Top 5 specific actions for governance

Top 5 must-do actions to control governance in the cloud — CyberForged

Good morning everyone! Today we close the governance theme with the Top 5 must-do actions to control governance in the cloud. We will look at the actions we must take into account in order to keep control of everything that happens in the cloud. If you want to see these points in more detail, we recommend the earlier articles, where we go deeper into governance issues.

Shall we go?

Identify the shared responsibilities

As we talked about in the previous article, we must keep in mind that in the cloud, responsibilities are shared with the provider depending on the service and deployment model we are in.

In any case, what we must always keep in mind is how these responsibilities are distributed and, above all, that our company remains responsible for all the data we acquire from customers. This responsibility can never be transferred to the supplier, although it can be shared. In fact, legally your company is responsible if there is a data breach, even if your company then sues the supplier for damages.

Besides being clear that we are the “shared” responsible party, we must be very clear about all the roles inside and outside our company: Product Owners, Authorizing Officials, CISO, CSO, Administrators… Many frameworks describe this type of role, such as ISO/IEC 27017 and the NIST RMF.

We must be clear about all the roles inside and outside our company.

We must understand which part of the responsibility is ours and which part belongs to the provider.

Understand your contracts

Lately at cyberforged we have talked a lot about contracts and how, in some cases, they are the only tools that let us be sure a specific provider will comply with the minimum security our business needs. They help us immensely in controlling governance in the cloud.

There must be at least one person in our company who keeps track of all the contracts with all of our suppliers. In addition, this kind of contract control (or centralization) exercise helps avoid redundant contracts and spending more money than necessary.

It is also very important to know what is in each of the contracts so that, in the event of a data breach, it is clear to us what we can hold the supplier responsible for and what kind of incident response procedures have been agreed upon.

There should be at least one worker in our company who has all the contracts under control, watching for redundancies or failures.

Continuous cloud provider assessments

We saw yesterday in this article that we should always perform continuous assessments of the services offered by providers. If we only analyze a provider in depth at the time of signing the contract, we ignore the risk that comes from providers continually updating their products.

A cloud service may pose little risk to our company in one version and be a high risk when it is upgraded due to new features added. This type of situation happens all the time.

Perform continuous analysis of your cloud providers’ capabilities so that changes in the risk scenario do not go unnoticed.

Align risk strategy

Within the cloud there are different products and different ways of doing things: the AWS KeyVault and its Azure counterpart do not necessarily work the same way, and do not necessarily have the same functionality and features.

We must create a risk strategy aligned with each of these products, since trusting the provider with a vacation photo in a storage service is not the same as trusting it with the encryption key for our company’s most sensitive data in a KeyVault.

We must create specific risk profiles for each of the situations we encounter in our cloud operations.

Manage residual risk

Finally, once we have assessed a provider and are clear about the risks inherent in using its services and products, we must manage the residual risk.

Let us remember that the residual risk is the risk that remains after applying the provider’s own countermeasures (internal firewalls, internal network encryption, etc.) to the generic risks. Managing this risk is up to us, using tools such as encryption or BYOK (bring your own key).

We must treat residual risk as a priority because it is our responsibility to accept or mitigate it.

These are the 5 actions that are mandatory when managing cloud governance. What do you think, do they make sense? Let me know in the comments!

Originally published at on April 27, 2021.
