and the Numbers
In Skyhigh’s recent Cloud Adoption Risk Report, covering 5.9 million users and over 175 companies, their team of researchers revealed that the number of cloud services in use was startling. The numbers ranged from a low of 97 all the way up to 2,154 cloud services per company, with an average of 626. Even more surprising, of the cloud services in use, only 11% had data encrypted at rest and only 4% were certified ISO 27001 compliant. These staggering numbers, along with a Forbes article stating that 40% of IT expenditures are made outside the purview of the IT department and the CIO’s control, indicate that there is a present and growing risk to enterprises that must be brought back into corporate governance and oversight for compliance. These risks are present across all industries, including the public sector, which has typically had tight controls and oversight. According to NASA’s audit report from July 2013, auditors found that moderate-impact systems “moved to a public cloud operated for 2 years without authorization, a security or contingency plan, or a test of the system’s security controls”, which reinforces the risk of unmonitored access to cloud service providers (CSPs).
The Risks at a Glance:
- Data Loss
- Data Breach or Leakage
- Service Availability
- Service Performance
- Change Management
- GRC Compliance
- Business Continuity
Securing and Embracing the Cloud
Cloud Service Providers (CSPs) provide value to an organization through cost savings, productivity enhancements, agility and business continuity, among other benefits. To fully embrace and secure cloud services, IT should develop a catalog of secured and approved CSPs while making those services readily available to business users, negating the need for shadow IT clouds. To accomplish this, the organization should:
- Bring in a third party to discover the known and unknown CSPs currently in use in your company
- Evaluate the business requirements driving the utilization of each CSP
- Determine the business’ risk appetite and risk tolerance
- Evaluate the compliance of each CSP with the business’s Enterprise Risk Management (ERM) policies
- Develop a service catalog of approved CSPs meeting the ERM
- Integrate a Cloud Services Brokerage (CSB) provider to ensure the secure aggregation, integration and customization of each unique service and provider
- Direct business users to the Cloud Services Broker to consume authorized cloud services
- Routinely audit the security policies of your brokered cloud providers
- Monitor for the utilization of unauthorized CSPs
- Monitor the business requirements against the services available through the CSB
As mentioned above, the first step to managing risk and regaining control of cloud utilization is a Cloud Advisory engagement to evaluate the current utilization of Cloud Service Providers (CSPs) and the risk they pose to the organization. The second step is to embrace the public and private cloud by making those services available to your business users through a secure Cloud Services Broker (CSB). The idea of a CSB is still rather new to the industry, and Ryan Reed has outlined the CSB roles to help organizations understand how they fit into your current IT structure. Whether you are in the evaluation phase or ready to move forward with Cloud Service Brokerage, NTT DATA is here to help you through the full Cloud Lifecycle.
- Nathan Aeder, Senior Manager, Cloud Advisory Services – Senior Cloud Strategist