Head in the Clouds - Security, regulatory and compliance

Trusting a vendor with your client data and your critical business applications can be a stretch for some organizations. Security, risk and compliance considerations can be serious impediments to moving swiftly to the cloud. Hardly a week goes by without some major enterprise announcing that it has been breached and sensitive data compromised. As well, heavily regulated industries must be sure that cloud providers do not expose them to regulatory failings that could threaten their ability to continue doing business or cause serious reputational damage.

For the security, risk and compliance teams, there is pressure from the organization to move into the cloud, but given the complexity and the loss of direct control it is simply easier to say "no". These teams are like the goalie in a hockey or soccer game: they can only fail, and the puck or ball is invisible. They do not know what the next attack will be or where it will come from.

Three years ago, cloud service providers did not have an in-depth understanding of the security, regulatory and compliance environment in which major financial institutions operate. Their security posture may have been adequate for small and medium-sized businesses, but enterprises had more rigorous requirements. Providers also did not appreciate that different institutions interpret the same regulations in different ways: the provider may believe its solution meets regulatory and compliance requirements while the customer's risk and compliance people disagree. As a result, many enterprises chose secondary security and data loss prevention (DLP) services to augment a cloud service. This can be problematic, as the organization may be paying for two services that do essentially the same thing, and multiple security agents on a desktop can conflict with one another.


As well, multinational enterprises may run cloud transformation programs with global impact, so the cloud solution must be capable of meeting security, regulatory and compliance requirements in a number of different jurisdictions. Addressing all of these concerns may involve many people around the table with different needs and agendas, and the complexity of dealing with so many stakeholders across a global organization can impede progress and affect the schedule.


It is vital that the internal security, risk and compliance teams meet with key cloud vendors as early in the engagement process as possible. This becomes a mutual education session: the internal teams educate the vendor on the enterprise's risk tolerance profile, and the vendor brings its experience of dealing with many similar customers and its own interpretation of risk and compliance.


The good news is that today, major cloud vendors have substantially beefed up their security and risk posture. Typically they are actively engaged with regulatory bodies in all the major jurisdictions. Engaging the regulators is mutually educational: the vendor gets to understand the regulators' objectives and then influence the regulations, and the regulator gets to better understand the services, the potential impact (good and bad) of new regulations, and the limitations of the technologies. As a result, security and compliance have become less of a risk when moving to major cloud service providers. Mature cloud service providers have large security and compliance departments, and they often detect threats (and start to address them) long before an individual enterprise would see the attack at the boundary of its own network. For many organizations the cost of managing security in house has become prohibitive and the ability to attract and retain high-calibre staff is limited. Moving to the cloud means that they can leverage the billions of dollars invested by major cloud providers in security and in the talent necessary to protect their cloud assets.


However, it is also important to consider the proliferation of shadow cloud services adopted directly by business units. This may be a greater risk to the organization in terms of security, data loss and compliance than picking an established, large corporate cloud vendor. For niche shadow cloud services, the buyer may not know where the company's data actually resides. Does the niche service provider use AWS, or is the company's data sitting on a server in someone's basement? Is the data stored in Canada? Is it encrypted? Within the enterprise, there needs to be education and governance in place, and there needs to be active monitoring to ensure that when individual business units engage with tier 2 and tier 3 cloud service providers, the organization is not exposed to security risk and data loss.
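The "active monitoring" called for above usually starts with the data the enterprise already has: outbound web-proxy logs. The script below is an added example, not code from the article or from KPMG; the log format, the sanctioned-service list, the upload threshold and the sample log lines are all constructed for illustration and would need to be mapped onto your own proxy's fields. It flags users who push bulk data (POST/PUT) to hosts that are not on the organization's vetted list, which is exactly the tier 2/tier 3 shadow-cloud traffic a governance team wants to see.

```python
"""Detect uploads to unsanctioned cloud services in web-proxy logs.

Added example (not from the original article). The log format, the
sanctioned-service list and the sample lines below are constructed for
illustration; map them onto your own proxy's fields.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, user, method, URL, status, bytes sent by the client.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://docs.example-erp.com/home 200 512
2024-03-04T09:15:22Z bob PUT https://upload.tinycloudshare.io/api/v1/files 201 48234112
2024-03-04T09:16:03Z bob PUT https://upload.tinycloudshare.io/api/v1/files 201 51200000
2024-03-04T09:20:45Z carol POST https://drive.example-erp.com/upload 200 2048000
2024-03-04T09:31:10Z dave POST https://pastebin-like.net/create 200 1200
2024-03-04T09:40:00Z erin POST https://backup.basement-saas.ca/sync 200 90000000
"""

# Services the organization has vetted (constructed). Subdomains match by suffix,
# but "example-erp.com.evil.net" must not: the check requires a dot boundary.
SANCTIONED_SUFFIXES = ("example-erp.com", "office.example-corp.net")

# Bytes per (user, host) above which the traffic is treated as bulk data leaving the org.
UPLOAD_THRESHOLD = 10 * 1024 * 1024  # 10 MiB

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def is_sanctioned(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in SANCTIONED_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed input rather than guessing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status, bytes_out = m.groups()
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "user": user, "method": method.upper(), "host": host,
            "status": int(status), "bytes_out": int(bytes_out)}


def find_shadow_uploads(log_text: str, threshold: int = UPLOAD_THRESHOLD):
    """Return {(user, host): total_bytes} for upload traffic to unsanctioned hosts
    whose per-user volume meets the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue  # reads and malformed lines are not uploads
        if is_sanctioned(rec["host"]):
            continue  # vetted service: covered by the organization's contract and DLP
        totals[(rec["user"], rec["host"])] += rec["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold}


if __name__ == "__main__":
    for (user, host), total in sorted(find_shadow_uploads(SAMPLE_LOG).items()):
        print(f"{user} sent {total / 1e6:.1f} MB to unsanctioned service {host}")
```

On the constructed sample, only bob (two uploads to tinycloudshare.io, about 99 MB combined) and erin (90 MB to a basement-saas.ca sync endpoint) are reported; carol's upload goes to a sanctioned domain and dave's 1.2 KB paste sits below the threshold. In practice the threshold and the sanctioned list are policy decisions, and the output feeds a governance conversation with the business unit rather than an automatic block.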


Security has moved away from a perimeter-based approach to a many-layered architecture in which identity and role-based permissions govern access. Consuming cloud services can be a vehicle for better overall end-to-end enterprise security, including on-premise networks and infrastructure. It is also worth noting that some major breaches involving cloud service providers have occurred because bad actors first penetrated a corporate network and then used that foothold to reach the cloud services. Security and vigilance do not diminish or go away as a result of cloud consumption.


Typically, enterprise cloud providers operate on a principle of "shared responsibility" for security and risk, and the customer's perception of where the provider's responsibility ends may differ from the provider's. Cloud customers may believe that their assets in the cloud are totally locked down, but the provider offers different flavours of security and leaves many controls to the customer. The cloud "front door" is locked by the provider; granular access within the cloud "building" (who can read which data, whether it is encrypted, where it is stored) is up to the customer. The customer needs to understand the options and implement them appropriately, or data can be exposed. For an enterprise organization, setting up a secure cloud and managing it is not trivial and should not be underestimated.
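A concrete way to see the customer's side of shared responsibility is to audit the settings the provider leaves to you. The script below is an added example, not code from the article or from any cloud provider's tooling; the bucket records are a constructed, provider-neutral snapshot, the field names are assumptions, and the allowed-region set stands in for the data-residency rule the article alludes to. Each check corresponds to a control the provider exposes but does not turn on for you: public reachability, encryption at rest, wildcard grants, residency and recoverability.

```python
"""Audit the customer-owned controls in a shared-responsibility cloud model.

Added example (not from the original article). The records below are a
constructed, provider-neutral snapshot of storage configuration; the field
names and the allowed-region rule are assumptions for illustration.
"""

# Constructed configuration snapshot for several storage containers.
BUCKETS = [
    {"name": "client-statements", "region": "ca-central-1", "public_read": False,
     "block_public_access": True, "encryption": "kms", "versioning": True,
     "grants": ["role:statements-app"]},
    {"name": "marketing-assets", "region": "ca-central-1", "public_read": True,
     "block_public_access": False, "encryption": "none", "versioning": False,
     "grants": ["role:web-cdn", "user:*"]},
    {"name": "hr-exports", "region": "us-east-1", "public_read": False,
     "block_public_access": False, "encryption": "sse", "versioning": False,
     "grants": ["user:*"]},
]

# Assumed data-residency requirement (the article's "Is the data stored in Canada?").
ALLOWED_REGIONS = {"ca-central-1"}


def audit_bucket(bucket: dict, allowed_regions=ALLOWED_REGIONS) -> list:
    """Return human-readable findings for one bucket; an empty list means it passes."""
    findings = []
    # The provider locks the front door; whether this door is open is the customer's setting.
    if bucket["public_read"] or not bucket["block_public_access"]:
        findings.append("publicly reachable or public access not blocked")
    if bucket["encryption"] == "none":
        findings.append("no encryption at rest")
    # A wildcard principal grants access to anyone the provider will authenticate.
    if any(grant.endswith(":*") for grant in bucket["grants"]):
        findings.append("wildcard principal in grants")
    if bucket["region"] not in allowed_regions:
        findings.append(f"stored outside allowed regions ({bucket['region']})")
    if not bucket["versioning"]:
        findings.append("versioning off: deletions and overwrites are not recoverable")
    return findings


def audit(buckets=BUCKETS, allowed_regions=ALLOWED_REGIONS) -> dict:
    """Map bucket name -> list of findings for the whole snapshot."""
    return {b["name"]: audit_bucket(b, allowed_regions) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

On the constructed snapshot, client-statements passes, while marketing-assets and hr-exports each produce four findings, including hr-exports sitting outside the allowed region. The point is that every one of these findings is on the customer's side of the line: the provider's own posture, however strong, would not have flagged any of them.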


Finally, the organization must have a data management policy. This needs to identify data that could be classed as the organization's "crown jewels". Data that is subject to regulatory or compliance rules (for example PIPEDA or GDPR) needs to be identified. As well, an archiving and defensible data deletion strategy needs to be in place. If data is not valuable to the organization and is not retained to meet a regulatory requirement, then holding on to it is potentially a liability as well as a cost. While cloud needs to be the end goal for all IT services, the reality is that there may always be some data and services that stay on premise. For example, a major financial institution may have no risk appetite for putting merger and acquisition data in the cloud.


From an emotional perspective, engaging cloud service providers may feel like the organization is giving away its crown jewels. Some foot-dragging, obfuscation and possibly an overabundance of caution may prevail.


Simon Morris is a Digital Transformation leader at KPMG.  When his head’s not in the clouds, he is riding his bike, carving turns on his snowboard, or helping his son build water cooled computers. He can be reached at simonmorris@kpmg.ca