3 steps to creating a Cloud Governance Board team
Your entire team needs to understand the basic properties of cloud computing, and cloud security specifically.
Your company needs to understand the shared responsibilities involved with cloud computing. Many of your staff from accounting through to marketing want to be seen as helping the company by being more efficient.
What better way of being highly efficient than just getting it done by onboarding a Software as a Service (SaaS) application, rather than waiting six months for your IT department to create something with ten percent of the functionality of what you get after five minutes on a registration page?
What does this mean?
Most likely, you have shadow IT today.
Where is your data now? Do you even know? Is it in Baltimore or Bangladesh? Is this opening your company up for regulatory issues and fines?
Addressing these questions will require executive buy-in.
Without it, you’re doomed.
This calls for the creation of what we call the Cloud Governance Board (CGB).
The CGB is ultimately responsible for the appropriate governance of SaaS through to Infrastructure as a Service (IaaS) implementations.
The CGB assumes the role the National Institute of Standards and Technology (NIST) calls the Cloud Broker, along with other core functions.
Let’s take a look at the functions the CGB performs.
Identification of required cloud services
You don’t need 50 different Customer Relationship Management (CRM) solutions, right?
Then why do you allow it to happen?
The more systems you procure, the more locations your data is stored in, the more expensive your risk management becomes, the more assessments are needed, and the more oversight you need.
On-boarding of cloud services
Who is tasked with roles and sub-roles to implement required controls in all cloud services, from SaaS to IaaS? Do they know where to get this information? Who is in charge of provider assessments? What’s the process? Do you have a blanket approach that uses eight questions, or do you take a risk-based approach?
Would you believe me if I told you that some Cloud Solution Providers (CSPs) own the data you upload to their systems?
You should, because it’s true.
What contract reviews do your people do today? What contract terms are they looking for that might be a surprise? How do you know the responsibilities the provider assumes and those you retain if you don’t have trained people performing contract reviews?
Acts as a central repository of all cloud services
Do you have a single, authoritative source of all cloud services consumed by your company? Does it include the individuals who are assigned the role of continuously managing that relationship?
The first step in establishing a CGB is training members. One team, one book. The outline presented here is based on our own Cloud Governance Board program.
Once your team is gathered, they will take part in a three-step course, starting from awareness and education and ending in hands-on implementation of solutions using real-world scenarios.
Step 1: Awareness training
Everyone needs a common language regarding cloud services.
Is it a SaaS? What’s a SaaS? What distinguishes a SaaS from a Platform as a Service (PaaS) and an IaaS?
What’s the difference between a community cloud and a private cloud? What does the provider do, what accountability does your company retain? Is it based on the service model or the provider?
These are the core fundamentals that everyone in the CGB needs to know in unison with all other members.
Not different interpretations – one common understanding.
This is the first level of training. Call it awareness training, or call it cloud 101. It doesn’t matter what you call it, just get everyone through this initial session. This can be as short as a few hours.
The goal here is the high-level basics.
Who should attend: All members, from executives through to technical staff.
Duration: Half day
Step 2: CCSK-like training
This too is a high-level understanding, but goes beyond the awareness session and addresses risk management, compliance, legal, new technologies, etc.
I’ll make things simple and call this Cloud 201. This is the domain of the Certificate of Cloud Security Knowledge (CCSK) and our CCSK certification course can be added to the program for required staff.
Assuming that everyone has been through an awareness training session, this can be done in as little as a day.
Should employees take the CCSK exam and become certified to demonstrate your staff is knowledgeable and qualified when addressing cloud security in your organization?
That is your call. I would recommend it, especially if your people are client-facing as well as members of the CGB.
Who should attend: Every member of the CGB who will have anything to do with risk management, compliance, provider assessment, procuring, architecture or implementing cloud services.
Duration: 2 days
Step 3: Platform training
With your team now trained and empowered, we dive right into the configuration and maintenance of cloud security solutions within your enterprise.
There are two main training sessions, targeted at staff based on their roles and responsibilities:
Managing risk and compliance
Risk management, audit, compliance and other “high-level” members should take a multi-day (two days should be sufficient) session that dives into cloud risk and compliance in a cloud environment and its impact on the business.
This session addresses all types of cloud service models (SaaS, PaaS, IaaS). This workshop should be heavy on scenario-based exercises performed by teams.
Technical staff should attend security-focused training on a particular IaaS solution, such as Amazon Web Services (AWS) or Azure.
This training dives into the technical implementation of the platforms you use. This workshop should be heavy on hands-on experience and lighter on theory.
Many CSPs offer certifications as well as training.
Who should attend: Technical staff tasked with implementing cloud security services and platforms.
Duration: 2 days