Emerging GRC patterns around Cloud

With Microsoft making a big bet on its Azure Cloud based services, the impact and implications for Governance, Risk & Compliance (GRC) space makes for a very interesting case. I will share some interesting industry patterns around GRC on an ongoing basis as i come across them. Today i  start off with - Cloud GRC and Cloud based GRC services.

Cloud GRC - As companies in regulated industries look to adopt Cloud for relevant operating models and workloads, Cloud Governance, risk and compliance (GRC) is a key consideration. Typically firms list security, privacy, reliability, and operational control as key issues. There are baseline expectations that both existing as well as emerging certifications and standard attestations would be applied and stretched to the Cloud such as SAS 70, FISMA, ISO 27001, HIPAA, PCI DSS etc. There are also some evolving standards being worked on at bodies such as the ISO, ENISA etc. Microsoft itself addresses these issues through the coordinated and strategic application of people, processes, technologies, and experience. The result is continuous cloud security advances within the Microsoft cloud environment. For e.g. Windows Azure contains a risk-based program that hunts down and labels security and operational threats. It also keeps a detailed set of security controls updated and maintained at all times. Windows Azure operates a compliance framework that helps ensures organizational controls are designed correctly and operating as they should be.

You can find more information via this link. and whitepaper (Securing Microsoft's Cloud Infrastructure).

Cloud based GRC services - In many industries, regulatory reporting and risk assessment requirements are spread across the value chain or the supply chain. Many of these currently are supported by disparate, inconsistent and exist at country or functional level silos hosted by respective dept., suppliers. In such cases, Cloud based GRC Services lend themselves very well. An integrated Cloud based approach could help enable rapid deployment across the value chain for efficiencies. For e.g. European Environment Agency reporting and tracking is done across 32 member countries on Microsoft Azure.

Cloud as an enabler to develop and run applications with unbounded scalability and ease-of-use, lends itself very well to GRC due to rapidly changing regulations. Common GRC related activities such as stress testing, inspection, audit neccessiate temporary periodic spikes in need for collaborative workspace, computing needs and business records archiving. Currently the response to this is ad-hoc and puts a lot of pressure on the organization to manage this need. A Cloud based computing cycle, inspection, audit workspace, archiving workspace could very well fit here to manage the peak loads. For e.g. Risk specialist firm RiskMetrics, a division of MSCI, offers Monte Carlo Risk simulations from Azure to its customers during peak loads. I have blogged about this case earlier.

With such a Cloud based flexible platform, one can easily scale up or down to meet the demands of risk management and regulatory reporting. With the pay-for-use business model, one does not waste money on services one will not use 90% of the time.

Stay tuned as I cover more specifics on industry adoption in my following blogs.

Do you see similar patterns ?