Vitamin Y: Cloud Symposium Recap – Governance, Risk and Compliance (GRC)

Context:

In April 2015, InsightaaS teamed with stakeholders from across the cloud community – enterprise and SMB IT management, global IT leaders and Canadian cloud service providers, integrators and consultants, academics, associations, training firms and other experts – to launch the Toronto Cloud Business Coalition. Dedicated to accelerating adoption and use of cloud in Canada, TCBC members formed working groups to identify key business issues and best practices addressing the ten most important cloud challenges.

Andrew Nunes, Fasken Martineau DuMoulin

After six months of discussion and review, TCBC’s working groups have begun publishing unique documents that provide essential guidance for senior C-suite executives, IT leaders, cloud practitioners and supply-side management. At the same time, TCBC is accelerating its ‘education and networking’ agenda by convening a series of events designed to stimulate discussion of best practices positions and requirements. The signature event on TCBC’s 2015 calendar was the inaugural Cloud Symposium, a ‘show within a show’ held as part of the DatacenterDynamics Converged Canada 2015 presentation. The event was a tremendous success, with more than 500 attendees and over 40 exhibitors. InsightaaS principals Mary Allen and Michael O’Neil moderated nine sessions at the event: the opening and closing plenaries, an entire track dedicated to working group topics, and sessions on IoT and analytics which combined expert panel perspectives with current InsightaaS research.

KeY issue and observations:

The keY issue: “governance” has two meanings in the cloud: it applies in the traditional sense of applying enterprise standards to cloud activities, but the term “cloud governance” is also used to describe cloud data management and security practices. There is (or at least ought to be) a connection between corporate standards and cloud practices.

Important observations
Barney Baldwin, RBC

Barney Baldwin, global head, market and trading risk technology, RBC: there is a tremendous knowledge gap, with tech companies and IT professionals on one end, and auditors, risk managers and corporate directors on the other. Arguably, the gap narrowed a bit with adoption of the internet, which raised overall IT literacy. However, in the past five years the gap has widened, and it shows no sign of letting up as big data and cloud technologies proliferate. How does one design control mechanisms around a constantly-evolving platform?

Stefano Tiranardi, national manager, enterprise security, Symantec: There is an ongoing challenge associated with balancing the attractiveness of information availability with the challenge of information production. Businesses moving workloads to the cloud need to maintain or add data-level visibility, and need to be conscious about how they automate access control.

Stefano Tiranardi, Symantec

Dave Collings, mid-market IT manager/consultant: In some environments, there is a great deal of business risk associated with cloud. For example, in manufacturing, data is constantly pulled from and pushed to core IT systems and shop floor equipment. If the connections between the systems and the equipment go down, the production process stops. Practically speaking, this means that core systems need to be located on premise, though there are cases where cloud can deliver benefit, such as back-up and productivity applications.

Andrew Nunes, partner, Fasken Martineau DuMoulin: Cloud compliance can’t reside exclusively within IT. There are many different functions involved in managing corporate processes around GRC. For example, in the event of a breach, IT will need to work to address data leakage – but at the same time, legal will need to review contracts, exposure and remedies; if customer information has been exposed, the PR team will need to communicate to the public, and sales/account managers will need to contact their clients; the CEO will need to have information available for shareholders, regulators and other stakeholders. It’s important that cloud GRC be integrated within corporate GRC.

Dave Collings, SMB IT Management

The bottom line

The cloud business models, metrics and imperatives session, and the other Cloud Symposium panel discussions and the accompanying best practices guidance represent a new standard in IT research delivery. With the community approach to content co-creation and an emphasis on networking and outreach, TCBC and InsightaaS have created a model that delivers real value to stakeholders from all industries, and is designed to provide real support to end user adopters – which aligns with TCBC’s overall objective of accelerating adoption and use of cloud in Canada.
