Cloud assurance - what questions to ask?
I was asked various questions a few days ago, about governance and compliance as it applies to moving data and processes onto the Cloud. This is really “Cloud Assurance” – assurance that the move to cloud hasn’t compromised service delivery.
So, I thought I’d post a few general thoughts (they only cover a subset of the issues) here.
What are the main laws and regulations that must be considered by UK organisations when it comes to storing data in the cloud?
Off the top of my head, GDPR is a good start. Not just because of immediate compliance but because of its requirements for a privacy culture generally and implied data protection/security, which mean that issues of data security and data identification really do have to be identified, thought about, and (presumably) addressed. You need to know what data you are storing, where it is stored, under what jurisdiction, whether it is “sensitive” data or not, who has access to it, what its lifecycle is (how it is created, do you have permission to use it and for what purposes, how do you destroy it when no longer needed).
Even if you have no sensitive data (unlikely), a GDPR audit will concentrate your mind on data governance and data risk management – and you can’t be sure that GDPR doesn’t apply to you until you’ve done the audit. Treat GDPR as a catalyst for achieving data governance generally, and identifying data with associated risk (you need to scope for all data, because if you aren’t storing it on the cloud now, you may be in the future) not as a compliance end in itself.
That said, if you are in a regulated company (and all companies are regulated, to a greater or lesser extent), you need to revisit compliance risk analysis for all regulated data, before putting it on the cloud. If you don’t know what regulations apply to your data before your move to the cloud, you have bigger problems than cloud migration.
What does a UK organisation need to do to ensure compliance?
That depends on its individual circumstances and what regs it needs to comply with. There is no magic “check box” solution to compliance on the cloud generally.
I think you should start with good configuration management (CM – which is NOT just software asset management), remembering that this should include everything critical to delivering a business service. You need to know what you have, where it is, who is responsible for it, how it impacts on service delivery (and for which services), what risks attach to it and so on.
If a business service is wholly or partly in the cloud, you need to know exactly which bits and how much of it is on the cloud, which cloud service providers are involved, what SLA’s apply, how business continuity will be handled, what constraints on geographic location of services/data are enforced etc. Think asset management, but assets include people, contracts, SLAs etc as well as hardware (in the cloud, this is virtualised), programs (cloud services), and data.
Adapting this to conventional CM is non-trivial, but remember that you don’t need one single “configuration management database”. You can, and should, have a configuration management service based on federated data sources – for example, if your essential cloud SLAs are documented (and, surely, they must be), just link to where this is.
If you want to talk to experts on CM in the cloud, and on virtualised asset management, remember that the BCS Configuration Management Specialist Group is having its Annual Conference soon, and this is an excellent place to find CM experts. The BCS CMSG Annual Conference is on May 15th 2019, in Covent Garden, London – find out more here. You can book to attend the conference here.
What are the key tasks and processes involved in a cloud compliance audit?
That’s a whole article in itself – firstly, compliance to what regulations? Compliance is not a general thing, you have to comply to something. Perhaps thinking of Cloud Assurance is going to be a useful starting place. As an overview, check out Cloud Assurance on the third tab on Paul Bevan’s article here.
What regular processes are required to ensure cloud compliance for your data?
Another whole article, but as a start, I guess transparency is vital. You should have access to all the stats you might need for the understanding of your data and its usage. And, if your data is on the cloud, make sure that its associated performance and access data (in the widest sense) belongs to you, not to the Cloud provider, and that it is available to you whenever it is needed, in a timely manner. You need to be able to visualise Cloud data location and usage, I think, before you can start to claim compliance to anything.
What questions do you need to ask a cloud provider to ensure cloud compliance?
Asking questions of your cloud provider is necessary, but not sufficient. Remember that you can outsource execution but not accountability and responsibility. That said, you might ask what external assurance that its SLAs are realistic, resilient and reliable it can provide you with. What security and process standards is it certified to, and with what scope, and when? Beware of companies claiming ISO2700x, ISO 20000, CMMI Level 5 certification etc but, it turns out, only for their Iceland (for example) branch, and without any re-certification since certification was first granted.
I think that certification (formal or informal – only pay for the certificate if it delivers a verifiable business benefit) is necessary for providing a scope and context for discussion of the issues around governance risk and compliance; but that is very far from sufficient. Remember all the ISO 9000 certifications that meant that a company could produce rubbish, but predictably and with good documentation – although ISO 9000 is still a good basis for discussing “rubbish improvement initiatives”.
Good security is imperative as a basis for any sort of Cloud governance: check out Fran Howarth’s article here, as a basis for asking questions about security.
Finally, as well as asking questions of your cloud provider, think what questions you could usefully ask your own staff before moving to the cloud. Perhaps you have hidden process workarounds, that no-one documented in-house, but may be overlooked when moving to the cloud. You must understand your status quo before you can move all or part of it to the cloud.