PONT Data&Privacy


Cloud security: being in control remains your own responsibility

Organizations are increasingly moving to the cloud and cloud service providers are maturing. This wonderful technology solves many digital issues and offers new opportunities, but it is important to see the cloud as a tool: one for which responsibility always remains with the organizations that acquire these services.

July 30, 2021

Moving to the cloud: three phases

Organizations making the move to the cloud go through three phases. The common denominator for each phase is a focus on efficient use, security and compliance. At the same time, each phase has a number of specific concerns.

Phase 1: to the cloud

Does the vendor's offer match our needs? What type of cloud is involved? How do we make sure we include the controls now? In the run-up to the cloud, these are important questions for organizations to answer. Note that cloud vendors and implementation partners generally focus purely on the functional and operational part of cloud processes and on processing in the cloud. They generally pay less attention to a theme that is important to their customers: compliance.

The major pitfall in setting up the cloud is so-called "lift and shift" behavior, whereas setting up requires at least a partial redesign of the process and technology moving to the cloud. Otherwise, you either do not leverage the (promise of the) cloud, keep the same problems, or create even bigger problems than existed before. The key is to make a clear analysis and determine the business requirements: what do you have now and what do you want to achieve? The next step is a risk assessment, based on questions such as: are we allowed to do this by legislation, regulations or internal policy? What risk do we run if we bring XYZ to the cloud? What measures should we take to address reliability, integrity and confidentiality risks?

Phase 2: in the cloud

Once in the cloud, the priorities are operational management and maintaining oversight. It is not only a matter of selecting the right controls and paying attention to security monitoring, but also of keeping them continuously effective. There must always be someone who is also operationally responsible for execution; how is that arranged? After all, working in the cloud requires different capabilities than working "on premise". The question for organizations working in the cloud is also: what do we still need to organize and arrange ourselves? And: how do we keep a grip on all the running processes? In that context, user access is a major concern. A major risk, for example, is that a transition to the cloud without the right measures leads to increased access for all users within the environment. It takes specific expertise to set up that access properly and limit it to those actually authorized.

Phase 3: in control

An underrated issue with cloud is compliance and accountability. In practice, audits often point the finger at the cloud provider, but organizations remain responsible for the verifiability of their data. This also means being able to demonstrate to regulators - with assurance and certification statements - how processes are set up, where data comes from and how they keep control of everything.

An important note here is that the cloud is not the solution to all problems with IT and in the application landscape. Not everything is immediately taken care of. As with on-site IT facilities, not all functionalities are standard. It is important to combine different cloud solutions/services in the purchased service or license. At the same time, organizations need to be careful not to let themselves be talked into all the available functionalities that they do not need in practice. Often these are also expensive licenses, concluded for several years, so it pays to be keen on all the small print, with the goal of safe and efficient use of the cloud.

Integrated approach essential

The trick is to make the most of the benefits of the cloud while at the same time exercising sufficient control, with the aim of managing risks from setup to use and accountability. With this in mind, working in the cloud requires a specific, pragmatic and integrated approach. That approach calls for a broader perspective not only on the technological possibilities of the cloud but also, and perhaps especially, on the operational, change management and financial consequences of the measures to be taken.
