More and more, cloud is everywhere in IT — and increasingly, throughout the business. Today, 72 percent of organizations have at least one application in the cloud or a portion of their computing infrastructure in the cloud, according to IDG’s Cloud Computing Survey 2015, while 56 percent of organizations are still identifying IT operations that can move to the cloud.

However, with the cloud come concerns: two-thirds (67 percent) of survey respondents said security is a significant concern for moving to the cloud, while compliance, as data moves out-of-house, may be the cloud’s biggest security challenge. Will data uploaded to the cloud remain compliant with legal and regulatory obligations such as PCI, FISMA and HIPAA? Who owns what parts of security and compliance, and what provisions to satisfy those obligations will get put into the contract with the cloud provider?

In fact, these compliance issues can become a barrier that stops a CIO’s strategic cloud initiatives in their tracks, says Michael VanDenBerg, managing director, cyber services at KPMG. “Moving from on-premise IT and data centers to cloud services does mean giving up the posture of controlling all operational disciplines,” he points out. “It requires a mindset change that, for some, can be a blocker.”

Cloud compliance challenges tend to fall into three main categories:

Encryption and data protection. Organizations are concerned about the type of data that will be used in the cloud solution and how it will be encrypted and protected. For example, a company might have an established policy that says a certain type of data needs to be encrypted in transit. “You need to dig into what the real risks are,” says VanDenBerg. “Can they be satisfied through other means or do I need to wait for them (the cloud service provider) to offer encryption for this part?”

Data retention and recovery. Another issue, particularly regarding SaaS solutions, is identifying the method to get your data back if you want to switch to another cloud service. “We are seeing more and more of this with our clients,” says VanDenBerg. “There is a responsibility on both sides to address data retention and recovery.”

Identity and access management. Monitoring identity and access management is also a real concern for IT organizations, says KPMG director Kerri Murphy — that is, who is accessing the data and whether that access (such as its timing) is appropriate. “This is a struggle for most of our clients, with so many products and security tools that tie into each cloud offering,” she says.

Comfort with cloud is growing

Still, technology organizations, particularly security organizations, are becoming more and more comfortable that the cloud is just the way business is now done. “It has taken time for organizational change and training, for the knowledge to permeate through,” says VanDenBerg, who adds that companies are also more comfortable because they realize they are putting their data and technology in the hands of a company “with a security staff 10-100 times the size of theirs.”

In addition, the rise of cloud access security brokers, or CASB technologies, now allows organizations to set up controls and monitor across multiple cloud service providers. “It provides a level of visibility that didn’t exist two years ago,” he explains.

Finally, cloud service providers recognize that this is one of the top barriers that can prevent them from getting a deal done with clients, so they now offer flexible options that allow organizations to meet their high-priority compliance obligations. “Cloud service providers are offering almost all of the assurances customers want,” says Murphy. “They have put into their roadmap even more regulations and compliance frameworks that they will attest to in the future, whether you are in the federal government, oil/gas or banking — making efforts to comply with standards across the board.”

How to select the right cloud service partner:

1. Invest in their reputation. Select a partner who will consider compliance and security part of their core business five, 10 or 15 years from now, says VanDenBerg. “You are investing in the ability of the provider to come up with the right solution to stay on top of industry trends,” he explains. “And at the end of the day, you need to do business with someone you can trust to have your best interests in mind over the long haul.”

2. Look for operational and technical transparency. The cloud service provider should make it clear how they approach compliance and security at every level, as well as their ability to provide monitoring or add-on services if you are paying for them. “We all know nobody’s perfect in this space, but you can expect transparency in how they deal with risk and resolve risk,” says VanDenBerg. “It’s about how the provider deals with fundamental issues such as monitoring and technical architecture, as well as how they communicate back and forth with you on an ongoing basis.”

Take a holistic view of risk in the cloud

As companies increasingly deal with cloud compliance, IT organizations need to take a holistic view of risk and of monitoring that risk in the cloud — expanding on traditional vendor management programs and accounting for the risks of moving into the cloud. “We work with clients to develop a framework approach to this,” says VanDenBerg. “We set up monitoring controls and operational layers to make sure they understand what they’re responsible for regarding their data in the cloud and what the cloud service provider is responsible for. And, if the CSP is responsible, making sure it’s in the contract somewhere.”

The right contracts are key when it comes to cloud compliance, adds Murphy. “We see a lot of clients getting burned when they review their contracts and realize that it does not cover some issues such as transparency and data retention,” she says.

But the bottom line is that cloud compliance is a mindset change that both IT and the entire business need to understand, she emphasizes: “Cloud compliance can become a hot potato passed back and forth, so if you’re a CIO, the whole organization needs clarity.”

For more insights from KPMG on cloud adoption, compliance, and security, please see our recent thought leadership:

Five key cloud computing risks. As more enterprises conclude their cloud computing testing and assessment periods, they are looking to invest and shift towards implementation. This paper examines the rapid adoption and expansion of service offerings in the public and private cloud space as well as the risk cloud computing presents to enterprises.

Clouds on the horizon. CIOs have been tasked to plan and select Cloud Service Providers (CSPs) in order to sort through the challenges and complexity of cloud adoption. To provide guidance with this, KPMG International has developed a CSP evaluation framework.