The GRC-enabled Cloud – governance, risk and compliance may be simpler, faster, cheaper, more trusted – eventually

When we talk about the Cloud, whether it is an internal cloud and external cloud (i.e. public cloud) or a private cloud (i.e. hybrid cloud), we are inevitably led to consider GRC. To date the Cloud GRC discussion has been limited to issues of privacy, trust, reliability and availability, narrowly focused at times on security. This is typical when profound changes are underway driving any paradigm shift, and this evolution to the Cloud is truly profound for IT. It changes not everything, but nearly everything.  It is as transformational for IT, and perhaps more so, than the movement from centralized to distributed client server computing in the 90’s.

Going forward, we need to broaden the Cloud discussion to imagine the scenarios where the Cloud is GRC-enabled, at the appropriate level, matching the precise needs of its diverse and distinct user communities. It’s time to reframe the discussion in a way that frees us to think strategically and practically about how the Journey to the Cloud may actually evolve. By doing this we can be proactive and creative, and avoid the inevitable backtracking and reworking that occurs when we react piecemeal to profound change. Let’s Rise Above the Clouds for a moment, and ‘blue sky’ GRC concepts one by one. 

Governance in the Cloud.

What would a Governance-enabled Cloud look like? Governance translates directly through policy to authority, behavior and access in the Cloud.

Policy would need to be based not only on business and regulatory requirements, but on best practices that can be translated from written edicts through instantiations of configurations for all in-scope technologies. For example, applications would specify their operational policies; hosts would specify their control capabilities and hosting would occur when policies match control capabilities. 

Classification Schema would need to underpin the policies that govern behavior of entities, in particular, applications, information or virtualized environs.  Entities would need to know their GRC profile, that is, how they are classified and what their attendant configuration and protection requirements are, and by extension, what the characteristics of their target cloud environs must be. 

Chain of Trust-Custody. We know about chain of custody in the legal and even information security sense.  When clouds negotiate handoffs in this dynamic, fluid eco-system, the chain of trust would need to be carried with it, logged, analyzed, and be auditable. If the chain should break, it must either stop the movement or self-heal. Policy shapes the rules of interaction and policy enforcement would be able to break bindings dynamically.

Risk Management in the Cloud.

What would a Risk Management-enabled cloud look like? Risk translates directly to the probability or likelihood that a threat will have a negative impact on an entity.            

Business Impact Analysis (BIA) would need to be continuous and based on known and accepted levels of risk tolerance, at many levels of granularity, running from business process through the stack to applications, information and cloud environ. BIA would be based on not just availability(A), as we see today in business continuity, but also on confidentially(C) to ensure privacy and integrity(I) to ensure data quality, as well. This BIA-CIA profile would map into the governance classification schema, and be a foundation stone to facilitate trust.

Threat and Vulnerability Analysis would need to be dynamic, absorbing new threat-vulnerability pairs, and determining probabilities by sensing their context through the type of e-discovery, instrumentation and configuration controls monitoring that is possible at granular levels through the hypervisor. We have this type of technology today at the network level within the internal cloud; we need to extend it across cloud eco-systems. 

Risk Analysis and Remediation would need to be dynamic; near-real time.  Blocking and quarantining technologies will be part of the solution but most importantly, human-machine and machine-machine visibility into configuration postures, coupling and service levels will enable just-in-time remediation. 

Compliance in the Cloud.

What would a Compliance-enabled cloud look like? Compliance translates into understanding how policy enforces regulatory and business requirements in the cloud, through the use of controls. 

Control Rationalization and Normalization would need to be more automated.  Conflicting controls would be rooted out and overlapping controls allowed to persist only in those environs where deeper levels of defense are required, based on classifications and policy. 

Control Implementation would need to be dynamic when possible. Human intervention will bottleneck processes, and where communication is machine-machine, collaborative decisions will need to be negotiated through rules or inference. Compliance will involve knowing such things as where information resides (or has resided), where it has been transmitted (to, from or through regulatory boundaries) and how it is protected (at rest or in flight, notified, consented or ‘safe harbor-ed’).