4 Steps To Reducing the Risks of Moving to a Cloud Computing Provider
This guest article was written by Chris Caldwell, CEO of LockPath. LockPath’s governance, risk and compliance software helps organizations manage the risk surrounding their cloud implementations.
Moving to the cloud can be a cost-effective proposition for small and mid-size businesses. However, in today’s cyber-security climate, it is critical to determine how to manage the risk that comes with moving to the cloud. If you don’t have the right governance, risk and compliance (GRC) strategy in place, the cloud computing implementation could become a complete disaster from a security perspective. So what’s a mid-sized business to do?
Once you move to a cloud computing provider, someone else will manage your data, but it is still ultimately your responsibility. Having an effective governance, risk and compliance (GRC) strategy in place can help your transition to the cloud go smoothly.
Laying the groundwork to create a sound GRC program involves four key areas:
- Conduct a fresh legal analysis of your organization’s liability exposure. For example, Service Level Agreements (SLAs) should address any and all risks to your data while it lives in the cloud – from how the cloud vendor will store and protect your data, to how and when you will be notified in the event of a breach. In addition, a strong “Right to Audit” clause gives your organization the right to have an external auditor verify that your cloud provider is in compliance with the specifications you have set forth.
- Ensure your vendor risk management program accounts for the new risks that come with moving to the cloud. Organizations such as Shared Assessments have created standardized vendor questionnaires featuring cloud-focused questions to help you more effectively manage the relationships and lower risks.
- Determine data portability and retention in your contract. Make sure you fully understand the policies around secure deletion, data retention/requests and what happens to your data if you sever the relationship or the cloud vendor is acquired or goes out of business.
- Determine how you will control which users are allowed to do what in which cloud applications. Often, you are at the mercy of your cloud provider’s identity management capabilities, so it is extremely important to investigate these features and plan how your organization will enforce identity management policies.
Protecting your company’s data, and reputation, is just as important in the cloud. Mid-sized organizations must extend proven GRC approaches to cloud decisions and strategies.
Serious about cloud computing, but unsure how to securely make the transition? Register for a free webinar on the “4 Critical Steps When Moving To Cloud”.
