Learn About Our CCSK X CCSP Training Week

3 steps to creating a Cloud Governance Board team

Your entire team needs to understand the basic properties of cloud computing, and cloud security specifically.

Your company needs to understand the shared responsibilities involved with cloud computing. Many of your staff from accounting through to marketing want to be seen as helping the company by being more efficient.

What better way of being highly efficient than just getting it done by onboarding a Software as a Service (SaaS) application rather than waiting six months for your IT department to create something with ten percent of the functionality than what you get with five minutes on a registration page.

What does this mean?

Most likely, you have shadow IT today.

Where is your data now? Do you even know? Is it in Baltimore or Bangladesh? Is this opening your company up for regulatory issues and fines?

Addressing these questions will require executive buy-in.

Without it, you’re doomed.

This calls for the creation of what we call the Cloud Governance Board (CGB).

The CGB is ultimately responsible for the appropriate governance of SaaS through to Infrastructure as a Service (IaaS) implementations.

The CGB assumes the role of what the National Institute of Standards and Technology (NIST) calls the Cloud Broker function and other core functions.

Let’s take a look at the functions the CGB performs.

Identification of required cloud services

You don’t need 50 different Customer Relationship Management (CRM) solutions, right?

Then why do you allow it to happen?

The more systems you procure, the more locations your data is stored, the more expensive your risk management is, the more assessments are needed, the more oversight you need.

On-boarding of cloud services

Who is tasked with roles and sub-roles to implement required controls in all cloud services, from SaaS to IaaS? Do they know where to get this information? Who is in charge of provider assessments? What’s the process? Do you have a blanket approach that uses eight questions, or do you take a risk-based approach?

Contract negotiations

Would you believe me if I told you that some Cloud Solution Providers (CSPs) own the data you upload to their systems?

You should, because it’s true.

What contract reviews do your people do today? What contract terms are they looking for that might be a surprise? How do you know the responsibilities the provider assumes and those you retain if you don’t have trained people performing contract reviews?

Acts as a central repository of all cloud services

Do you have a single, authoritative source of all cloud services consumed by your company? Does it include the individuals who are assigned the role of continuously managing that relationship?

The first step in establishing a CGB is training members. One team, one book. The outline presented here is based on our own Cloud Governance Board program.

Once your team is gathered, they will take part in a three-step course, starting from awareness and education and ending in hands-on implementation of solutions using real-world scenarios.

Step 1: Awareness training

Everyone needs a common language regarding cloud services.

Is it a SaaS? What’s a SaaS? What distinguishes a SaaS from a Platform as a Service (PaaS) and an IaaS?

What’s the difference between a community cloud and a private cloud? What does the provider do, what accountability does your company retain? Is it based on the service model or the provider?

These are the core fundamentals that everyone in the CGB needs to know in unison with all other members.

Not different interpretations – one common understanding.

This is the first level of training. Call it awareness training, or call it cloud 101. It doesn’t matter what you call it, just get everyone through this initial session. This can be as short as a few hours.

The goal here is the high-level basics.

Who should attend: All members, from executives through to technical staff.

Duration: Half day

Step 2: CCSK-like training

This too is a high-level understanding, but goes beyond the awareness session and addresses risk management, compliance, legal, new technologies, etc.

I’ll make things simple and call this Cloud 201. This is the domain of the Certificate of Cloud Security Knowledge (CCSK) and our CCSK certification course can be added to the program for required staff.

Assuming that everyone has been through an awareness training session, this can be done in as little as a day.

Should employees take the CCSK exam and become certified to demonstrate your staff is knowledgeable and qualified when addressing cloud security in your organization?

That is your call. I would recommend it, especially if your people are client-facing as well as members of the CGB.

Who should attend: Every member of the CGB who will have anything to do with risk management, compliance, provider assessment, procuring, architecture or implementing cloud services.

Duration: 2 days

Step 3: Platform training

With your team now trained and empowered, we dive right into the configuration and maintenance of cloud security solutions within your enterprise.

There are two main training sessions targeted towards staff based on their role and responsibilities:

Managing risk and compliance

Risk management, audit, compliance and other “high-level” members should take a multi-day (two days should be sufficient) session that dives into cloud risk and compliance in a cloud environment and its impact on the business.

This session addresses all types of cloud service models (SaaS, PaaS, IaaS). This workshop should be heavy on scenario-based exercises performed by teams.

Platform implementation

Technical staff should attend security focused training on a particular IaaS solution such as Amazon Web Services (AWS) and Azure.

This training will dive into the technical implementation of the platforms you use. This workshop should be heavy on the hands-on experience and lighter on the theory.

Many CSPs offer certifications as well as training.

Who should attend: Technical staff tasked with implementing cloud security services and platforms.

Duration: 2 days

Select our infographic below to enlarge or download the PDF version:

Intrinsec Cloud Governance Board solution infographic

Get started on building your own Cloud Governance Board

Learn more about our CGB program, contact us, or activate our live chat widget to get started equipping your company with a strong cloud governance approach.

Posted under:

Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.

CCSK | CCSP: The Industry’s Leading Cloud Security Certifications - learn more

Upgrade your Skills. Secure your Potential.

Our experts provide hands-on and on-demand training that helps IT and data security professionals meet today's cyber security challenges and prepares you for a successful future.

Training Schedule Contact Us