Home » Managing risk in the Cloud; speed is nothing without control
Client Stories

Managing risk in the Cloud; speed is nothing without control

Control - Repeatable action designed to manage risk within appetite and increases the likelihood of achieving objectives

Loosely coupled architectures require tightly coupled controls. Broadstones can help your business address your Controls challenge by:

  • Defining the risk position for your business, bringing together siloed stakeholder views and varying levels of understanding
  • Meeting the new 2020 regulatory requirement to have a Controls Framework in place
  • Getting away from being audit response led and getting on the right side of the conversation with your regulator
  • Create consistent, enterprise wide standards for how your business stays safe in the Cloud
  • Stop your teams reinventing the wheel by promoting reuse of technology solutions to manage risk
  • Clarifying how the teams and roles within your business come together to Own and Operate controls
  • Getting your devops culture truly healthy and balanced; helping great developers become great systems operators by guiding them through their Controls journey

How it Started

We are all making increasing our use of Cloud, whether that is through migration of existing legacy technologies out of datacentres, building new applications in the Cloud or by adopting vendor provided Cloud based services. Cloud is now mainstream; a foundational part of every companies technology estate. Almost all of the respondents to the 2020 Gartner Cloud End-User Buying Behaviour Survey indicated that their organisation plans to maintain or increase IT spending on cloud computing in the next 12 months. Gartner also state that 40% or all enterprise workloads will be deployed in Cloud Infrastructure by 2023, up from only 20% in 2020. The COVID-19 pandemic has resulted rapid advancement of Cloud strategies, driven by the non-negotiable need to collaborate and move teams out of physical premises and datacentres.

Like our client in this story, many businesses now adopting, or furthering the depth of their Cloud adoption, have an impossible shopping list for their Cloud needs; we want our Cloud to be the: safest, cheapest, most fully featured deployment with world class innovative, agile, provider agnostic, quickest to build, lowest maintenance system that is totally under our control to enhance and build upon. Whilst Cloud does set a new normal for the levels of nimbleness businesses can realistically achieve, it does open new threat vectors for those businesses that hold their company information and end customers’ personal and transactional data within the Public Cloud. Attacks and data breaches are very damaging to a compromised business. This becomes even more damaging when your business is operating within a regulated industry and this is why is it vital that regulated businesses have a Control Framework for Cloud that well adopted and operationally evident across their business.

  •       It is now a regulatory requirement that businesses have a full Controls Framework
  •       In August 2020 Experian, a consumer credit reporting company, experienced a breach of data which has exposed personal information of as many as 24 million South Africans, and 793,749 business entities, to a suspected fraudster
  •       The UK’s financial regulator has fined Commerzbank £38m for money-laundering failures, including an “out-of-control” system for checking clients
  •       160,000 violations reported to the data protection authorities, GDPR fines approach €200million in Europe
  •       Of the $36 billion in fines since 2008, roughly $10 billion of non-compliance fines were awarded in 2019

Focus from regulatory bodies on Cloud Controls has never been more important. Broadstones have helped a brand name Financial Services business address this challenge of remaining demonstrably in control whilst consuming Public Cloud and be prepared for constructive, evidence based discussions with their regulator.

What we did

We were looking for an established lineage, a family tree, between Regulation, Risk, Policy,  Standards, Controls and Assurance. We were looking for well establish processes in which Controls were evidenced as operating.

Broadstones quickly discovered that our client has little formally documented and operated controls. So we needed to do two things; plug critical gaps quickly and build and implement a Controls Framework.

Identifying critical gaps. Step one. As the client didn’t have their own Control Framework, and had few documented Controls, we rapidly established a baseline position by measuring their control effectiveness against industry best practice and reference scoring by using the Broadstones Cloud Control Framework. Our assessment focuses upon crediting robust risk mitigation against control objectives in the enterprise Policies and Standards. Effectiveness was scored and gaps identified.

Closing critical gaps. Step two. A remediation plan was produced based upon the gaps identified in the assessment. Each Control issue was assigned ownership to a stakeholder within the appropriate Control function. Broadstones built the plan to deliver enduring capability not deploy tactical fixes and recognised and brought in existing, related initiatives that had a positive impact on Control, refocussing these where required into a meaningful and aligned remediation portfolio. We brought the client team on the journey with us, sharing experiences and educating.

Building a Control Framework. Step three. We worked to then build a Control Definition for the client; a common way to capture Controls is the foundation for consistency of understanding and evidenced operation. We worked with the client Risk function to ensure that the Control Framework could be extended in coverage and depth after the engagement. The relationship with the Risk function was vital to map existing defined policy and standards and through to the Controls, we worked to define that lineage for the Controls we build for the client.

Implementing the Control Framework. Step four. For Broadstones, this was the transition point. By working collaboratively with the client team, building understanding and showing how, meant that they were ready to undertake this part of the journey themselves, but we were still there to help them prepare for this step. Whilst the client led implementation of the Controls framework, Broadstones built a plan and approach, produced education materials and held briefings to ensure successful deployment. This stage focussed on building mechanisms with supportive governance to demonstrable controls assurance and capture proactive reporting and for exceptions handling and acceptance.

Broadstones can help you safely use Cloud and demonstrably remain in control; it isn’t complex, with a little support, experience and know-how we can help you to build and implement your Controls Framework and get in front of your Regulatory conversations. We have found that undertaking a Controls journey helps to solidify your DevOps culture and get your product Owners focussed not just on functionality, but proactively managing risk to the business and being really ready for audit.

Tell us about your project

Contact us

Insights directly to your inbox