Expose the risk, protect your cloud
Avoid a check-the-box approach with risks in cloud computing
In a boundaryless environment like the cloud, it can be all too easy to assume that certain cloud risks are someone else’s obligation. But having a clear understanding of assurance expectations and knowing who is responsible can help user organizations avoid the pitfalls that go with a false sense of security.
Getting out in front of the storm of risk
Across industries, cloud computing continues to be a fast-growing segment of overall information technology (IT) spending.[1] For many businesses, it represents the new normal for enterprise IT.
As companies expand their presence in the cloud with hybrid or multicloud environments, new risks continue to emerge. Risk management leaders who fail to understand and address these cloud risks could expose their organization to increased reputational, financial, operational, and regulatory compliance consequences.
One way to gain assurance about risks in cloud computing is through system and organization controls (SOC) reports that cloud service providers can make available to their customers and their auditors. For many larger organizations, they are a cornerstone of conducting business, and for many startup companies, they can provide a competitive advantage.
Elevations of cloud risk: Considerations for every phase
Risk has multiple dimensions that can appear during the different phases of the cloud journey, from design to execute to operate.
Storm fronts of cloud risk: The shared responsibilities of service providers and user organizations
Managing risks in cloud computing is a shared responsibility. But the point where responsibility transitions from service organization to user organization can be a gray area, especially when multiple vendors and managed service providers are involved. Left undefined, a lack of clarity in this area can give a false sense of security to all parties concerned.
In general, service providers are responsible for their global infrastructure, including compute, storage, and network components. Meanwhile, user organizations are responsible for their data, the security controls that protect that data, and verifying that those controls are in place and aligned to their requirements.
As user organizations grow more reliant on cloud services, service organizations tend to take on increasing responsibility for security domains and elements of the technology, depending upon the delivery model.
For organizations wanting to effectively manage their risks related to the use of a service organization, it’s important to nail down this gray area so that there are no misunderstandings about which party is responsible for each aspect of security.
Forecasting the weather: Frameworks for assurance in the cloud
Once user organizations understand the potential cloud risks they face and know who has responsibility for those risks, they can focus on building a risk-based controls environment. They should map the risks they’ve identified in their specific environment to the controls report provided by each service provider to address any gaps that might exist.
Service organizations typically offer some form of report, such as an SOC report, to their customers. Recent trends we are seeing indicate that some user organizations are going even further by asking service auditors to provide additional assurance around various frameworks in the form of SOC 2+ reports.
Transcend a check-the-box approach
To learn how to put cloud assurance into action with SOC reports, how collaboration can smooth the journey, and how to optimize your assurance in the cloud, download our paper, Assurance in the cloud.