Circle with amiba shape inside

Perspectives

Expose the risk, protect your cloud

Avoid a check-the-box approach with risks in cloud computing

In a boundaryless environment like the cloud, it can be all too easy to assume that certain cloud risks are someone else’s obligation. But having a clear understanding of assurance expectations and knowing who is responsible can help user organizations avoid the pitfalls that go with a false sense of security.

Getting out in front of the storm of risk

Across industries, cloud computing continues to be a fast-growing segment of overall information technology (IT) spending1. For many businesses, it represents the new normal for enterprise IT.

As companies expand their presence in the cloud with hybrid or multicloud environments, new risks continue to emerge. Risk management leaders who fail to understand and address these cloud risks could expose their organization to increased reputational, financial, operational, and regulatory compliance consequences.

One way to gain assurance about risks in cloud computing is through system and organization controls (SOC) reports that cloud service providers can make available to their customers and their auditors. For many larger organizations, they are a cornerstone of conducting business, and for many startup companies, they can provide a competitive advantage.

Learn more about assurance in the cloud

Elevations of cloud risk: Considerations for every phase

Risk has multiple dimensions that can appear during the different phases of the cloud journey, from design to execute to operate.

This section is an infogram

This message and the space it occupies will not be displayed when viewing this page either in Live, Preview, or "View as published" modes

Storm fronts of cloud risk: The shared responsibilities of service providers and user organizations

Managing risks in cloud computing is a shared responsibility. But the point where responsibility transitions from service organization to user organization can be a gray area, especially when multiple vendors and managed service providers are involved. Left undefined, a lack of clarity in this area can give a false sense of security to all parties concerned.

In general, service providers are responsible for their global infrastructure, including compute, store, and network components. Meanwhile, user organizations are responsible for their data, the security considerations for protecting that data, and assuring that controls are in place and aligned to their requirements.

As user organizations grow more reliant on cloud services, service organizations tend to take on increasing responsibility for security domains and elements of the technology, depending upon the delivery model.

For organizations wanting to effectively manage their risks related to the use of a service organization, it’s important to nail down this gray area so that there are no misunderstandings about which party is responsible for each aspect of security.

blue network icon

Forecasting the weather: Frameworks for assurance in the cloud

Once user organizations understand the potential cloud risks they face and know who has responsibility for those risks, they can focus on building a risk-based controls environment. They should map the risks they’ve identified in their specific environment to the controls report provided by each service provider to address any gaps that might exist.

Service organizations typically offer some form of report, such as an SOC report, to their customers. Recent trends we are seeing indicate that some user organizations are going even further by asking service auditors to provide additional assurance around various frameworks in the form of SOC 2+ reports.

teal frame icon

Transcend a check-the-box approach

To unpack how to put cloud assurance into action with SOC reports; learn how collaboration can smooth the journey; and optimize your assurance in the cloud, download our paper, Assurance in the cloud.

multi color circle with amoeba shape inside
Did you find this useful?