How the Cloud and Cyber alter traditional GRC models are two of my favorite subjects. This is part of just about every presentation I give these days. I am in the midst of writing an article which will most likely evolve into a paper.
I agree in principle with everything in the thread. My current thinking is that the big 4 differences from traditional GRC for the Cloud are below. Would love to know your thoughts.
1. Increased reliance on non-technical controls, especially third-party attestations.
2. Response to control failure is heavily reliant on third parties (e.g., Incident Response).
3. Traditional tools (e.g., Risk Register, RACI diagrams) must be modified to incorporate 3rd parties and recognize an increased use of compensating controls.
4. Traditional enforcement mechanisms must be replaced with a greater reliance on Contracts and SLAs.
------------------------------
Alex Sharpe
Principal
Sharpe42
------------------------------
Original Message:
Sent: Sep 07, 2022 07:02:29 AM
From: Peter HJ van Eijk
Subject: How a cloud compliance program differs from a traditional compliance program
Sounds like it was silent for a while. What about a new attempt at answering this?
I see two points to start with.
1. A cloud compliance program must be vastly more scalable than a traditional program: many more cloud solutions, much higher frequency of change and review.
2. As IT assets get deployed more automatically, attention should shift from manual to more automated controls (compliance as code).
Your thoughts?
------------------------------
Peter HJ van Eijk
CCSK & CCAK trainer
https://www.clubcloudcomputing.com/
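To make the "compliance as code" point above concrete, here is an added example (not part of Peter's post or any project's code) of the kind of automated control check that replaces a manual review: a small rule engine that evaluates a set of controls against a cloud resource inventory and reports findings plus a per-control compliance rate. The inventory records, control identifiers (ENC-1, NET-1, TAG-1) and field names are constructed for illustration; in practice the inventory would come from the provider's asset API or an infrastructure-as-code plan.

```python
"""Compliance-as-code sketch: automated control checks over a cloud inventory.

Added illustration; the resources, control ids and field names are constructed,
not taken from any real environment or standard.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory: one record per cloud resource.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "public": False, "encrypted": True, "tags": {"owner": "secops"}},
    {"id": "bucket-static", "type": "storage", "public": True, "encrypted": True, "tags": {"owner": "web"}},
    {"id": "db-orders", "type": "database", "public": False, "encrypted": False, "tags": {}},
    {"id": "vm-bastion", "type": "compute", "public": True, "encrypted": True, "tags": {"owner": "infra"}},
]


@dataclass
class Control:
    control_id: str
    description: str
    applies_to: set[str]            # resource types in scope for this control
    check: Callable[[dict], bool]   # returns True when the resource is compliant


@dataclass
class Finding:
    control_id: str
    resource_id: str
    description: str


# Hypothetical control catalogue; each control is a machine-checkable predicate,
# so the same review runs unchanged whether there are 4 resources or 40,000.
CONTROLS = [
    Control("ENC-1", "Data at rest is encrypted",
            {"storage", "database"}, lambda r: r["encrypted"]),
    Control("NET-1", "Storage and databases are not publicly reachable",
            {"storage", "database"}, lambda r: not r["public"]),
    Control("TAG-1", "Every resource has an owner tag",
            {"storage", "database", "compute"}, lambda r: "owner" in r["tags"]),
]


def evaluate(inventory: list[dict], controls: list[Control]) -> list[Finding]:
    """Run every in-scope control against every resource; one Finding per failure."""
    findings = []
    for control in controls:
        for resource in inventory:
            if resource["type"] not in control.applies_to:
                continue  # control does not apply to this resource type
            if not control.check(resource):
                findings.append(Finding(control.control_id, resource["id"], control.description))
    return findings


def compliance_summary(findings: list[Finding], inventory: list[dict],
                       controls: list[Control]) -> dict[str, float]:
    """Per-control compliance rate: compliant in-scope resources / in-scope resources."""
    summary = {}
    for control in controls:
        in_scope = [r for r in inventory if r["type"] in control.applies_to]
        failed = {f.resource_id for f in findings if f.control_id == control.control_id}
        summary[control.control_id] = (
            round(1 - len(failed) / len(in_scope), 2) if in_scope else 1.0
        )
    return summary


if __name__ == "__main__":
    results = evaluate(INVENTORY, CONTROLS)
    for f in results:
        print(f"{f.control_id}: {f.resource_id} fails '{f.description}'")
    print(compliance_summary(results, INVENTORY, CONTROLS))
```

Run as a script it lists three findings (the unencrypted database, the public bucket, and the untagged database) and a compliance rate per control. The design choice that matters for scale is that each control is a predicate over the inventory record rather than a checklist item: re-running the evaluation after every deployment is the "higher frequency of change and review" handled without adding reviewers.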
Original Message:
Sent: Sep 10, 2021 10:54:49 AM
From: Jenna Morrison
Subject: How a cloud compliance program differs from a traditional compliance program
Hmm...This is a good question, and something I too am curious about.
I'd like to hear what some of the CCAK lead developers, who worked on the compliance chapters, have to say. @John Guckian or @David Frei do you have any thoughts?
------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
Original Message:
Sent: Sep 02, 2021 04:36:30 AM
From: Peter HJ van Eijk
Subject: How a cloud compliance program differs from a traditional compliance program
This sounds like an interesting question to throw in the group.
I have my opinions, but I'd rather hear yours first.
How does a cloud compliance program differ from a traditional compliance program?
Is it structurally different?
Is it about different threat models and controls?
Is it about higher volumes, automation, and attention to 3rd parties?
Curious.....
------------------------------
Peter HJ van Eijk
CCSK & CCAK trainer
https://www.clubcloudcomputing.com/
------------------------------