One of the areas that has to be covered by GRC is cloud computing, but I suspect that this is an area that is dragging behind. Lots of organizational leadership, the people who are responsible for implementing a GRC strategy, are still a little foggy when it comes to cloud management, security and overall adoption. However, as Vibhav Agarwal wrote in a CloudTweaks piece:
[A] ’cloud-ready’ security and compliance program is the need of the hour, to manage the risks and the complexities due to cloud adoption. This will enable organizations to face cloud challenges which, according to RightScale’s 2016 State of the Cloud Report, include compliance with regulations, a lack of resources and expertise, governance and control and security.
Agarwal suggested that to improve governance and compliance and lessen risk, organizations should take steps to assess cloud service providers, improve cloud asset visibility, assign business ownership to cloud assets, and know the cloud’s landscape as well as its risks. All very good suggestions. But I’m going to add one: Improve your overall cloud security posture. Agarwal wrote:
Inevitably, there are risks with cloud environments as there are with all storage and retrieval systems, both electronic and manual. Businesses must understand the cloud threat landscape, effectively evaluate and mitigate risks and protect themselves and their interested parties from exposure.
It’s one thing to know where the risks are. But what are you doing to mitigate those risks or address them before they become full-blown threats? Probably not much, according to research by Netwrix Corporation. The study found that nearly half of organizations surveyed see their own employees as their biggest security threat, but yet, they are not ready to address the insider threat because they have only partial visibility into activity in their IT infrastructures, a situation that has not changed much since 2016. Perhaps the most alarming statistic, in terms of GRC, is that two-thirds of IT staff have top management’s support for security initiatives for the cloud. Again, business leadership has to buy into cloud ownership and they are the ones who should be charged with GRC strategy. How do you get to cloud security if management isn’t buying in?
This is a very good example of why the IT team has to be an integral part of the GRC team and a voice about the framework. It’s also important to understand how your employees are playing a role in your cloud security breakdown, as Michael Fimin, CEO and co-founder of Netwrix, said in a formal statement:
Although most actual security attacks were external, cloud customers mostly blame their own users for incidents in the cloud and see them as the biggest threat to security. Why? Even if insiders are not malicious, they still can unwittingly help attackers get into the environment, whether due to a lack of knowledge about risks, negligence or mistakes. To address the human factor in all its forms, organizations need a complex approach that includes at least three components: employee training, top management support for security initiatives, and pervasive visibility into user activity to detect attacks and minimize the damage.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba