@CloudExpo: Blog Post

GRC and the Cloud - Governance, Risk Management & Compliance

Can traditional GRC practices adapt to the cloud computing environment?

As we become more technology dependent, more so in today's "cloud"-driven environment, IT security needs to evolve from the traditional sense of digital security.

We should see the advent and acceptance of a more holistic, flexible and adaptive model of security that focuses more on managing information security, people and processes in a natural evolution from the traditional model of implementation, monitoring and updating.

According to Teubner and Feller [1], "Governance is understood as securing a responsible corporate management, having its roots in value-based management."

With regard to Risk Management, Marshall Krantz said it best:

"Faced with threats from all quarters - recession and credit crunch, heated global competition, continuing Sarbanes-Oxley pressures - companies are making intensive risk management a top priority" [2]

We can also assert that Compliance constraints aim to ensure that an enterprise satisfies all pertinent legal reporting responsibilities and regulatory transparency demands.

With technologies evolving as rapidly as they are, combined with complexities caused by:

  1. The constant drumbeat of global integration

  2. Possibility of vendor conflicts of interest

  3. Increasing demands for transparency

  4. Multinational or country specific regulations

  5. and new organizational threats cropping up faster than measures for mitigation are implemented;

enterprises must take appropriate steps to integrate governance, risk management and compliance as part of their modus operandi. A main source of contention within IT governance is the use of multiple vendors for IT resources, where the objectives of vendors may not necessarily align with those of an enterprise; this can lead to notable governance issues for an enterprise.

According to a SETLabs briefing [3], "Governance Risk and Compliance (GRC) is fast emerging as the next biggest business requirement that is most likely to ensconce itself in the psyche of enterprises."

The briefing also mentioned the concept of Integrated GRC, the aim of which is to improve collaboration between all identified stakeholders, as well as increase the level of GRC integration. This in turn will improve on legacy siloed GRC systems, which have been shown to decrease transparency and agility in governance.

Its objective is directed at increasing market competitiveness, reducing risk and improving compliance.

From this we can gather that the traditionally accepted progression of GRC will also need to adapt and evolve; more so as enterprises engage more services within the sphere of cloud computing - in other words an adaptive approach to GRC.

It is understood that in terms of risk management, IT security, etc., the board of directors holds ultimate responsibility when it comes to safeguarding enterprise assets. This does not mean that other individuals are exempt from responsibility. Far from it: there should be a top-down approach to ownership and accountability when it comes to ensuring the safety of company assets.

Edward Humphreys [4] stated that "security incidents occur because of flaws, gaps or vulnerabilities somewhere in management framework, chain of policy, direction and implementation."

As technologies evolve and cloud computing becomes more accepted and implemented, one can question whether there will be a blurring of responsibilities between the technical and non-technical aspects of information security management and, by extension, GRC.

Von Solms [4] made a statement a few years ago that "a separation between operational and compliance management of information security becomes essential." But will this work in today's environment, or do we need to adapt to evolving technologies that will span outside the traditional realm of GRC and IT Security Management?

My quest for an answer, at least relating to GRC and the cloud computing ecosystem, led me to a company called Agiliance and a conversation with their CEO, Joe Fantuzzi, about their RiskVision OpenGRC™ platform. Accordingly, this platform's foundation supports six integrated applications and over 100,000 controls via standards and regulatory content. It also allows a user to create target reports and to import and export files seamlessly while preserving file structure; it has SQL and web services APIs for I/O with any applications, databases, files and systems; and it gives a user access to up-to-date laws and regulations with 100,000+ controls and sub-controls.

What caught my attention however was his explanation of their "Cloud Risk Management - RiskVision Cloud Risk Software Services."

This service made allowances for ensuring an accountable implementation of enterprise policy and security assessments within the cloud, as well as implementing compliance and risk scores with incident management that measure and test enterprise risk, compliance posture, threat levels, vendor risk and policy conformity.

Fantuzzi also spoke about the company's vision for deployment into the cloud and defined their take on Cloud Risk Governance Stages, where he demonstrated their target assessment for both public and private cloud environments in terms of cloud adoption states of readiness, operations and audit.

From an observational viewpoint, its Cloud Risk Operational Monitoring portion appeared to be effectively positioned for application within the cloud ecosystem.

Walking through the product, Fantuzzi also demonstrated allowances for seamless functional operations within several virtual environments, with threat/vulnerability connectors that were aligned with ongoing technical and vulnerability checks.

One purpose was to ensure continuous compliance checks as well as maintain ongoing monitoring for potential attacks - zero day or otherwise.

He also mentioned that an objective of this product is to provide a user with prioritized risk actions and a 360 view of risk posture. These are important factors when it comes to ensuring proper governance and management of risk in our compliance-driven environments.

I am certain that those of you familiar with NIST's Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) can see this product aligning and growing with SAJACC as the cloud ecosystem evolves, and possibly see it as a good utility for both the public and private cloud environments in terms of a cloud step regarding GRC management.

References

[1] Teubner, A. and Feller, T. 2008. Information Technology, Governance and Compliance. Wirtschaftsinformatik 50, 5 (2008), 400-406.

[2] Krantz, M. 2008. Survival in the Age of Risk. http://www.cfo.com/article.cfm/11917608/1/c_2984351?f=related

[3] SETLabs Briefings, Vol 6, No 3, 2008, p. 39.

[4] Humphreys, E. Information Security Management Standard: Compliance, governance and risk management. Elsevier Information Security Technical Report 13 (2008), 247-255.

[5] von Solms, S.H. (Basie). Information Security Governance - Compliance Management vs operational management. Elsevier Computers and Security 24 (2005), 443-447.

[6] Joe Fantuzzi CEO Agiliance. www.agiliance.com

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies, also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid-sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization, Strategy, Governance, Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsible for bringing low performing districts up to number 1 rankings for consecutive quarters, as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications. Jon Shende currently works as a Senior Director for a CSP.

A recognised thought leader, Jon has been invited to speak for the SANS Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."
