Home » CloudIndustry ResearchTechnology Insight » Managing risk in the Cloud; speed is nothing without control

Control – Repeatable action designed to manage risk within appetite and increases the likelihood of achieving objectives

Loosely coupled architectures require tightly coupled controls. Broadstones can help your business address your Controls challenge by:

  • Defining the risk position for your business, bringing together siloed stakeholder views and varying levels of understanding.
  • Meeting the new 2020 FCA regulatory requirement to have a Controls Framework in place.
  • Getting away from being audit response led and getting on the right side of the conversation with your regulator.
  • Create consistent, enterprise wide standards for how your business stays safe in the Cloud.
  • Stop your teams reinventing the wheel by promoting reuse of technology solutions to manage risk.
  • Clarifying how the teams and roles within your business come together to Own and Operate controls.
  • Getting your DevOps culture truly healthy and balanced; helping great developers become great systems operators by guiding them through their Controls journey.

How it Started

We are all making increasing use of Cloud, whether that is through migration of existing legacy technologies out of datacentres, building new applications in the Cloud or by adopting vendor provided Cloud based services. Cloud is now mainstream; a foundational part of every company’s technology estate.

Almost all the respondents to the 2020 Gartner Cloud End-User Buying Behaviour Survey indicated that their organisation plans to maintain or increase IT spending on cloud computing in the next 12 months. Gartner also state that 40% or all enterprise workloads will be deployed in Cloud Infrastructure by 2023, up from only 20% in 2020.

The COVID-19 pandemic has resulted rapid advancement of Cloud strategies, driven by the non-negotiable need to collaborate and move teams out of physical premises and datacentres and to be able interact with customers virtually to remain viable and profitable.

Like our client in this case study story, we know many businesses now adopting, or furthering the depth of their Cloud adoption, have an impossible shopping list for their Cloud needs; we want our Cloud to be the: safest, cheapest, most fully featured deployment with world class innovative, agile, provider agnostic, quickest to build, lowest maintenance system that is totally under our control to enhance and build upon.

Whilst Cloud does set a new normal for the levels of nimbleness businesses can realistically achieve, it does open new threat vectors for those businesses that hold their company information and end customers’ personal and transactional data within the Public Cloud.

Attacks and data breaches are very damaging to a compromised business. This becomes even more damaging when your business is operating within a regulated industry, and therefore is it vital that regulated businesses have a Control Framework for Cloud that is well adopted and operationally evident across their business. It is also poignant to note that ransomware attacks are increasing in many industries that have legacy estates so the need to modernise not only for all the reasons listed above but also to mitigate this growing trend. Ransomware continues to be successful because companies have not invested in creating a culture of defence or a sense of responsibility for data, workforces are not equipped to stand up against cyber threats, the threats from malicious outsiders only persist, and proper security controls are not implemented and maintained.

  • It is now a FCA regulatory requirement that businesses have a full Controls Framework.
  • In August 2020 Experian, a consumer credit reporting company, experienced a breach of data which has exposed personal information of as many as 24 million South Africans, and 793,749 business entities, to a suspected fraudster.
  • The UK’s financial regulator has fined Commerzbank £38m for money-laundering failures, including an “out-of-control” system for checking clients.
  • 160,000 violations reported to the data protection authorities, GDPR fines approach €200million in Europe.
  • Of the $36 billion in fines since 2008, roughly $10 billion of non-compliance fines were awarded in 2019.
  • Ransomware attacks were the most observed security threats in 2020, with one-third of all cyberattacks with an estimated global cost of $20 billion.
  • Downtime causes by ransomware attacks increased 200%, with costs being 23x greater than the ransom value.
  • With many new ransomware houses focussing on creating RaaS (Ransomware-as-a-service) this trend is not likely to abate anytime soon.

Focus from regulatory bodies on Cloud Controls has never been more important. Broadstones have helped a brand name Financial Services business address this challenge of remaining demonstrably in control whilst consuming Public Cloud and be prepared for constructive, evidence based discussions with their regulator.

