Wednesday, November 17, 2010

Governing Governance, Risking Risky Analysis Paralysis & Complying With Compliance In Successful Cloud Computing Initiatives

The Cloud Security Alliance, just announced a new stack to address issues of governance, risk management and compliance for the nascent but exploding cloud computing industry. InformationWeek has a good short news report on the subject.

I consider this welcome news, from two perspectives - as an individual professional opinion; and as the opinion of someone leading vertical solutions and service provider offers planning & management, at an industry-leader cloud technology company.

Cloud Computing has been fortunate that its hype only slightly exceeded the real world benefits it provides, and its ad-hoc, vendors and clients deciding what's best for them, implementation of governance, risk and compliance management were "just good enough" to keep the ball rolling. For early adopters, and for those seeking immediate TCO (Total Cost of Ownership) and ROI (Return On Investment) value of next generation data center models, with highly converged virtualized infrastructure, this was not a show stopper.

But, for the Cloud industry to evolve to the next stage, where it literally can explode to the stage, which would make the latest set of analyst predictions, such as those quoted in the article above, actually likely to come true, governance, risk and compliance issues had to be addressed sooner rather than later.

The challenge in every new paradigm (or even what some consider a repackaged old paradigm enabled by technology capabilities that enable the concept to take off this time) is to balance between extremes along those three lines of concerns.

I have called attention to these topics in the past in print and online. My concern has been that overly excited buyers, and sell-at-all-costs vendors could lead to risky behavior on one side of the spectrum, while analysis paralysis would keep a huge majority from losing out on the benefits of cloud computing.

What is needed, as I have said before, is a pragmatic and practical approach; rather than utopian and impossible drives for perfection, that cannot be achieved in one, much less, three areas of importance like GRC. Add to that the complexity and impossibility of agreement, a situation in which every stakeholder brings their own colored and colorful viewpoint.

The need is for comprehensive, but not onerous, approaches to governance; risk management without seeking absolute, "perfect", impossible to achieve, levels of "zero risk"; and compliance standards that enable enterprise and service provider moves to cloud models, rather than being roadblocks. These are are all essential steps without tripping up clients or vendors.

The CSA's latest contribution to successfully achieving these is a free GRC stack, a set of toolkits, for enterprise customers, vendors of cloud & security solutions, as well as those tasked with auditing IT. The toolkits are, Cloud Audit, Cloud Controls Matrix and the Consensus Assessments Initiative Questionnaire (Apparently they did not spend much time on coming up with a better name for this last one!). You can download the GRC stack free.

This is not, by any stretch of the imagination, GRC nirvana. There will be many significant areas, from Department of Defense related federal requirements, to the extremely granular levels of security an increasingly networked global financial system requires, and many others.

But, I hope, and remain confident, that this will be the first in an ongoing series of steps towards ever-improving quality of governance, risk management and compliance standards, which will help cloud vendors and users alike.


Imran Anwar is founder of Internet email in Pakistan, co-founder and co-owner of the .PK ccTLD of Pakistan, and founder of the credit card industry there. As a New York based technology, media and business professional he is often seen and heard on global media like CNN, Fox News, Express TV, WWRL and many others. These are Imran's personal opinions and do not necessarily reflect those of any employer, employer's parent companies, clients, family members or other persons or organizations. Phew!



Technorati Tags: , , , , , , ,


Post a Comment