As the Cloud evolves to become GRC-enabled, there are likely to be events that force its evolution. I am thinking of a few, and you may have many others. They may happen sequentially, but are more likely to happen simultaneously for all practical purposes…
1. Bad things happen early on, forcing adoption of GRC-enabled cloud services. Cloud consolidates lots of information in one world, making it attractive to those who would benefit from exploits. Clouds will be tested by some of the best criminal minds, not to mention the best intentioned humans who simply mess up. We will learn where the holes are leveraging analytics and modeling, through the virtualization layer's highly granular monitoring capabilities, combined with security information and event monitoring that is extended to the cloud. We will patch and fret our way into smaller and smaller threat surfaces. These events will be forcing functions that cause cloud vendors to leverage economies of scale not only for cost reduction, but now for GRC-enablement, certification and dynamic risk management.
2. Cloud vendors stratify into layers of increasing GRC-enablement. Cloud vendors will differentiate themselves based on their ability to offer various levels of GRC-enablement, based on the visibility, compliance and access needs of the customer. At first this will be coarse grained, but as organizations are able to understand and define their needs more granularly, services will naturally segregate information and entities by their classifications and allow them free movement within cloud segments that are matched precisely to those needs. Eventually service will be so superior it will be far cheaper for organizations to contract with a GRC-enabled cloud than retrofit their legacy IT environments, and increasingly, their internal clouds. Cloud vendors will seek long-term, high value relationships with high switching costs by leveraging technologies for data center monitoring, data encryption and tokenization, federated identity management and strong authentication to prevent fraud, detect malware and demonstrate compliance.
3. Cloud vendors band together to create classifications that enable chain-of-trust-custody. Federation between clouds will develop rapidly as the rules of engagement become more automated and understood, leveraging federated identity management, encryption and more. Insight into, understanding of and protection from the ‘dark cloud’ will be possible through unified efforts of cloud owners and providers.
4. Organizations understand their needs more granularly. Organizations formalize information governance and learn to classify elements dynamically and accurately, based on business impact analysis that is rationalized and current, in a feedback loop with threat and vulnerability analysis. Information and assets will be able to be intelligently and automatically allocated to the cloud environ that meets information governance requirements.
What further scenarios do you imagine? What cloud eddies and currents can you see along the way? Let’s continue the dialogue… it’s time.