What we did

We were looking for an established lineage, a family tree, between Regulation, Risk, Policy, Standards, Controls and Assurance. We were looking for well establish processes in which Controls were evidenced as operating.

Broadstones quickly discovered that our client has little formally documented and operated controls. So, we needed to do two things; plug critical gaps quickly and build and implement a Controls Framework.

Identifying critical gaps. Step one. As the client did not have their own Control Framework, and had few documented Controls, we rapidly established a baseline position by measuring their control effectiveness against industry best practice and reference scoring by using the Broadstones Cloud Control Framework. Our assessment focuses upon crediting robust risk mitigation against control objectives in the enterprise Policies and Standards. Effectiveness was scored and gaps identified.

Figure1: example assessment – levels as per table colour. Areas are the categories of control.


Closing critical gaps. Step two. A remediation plan was produced based upon the gaps identified in the assessment. Each Control issue was assigned ownership to a stakeholder within the appropriate Control function. Broadstones built the plan to deliver enduring capability; not deploy tactical fixes and recognised and brought in existing, related initiatives that had a positive impact on Control, refocussing these where required into a meaningful and aligned remediation portfolio. We brought the client team on the journey with us, sharing experiences and educating.

Building a Control Framework. Step three. We worked to then build a Control Definition for the client; a common way to capture Controls is the foundation for consistency of understanding and evidenced operation. We worked with the client Risk function to ensure that the Control Framework could be extended in coverage and depth after the engagement. The relationship with the Risk function was vital to map existing defined policy and standards and through to the Controls, we worked to define that lineage for the Controls we build for the client.

Figure2: overall structure of the Broadstones approach


Implementing the Control Framework. Step four. For Broadstones, this was the transition point. By working collaboratively with the client team, building understanding, and showing how, meant that they were ready to undertake this part of the journey themselves, but we were still there to help them prepare for this step. Whilst the client led implementation of the Controls framework, Broadstones built a plan and approach, produced education materials, and held briefings to ensure successful deployment. This stage focussed on building mechanisms with supportive governance to demonstrable controls assurance and capture proactive reporting and for exceptions handling and acceptance.

Who We Are

Broadstones can help you safely use Cloud and demonstrably remain in control; it is not complex, and with a little support, experience and know-how we can help you to build and implement a tailored-to-you Controls Framework and get you on the front foot with your Regulatory conversations. We have also found that undertaking a Controls journey really helps to solidify your DevOps culture and get your product Owners focussed not just on functionality, but proactively managing risk to the business and being able to evidence and explain control operation and effectiveness to the likes of audit or compliance.

Cloud computing is a challenge to security, but on that can be overcome. Whitfield Diffie – American Cryptographer

Let us help you overcome it.




Broadstones’ Why – To ignite cloud and digital transformations.

With decades of experience and exposure of seeing digital and then cloud transformation done in ways that do not deliver the abundance of business benefits promised, Broadstones is driven to change that story for its customers with tailored, specific, efficient, and innovative services and products delivered in a straight-talking, respectful, insightful, and creative way.

Broadstones’ What – Services and Products

We can work with you however you need us to. We call that “Doing With” Services or “Doing For” Products. Whether just seeking advice and coaching all the way through to a bespoke managed solution, Broadstones approach your challenge as their own – providing solutions that are considered, innovative, secure, reliable, and engaging.

Broadstones’ How – the AAA of customisation

No two companies are the same, so no two solutions can be either. We ensure that what we do for you is customised in every way that matters. Tailored to solve specific real-world problems and realise tangible sustainable benefits quickly.


Author: Dillon
Dhillon represents the combined programmer and technical operator in one role. He writes the code, fixes problems, manages incidents, evidences controls within the platform and keeps the applications running for the client.

Tell us about your project

Contact us

Insights directly to your inbox