A strategic approach to cloud security
A strategic approach to cloud security should be driven by a governance and control framework created with the enterprise’s risk appetite in mind.
Enterprise security teams led by the Chief Information Security Officer (CISO) define the policies and controls, as well as managing them against the IT budget. They leverage an IT Governance, Risk, and Compliance (GRC) framework that defines the policies and assesses the controls in place to meet the audit and compliance requirements. The audit and compliance set are based on industry needs and regulatory requirements. The risk management part of the framework continuously assesses the effectiveness of the controls against the business goals. The following diagram shows the GRC control framework, which includes the policies, controls, audit, compliance, and risk management:
Figure 2.1 – GRC for the cloud
This also includes threat management and the continuous...
