More and more, cloud is everywhere in IT — and increasingly, throughout the business. Today, 72 percent of organizations have at least one application in the cloud or a portion of their computing infrastructure in the cloud, according to IDG’s Cloud Computing Survey 2015, while 56 percent of organizations are still identifying IT operations that can move to the cloud.
However, with the cloud comes concerns: Two-thirds (67 percent) of survey respondents said security is a significant concern for moving to the cloud, while compliance, as data moves out-of-house, may be the cloud’s biggest security challenge. Will data uploaded to the cloud remain compliant with legal and regulatory obligations such as PCI, FISMA and HIPAA? Who owns what parts of security and compliance, and what provisions to satisfy those obligations will get put into the contract with the cloud provider?
In fact, these compliance issues can become a barrier that stops a CIO’s strategic cloud initiatives in its tracks, says Michael VanDenBerg, managing director, cyber services at KPMG. “Moving from on-premise IT and data centers to cloud services does mean giving up the posture of controlling all operational disciplines,” he points out. “It requires a mindset change that, for some, can be a blocker.”
Cloud compliance challenges tend to fall into three main categories:
Encryption and data protection. Organizations are concerned about the type of data that will be used in the cloud solution and how it will be encrypted and protected. For example, a company might have an established policy that says a certain type of data needs to be encrypted in transit. “You need to dig into what the real risks are,” says VanDenBerg. “Can they be satisfied through other means or do I need to wait for them (the cloud service provider) to offer encryption for this part?”
Data retention and recovery. Another issue, particularly regarding SaaS solutions, is identifying the method to get your data back if you want to switch to another cloud service. “We are seeing more and more of this with our clients,” says VanDenBerg. “There is a responsibility on both sides to address data retention and recovery.”
Identity and access management. Monitoring identity and access management is also a real concern for IT organizations, says KPMG director Kerri Murphy — that is, who is accessing the data and whether that access (such as timing) is appropriate. “This is a struggle for most of our clients, with so many products and security tools that tie into each cloud offering,” she says.
Comfort with cloud is growing
Still, technology organizations, particularly security organizations, are becoming more and more comfortable that the cloud is just the way business is now done. “It has taken time for organizational change and training, for the knowledge to permeate through,” says VanDenBerg, who adds that companies are also more comfortable because they realize they are putting their data and technology in the hands of a company “with a security staff 10-100 times size of theirs.” In addition, the rise of cloud access security brokers, or CASB technologies, now allow organizations to set up controls and monitor across multiple cloud service providers. “It provides a level of visibility that didn’t exist two years ago,” he explains.
Finally, cloud service providers recognize that this is one of the top barriers that can prevent them from getting a deal done with clients, so they now offer flexible options that allow organizations to meet their high-priority compliance obligations. “Cloud service providers are offering almost all of the assurances customers want,” says Murphy. “They have put into their roadmap even more regulations and compliance frameworks that they will attest to in the future, whether you are in the federal government, oil/gas or banking — making efforts to comply with standards across the board.”
How to select the right cloud service partner:
1. Invest in their reputation. Select a partner who will consider compliance and security part of their core business five, 10 or 15 years from now, says VanDenBerg. “You are Investing in the ability of the provider to come up with right solution to stay on top of industry trends,” he explains. “And at the end of the day, you need to do business with someone you can trust to have your best interests in mind over the long haul.”
2. Look for operational and technical transparency. The cloud service provider should make it clear how they approach compliance and security at every level, as well as their ability to provide monitoring or add-on services if you are paying for them. “We all know nobody’s perfect in this space, but you can expect transparency in how they deal with risk and resolve risk,” says VanDenBerg. “It’s about how the provider deals with fundamental issues such as monitoring and technical architecture, as well as how they communicate back and forth with you on an ongoing basis.”
Take a holistic view of risk in the cloud
As companies increasingly deal with cloud compliance, IT organizations need to take a holistic view of risk and monitoring that risk in the cloud — expanding on traditional vendor management programs and accounting for the risks of moving into the cloud. “We work with clients to develop a framework approach to this,” says VanDenBerg. “We set up monitoring controls and operational layers to make sure they understand what they’re responsible for regarding their data in the cloud and what the cloud service provider is responsible for. And, if the CSP is responsible, making sure it’s in the contract somewhere.”
The right contracts are key when it comes to cloud compliance, adds Murphy. “We see a lot of clients getting burned when they review their contracts and realize that it does not cover some issues such as transparency and data retention,” she says.
But, the bottom line is that cloud compliance is a mindset change that both IT and the entire business need to understand, she emphasizes: “Cloud compliance can become a hot potato passed back and forth, so if you’re a CIO, the whole organization needs clarity.”
For more insights from KPMG on Cloud adoption, compliance, and security please see our recent thought leadership:
As more enterprises conclude their cloud computing testing and assessment periods, they are looking to invest and shift towards implementation. This paper examines the rapid adoption and expansion of service offerings in the public and private cloud space as well as the risk cloud computing presents to enterprises.
CIOs have been tasked to plan and select Cloud Service Providers (CSP) in order to sort through the challenges and complexity of cloud adoption. To provide guidance with this, KPMG International has developed a CSP evaluation framework.