Gartner predicts that by 2028, cloud computing will shift from being a technology disruptor to a necessary component for maintaining business competitiveness. While most organisations consider the cloud a technology platform, strategic thinkers see the technology as a disruptor or capability enabler.
However, unbridled technology creates opportunities for abuse or misuse that may eventually result in more harm than good for all parties concerned.
The National Institute of Standards and Technology's (NIST) Cloud Computing Framework provides security and privacy guidelines for cloud deployments. The NIST framework includes guidelines for risk management, incident response, and access control, which are crucial aspects of cloud governance.
The Hong Kong Monetary Authority has outlined specific expectations for authorized institutions regarding cloud adoption. Their guidelines stress the importance of a governance framework that allows institutions to assess risks and make informed decisions about cloud strategies. This includes conducting thorough due diligence on cloud service providers (CSPs) and understanding the shared responsibility model inherent in cloud agreements.
What cloud governance is in 2024
Brian O'Neill, chief operating officer for transformation, technology & operations, and global head for group transformation at Standard Chartered, acknowledges that as a Bank, Standard Chartered is accelerating its transformation to become a client-focused, data-driven digital bank.
"As we double up on previous efforts to simplify, standardise and digitise our business, we are maintaining momentum on simplification and harmonisation of our technology estate, integrating platforms using the cloud where appropriate, and investing in our engineering capabilities and best-in-class tools to provide secure and resilient technology."
Brian O'Neill
He believes that cloud governance is essential in ensuring that "we are able to effectively manage our cloud services and optimise the value that we extract from them. Careful management is required to ensure the most efficient use of these services as well as adhering to our internal standards and regulatory requirements."
Who is in charge of cloud governance?
Given the scope and impact of cloud technologies on the business, who should be in charge of cloud governance? Besides the chief technology officer and chief information officer as obvious choices, others may include the chief information security officer, data protection officer, etc.
O'Neill opines that cloud governance should be centralised, ideally reporting to a function discrete from technology teams—such as a cloud office, a governance or risk function under the chief operating officer, or something similar.
"The deployment and usage of cloud technology cuts across third-party risk management, technology, data and cyber requirements, so teams must be familiar with most, if not all, of these areas. Familiarity with audit and risk management also helps," he elaborated.
How do cloud governance and data privacy go hand in hand?
Cloud governance and data privacy are inextricably linked. Effective cloud governance must incorporate robust data privacy controls to protect sensitive information.
O'Neill points out that data privacy requirements are a critical consideration with today's technology. "We need to ensure that we not only rigorously apply these requirements to our systems, but also ensure our cloud service provider (CSP) partners meet the same high standards.
"Fortunately, cloud technologies come with a range of implementation options, and CSPs are able to both demonstrate adherence to privacy standards via certification and then sign up to legally enforceable contract clauses to protect the data."
Brian O'Neill
He explains that as a Group, "we mitigate data and digital risks in several ways. For instance, we track the evolving regulatory landscape affecting key areas such as data and cloud management, digital assets and AI, including country-specific requirements, and actively collaborate with regulators to support important data initiatives."
Challenges facing cloud governance today
There is no shortage of obstacles to the full development and observance of cloud governance. They range from skills shortages and gaps to siloed operations, regulations chasing rapidly evolving technologies, and the proliferation of shadow IT on the back of democratised technology and data.
"CSPs are hyperscale and provide infrastructure and services via software, so a key challenge is a need to adapt internal processes and risk management to deal with both the unique characteristics of these third-party relationships and move from managing cables and boxes in a data centre to managing software development and integration," said O'Neill.
He also highlighted the need to ensure IT continues to support the business's cloud ambitions. "As a Bank, we develop targeted learning journeys to upskill and reskill our colleagues to build future-ready skills such as cloud management. At the same time, we continually monitor for material risk events, learn from them, and then backtest our resiliency capabilities," he added.
He cautioned that breaking new ground typically means a lack of a proven blueprint – it's a blue ocean. "There are currently no industry standards or ISO certificates for cloud governance so how you design, build and adopt your governance depends entirely on the scale of your ambitions and how you want to ensure risks are effectively managed," he posited.
Any best practices to better align data, cloud governance and business goals?
O'Neill suggests reusing and deduplicating data whenever possible and using only one source of truth. "Wherever governance frameworks occur, they also need regular assessments to ensure they are 'fit for purpose' – we find it critical to challenge these frameworks appropriately to meet our internal standards and regulatory obligations," he suggested.
He points out that these frameworks must also define key control and risk indicators and provide meaningful and accurate information for senior management and Board consumption.
"In terms of delivering for our business, in 2023 we deployed cloud technology to improve how we serve our Corporate and Investment Banking clients, such as the use of a cloud-based machine learning platform to automate manual processes and improve efficiency," he confided.
Ensuring compliance with evolving regulations and standards
Attacks against critical infrastructure and system failures have raised the importance of regulations and adherence to standards. As governments develop AI frameworks, organisations must ensure their cloud governance practices comply with relevant regulations and industry standards.
"As an active proponent of the use of AI to better support clients and stakeholders, we are playing an active role in helping regulators to shape guidelines for responsible use, through our membership of initiatives such as the Veritas consortium in Singapore and the UK's Artificial Intelligence Public-Private Forum," said O'Neill.
He cited specific measures such as monitoring emerging trends, opportunities, and developments in technology and emerging business models that may have implications for the banking sector and continuing to invest in our capabilities to better prepare and protect ourselves against possible disruption and new risks.
"Additionally, we have established enhanced governance for new areas through the Digital Asset Risk Committee and Responsible AI Council, which considers emerging regulatory guidance," he added.
Recommendations
As cloud computing becomes a business necessity, effective cloud governance is critical for organisations in Asia's burgeoning digital economy. By adopting a collaborative, risk-based approach to cloud governance, businesses can unlock the full potential of cloud computing while ensuring security, compliance, and trust.
Asked what he would recommend for those in charge of developing/enforcing cloud governance, O'Neill starts by recognising the criticality of ensuring that governance adds value to the organisation. He then provides insights into the unique characteristics of the area being governed to improve risk management, adoption metrics, regulatory engagement, and advocacy.
He emphasised the importance of clearly delineating duties and reporting lines: engineers and governance teams should work together to add value, but report separately to avoid any conflict of interest.
"Finally, automate and re-use controls from the outset – avoid the temptation to shortcut these steps with manual reviews that will not scale with adoption. The CSPs do not manage their environments manually and neither should you," he concluded.