The migration to the cloud is occurring faster than ever in an era of widespread remote work and an increased need for speed and agility in conducting business. As enterprises move away from on-premises servers and embrace cloud computing and SaaS applications, enterprise cloud champions must account for the resulting risks and compliance hurdles. Below are some key cloud questions that should be addressed for effective cloud governance.
How can we accelerate our move to the cloud?
By now, the question for most organizations isn’t whether to move to the cloud; it’s where they are on the journey and how quickly it can be done. The COVID-19 pandemic and the shift to remote work are prompting many organizations to expedite their cloud migrations. Enterprises should consider going beyond the usual budgetary investments: if the management team had more resources, what could they accomplish? It might be better to invest more initially and move faster.
What percentage of our business-critical applications are currently running on the cloud?
After being told X percentage of apps are running on the cloud, a logical follow-up question for cloud champions is whether there are plans to make that total 100%. If not, why? If so, when will the last server be turned off?
Have we done a risk assessment related to our present and future use of cloud?
Any major transition done on an aggressive timeframe poses new risks. There should be a way for management to show the board that cloud-related risks have been assessed and the appropriate mitigations have been put in place. It is also important to call out which risks, if any, exceed the organization’s risk appetite.
Have we implemented DevSecOps to develop and deploy cloud applications?
Migration to the cloud without DevSecOps doesn’t make sense. DevSecOps is the way to successfully implement cloud applications from the standpoints of both security and quality. For organizations on this path, cloud champions should ask: What percentage of our CI/CD pipeline is fully automated? Does it include automated unit tests, integration tests, security tests, security checks and audit artifacts? Can security leaders show a simple chart reflecting the progress of the DevSecOps capability over time?
Have we had an independent cloud audit?
If enterprise leaders are only hearing from internal staff, they likely will not have the level of confidence needed regarding their organization’s cloud procedures and implementations. Independent reviews are critical, and cloud audits performed by credentialed auditors will typically surface significant security and/or compliance shortcomings. Pentests can provide an additional, useful cross-check, but they are typically not as thorough as an audit.
To see more questions and answers on key cloud governance topics, download the infographic on the Certificate of Cloud Auditing Knowledge (CCAK) page.