Expose the risk, protect your cloud

Getting out in front of the storm of risk

Across industries, cloud computing continues to be a fast-growing segment of overall information technology (IT) spending¹. For many businesses, it represents the new normal for enterprise IT.

As companies expand their presence in the cloud with hybrid or multicloud environments, new risks continue to emerge. Risk management leaders who fail to understand and address these cloud risks could expose their organization to increased reputational, financial, operational, and regulatory compliance consequences.

One way to gain assurance about risks in cloud computing is through system and organization controls (SOC) reports that cloud service providers can make available to their customers and their auditors. For many larger organizations, they are a cornerstone of conducting business, and for many startup companies, they can provide a competitive advantage.

Storm fronts of cloud risk: The shared responsibilities of service providers and user organizations

Managing risks in cloud computing is a shared responsibility. But the point where responsibility transitions from service organization to user organization can be a gray area, especially when multiple vendors and managed service providers are involved. Left undefined, a lack of clarity in this area can give a false sense of security to all parties concerned.

In general, service providers are responsible for their global infrastructure, including compute, store, and network components. Meanwhile, user organizations are responsible for their data, the security considerations for protecting that data, and assuring that controls are in place and aligned to their requirements.

As user organizations grow more reliant on cloud services, service organizations tend to take on increasing responsibility for security domains and elements of the technology, depending upon the delivery model.

For organizations wanting to effectively manage their risks related to the use of a service organization, it’s important to nail down this gray area so that there are no misunderstandings about which party is responsible for each aspect of security.

Forecasting the weather: Frameworks for assurance in the cloud

Once user organizations understand the potential cloud risks they face and know who has responsibility for those risks, they can focus on building a risk-based controls environment. They should map the risks they’ve identified in their specific environment to the controls report provided by each service provider to address any gaps that might exist.

Service organizations typically offer some form of report, such as an SOC report, to their customers. Recent trends we are seeing indicate that some user organizations are going even further by asking service auditors to provide additional assurance around various frameworks in the form of SOC 2+ reports.

Transcend a check-the-box approach

To unpack how to put cloud assurance into action with SOC reports; learn how collaboration can smooth the journey; and optimize your assurance in the cloud, download our paper, Assurance in the cloud.