As the Cloud evolves to become GRC-enabled, there are likely to be events that force its evolution. I am thinking of a few, and you may have many others. They may happen sequentially, but a more likely to happen simultaneously for all practical purposes…
1.
Bad things
happen early on, forcing adoption of GRC-enabled cloud services. Cloud consolidates lots of information in one
world, making it attractive to those who would benefit from exploits. Clouds
will be tested by some of the best criminal minds, not to mention the best
intentioned humans who simply mess up.
We will learn where the holes are leveraging analytics and modeling, through
the virtualization layer's highly granular monitoring capabilities, combined
with security information and event monitoring that is extended to the cloud. We
will patch and fret our way into smaller and smaller threat surfaces. These events
will be forcing functions that cause cloud vendors to leverage economies of
scale not only for cost reduction, but now for GRC-enablement, certification
and dynamic risk management.
2.
Cloud
vendors stratify into layers of increasing GRC-enablement. Cloud vendors will differentiate themselves
based on their ability to offer various levels of GRC-enablement, based on the visibility,
compliance and access needs of the customer. At first this will be coarse
grained, but as organizations are able to understand and define their needs
more granularly, services will naturally segregate information and entities by
their classifications and allow them free movement within cloud segments that
are matched precisely to those needs. Eventually service will be so superior it
will be far cheaper for organizations to contract with a GRC-enabled cloud than
retrofit their legacy IT environments, and increasingly, their internal clouds.
Cloud vendors will seek long-term, high value relationships with high switching
costs by leveraging technologies for data center monitoring, data encryption
and tokenization, federated identity management and strong authentication to
prevent fraud, detect malware and demonstrate compliance.
3.
Cloud
vendors band together to create classifications that enable
chain-of-trust-custody. Federation
between clouds will develops rapidly as the rules of engagement become more
automated and understood, leveraging federated identity management, encryption
and more. Insight into, understanding of and protection from the ‘dark cloud’ will be possible through
unified efforts of cloud owners and providers.
4.
Organizations
understand their needs more granularly.
Organizations formalize information governance and learn to classify
elements dynamically and accurately, based on business impact analysis that is
rationalized and current, in a feedback loop with threat and vulnerability
analysis. Information and assets will be able to be intelligently and
automatically allocated to the cloud environ that meets information governance
requirements.
What further scenarios do you imagine? What cloud eddies and
currents can you see along the way?
Let’s continue the dialogue….. it’s time.
