Mike Kelley, Global IT Sr Manager Information Security, Risk & Compliance, Dana Holding Corporation
Cloud services are a growing business interest with its appealing low barrier to entry model that requires minimal capital expenditure for implementation. It is an elastic platform that can scale according to changing business needs and enables rapid implementation of technology solutions. With respect to IT, the cloud presents an opportunity to transfer traditional operational services to Cloud Service Providers (CSP) allowing IT to focus on delivering services and solutions that provide a strategic advantage in the marketplace. Ultimately, the cloud is fundamentally changing the way IT supports the business transforming IT from a provider of services to a broker of services. It has also expanded the boundaries around information and systems, complicating the model for ensuring proper security measures are enforced.
In the past, IT has been the agent for changing how technology solutions support and enable the business. However, the CSPs have done an effective job marketing their products such that the business is now comfortable engaging them directly for solutions to address their needs which has led to an influx of cloud solutions requests. To deal with the ever increasing requests for cloud solutions, we have developed a Cloud Computing Playbook which is essentially a guide that explains what the cloud is and which processes and/or data that should or should not be in the cloud. The purpose of the playbook is to educate the business and also lay the foundation for evaluating whether or not cloud is the right model for implementing a particular solution.
There are inherent risks associated with moving to the cloud. The most prevalent is the lack of control and visibility into your environment. However, the principles of enforcing security have not changed even with the adoption of cloud services. We view CSPs simply as an extension of our business. Our current strategy of cloud adoption is tactical in nature, addressing specific business problems that have lower risk with respect to information security and compliance. In the meantime, we are strengthening our methodology for governing the adoption and consumption of cloud services.
Our current methodology for ensuring the secure adoption of cloud solutions begins with data classification. Requiring the business to classify data assigns accountability and also provides valuable input for downstream processes including evaluation against the Cloud Computing Playbook, contractual negotiations and CSP evaluation. Once a CSP has been selected, we submit a questionnaire that inquires about the CSP’s risk management program, security policies, organizational structure and internal controls, followed up by discussions with the individual responsible for information security. We also request certification reports that represent an independent assessment of the CSP’s internal controls as further support that the control environment is operating effectively. Depending on timing, contractual negotiations may be performed in parallel. We ensure every contract has a right to audit clause or the right to obtain a certification report on the effectiveness of their internal controls.
We are constantly updating our process to enhance governance over cloud adoption. Our cloud governance program will include a vendor risk management program designed to execute our contractual right to audit for monitoring ongoing risks associated with CSPs. We are also in the process of developing a robust Cloud Evaluation Criteria tool which includes business and technical criteria and is intended to ensure consistency in cloud adoption.