To Succeed in 2021 and Beyond, Organizations Must Change Their Cloud Governance Approach

Industries are experiencing profound change, underscored by digital transformation and cloud computing that provide organizations unparalleled opportunities for value creation and growth.

Pundits reference the Fourth Industrial Revolution and the global COVID-19 pandemic as evolving conditions that have created a perfect storm for unprecedented, transformative change in almost every business sector.

For example, the financial services industry has experienced a complete overhaul with the rise of fintech over the last five years. According to TechCrunch, there are now over 20 fintech “unicorns” — startups worth over $1 billion. The types of organizations affected by the need for digital transformation run the gamut — from 100-year-old banks and insurance providers to the fintech startups mentioned above. Regardless of whether a business was born in the digital era or is now playing catch-up, none can afford to ignore the effect caused by digital disruption. In my tenure at Goldman Sachs, I had the opportunity to take a firm focus on traditional capital markets and, using the cloud, transform them by moving further into consumer markets to see incredible innovation and capture additional market share.

We see similar market shifts driven by technology occurring in the healthcare world, as well as in almost every aspect of the retail, education, and manufacturing sectors. Across the board, technology offers industries a competitive advantage, creating incredible opportunity while also representing a major source of risk. As organizations become more digital, how do they ensure that they are managing their risk as they accelerate public cloud adoption at scale? With the ephemeral nature of cloud and the general lack of cloud expertise, how do organizations protect themselves effectively against a growing threat landscape?

What have organizations done, to date, to accommodate or support the cloud?

How do we ensure organizations can change and differentiate in a world that is increasingly complex technologically? Adaptation to this challenge has taken several forms. For example, organizations have invested in shifting software development practices to agile methodologies — from waterfall to CI/CD in order to support the velocity of change necessary to reduce risk through standardization. Infrastructure has seen a massive change as public cloud has moved towards ubiquity and become not only the de facto platform choice, but also the heart of where most transformation innovation is occurring.

Where we’ve not seen the necessary change occur is in the control architecture for security, risk, and operations. At the same time, we can generally agree that historically most institutions have designed their control and risk management functions based on a human control plane. As we move into a world where organizations that neglect to adapt and automate quickly will fail, the approach to managing this new control plane is crucial.

Pervasive Cloud Challenges

In my time at Goldman and working with many clients in my role as a senior advisor at McKinsey, I’ve seen the following cloud challenges as companies begin to fully embrace cloud:

  • Ownership – Because cloud requires operating in shared infrastructure, the ability to make changes through organizational identities, and the defined policy responsibilities over domains and scope, must be managed through a robust cloud ownership structure.
  • Policy – The shift towards policy-as-code and a policy-based approach is required to manage cloud risk.
  • Attestation – Evidencing of compliance with security and regulatory controls.

Rethink Cloud Security Governance

Considering these challenges, how do we move the governance of security and risk from an outdated, human-centric methodology to an approach that feels more like our agile software methodologies? The answer: organizations need to automate cloud governance. We need to move cloud governance from a periodic audit event to a continuous assessment built on "never trust, always verify."

At Concourse, we think there are four major components that need to be thought through, designed for, and ultimately implemented and industrialized to be operating at cloud scale:

  • Policy as Code – Policy as Code is required to automate governance to keep pace with cloud and cloud delivery. Policy as Code will enable an organization to move from subjective to objective risk assessments that are based on data, and are sustainable, repeatable, and auditable.
  • Business Context – Enterprises are complex organizations, spanning different business units, geographies, customers, applications, and data repositories. Businesses must have the ability to create multi-tenant environments and establish policies that reflect the diverse needs of every part of the enterprise.
  • Address the Problem at the Application Layer – Historical assessments were based on network-layer information. It is critical to identify and address drift at the data layer to weed out the noise and focus on the information specific to your needs.
  • Continuous Lifecycle – A continuous life cycle around governance is required for an organization to be adaptive and keep up with the ephemeral nature of cloud.

Now that we’ve identified the major cloud challenges and the four key components for operating cloud at scale, how do we bring this landscape together in a way that supports the veracity of the requirements at hand, while taking into account that they are not only continuously changing over time but continuously improving as well?

To Operate Their Businesses Successfully in the Cloud, Enterprises Must Rethink Security Governance

The complexity associated with the growth of technology investments is only accelerating. Business leaders across all sectors are grappling with the strategic implications of this transformation, and Concourse uniquely brings the perspective, and therefore the solutions, that offset that complexity and address the criticality of effective governance as organizations transform their businesses in the cloud.

To learn what changes are required for effective cloud governance so organizations can safely achieve digital transformation at scale, watch my webinar here.
