
8 Steps to Assess Risk in Your Cloud Applications

Guest Author

By Ritesh Bagayat, Senior Manager, Deloitte & Touche LLP

Cloud computing has transformed the way nearly every enterprise does business today, but along with its many advantages come new security considerations. With public cloud adoption now at 90% of global organizations, 19% of respondents to the 2019 SANS Institute cloud security survey reported that they had experienced a breach in the previous year, a 7% increase over the year before.

While some providers offer stronger security controls than others, security issues can stem from the way in which an organization accesses cloud services. All too often, organizations incur unnecessary risks through misconfiguration, lack of cloud-ready security strategies, insufficient access management, and ineffective monitoring for insider threats. Here’s what we’ve learned from our experience helping clients migrate enterprise software including ERP, SCM, and HCM to the cloud securely.

Find out where you stand

As a first step towards migrating to the cloud, we recommend an assessment that spans the key cyber risk domains:

  1. Cloud security governance: Organizational structure, committees, and roles and responsibilities
  2. Role-based access controls (RBAC): Limiting data access to those roles that require it
  3. Secure development operations: Embedding security across your DevOps cycle
  4. Identity and access management: Ensuring that unauthorized users cannot gain access with improper credentials
  5. Cloud data protection: Meeting regulatory and policy requirements for sensitive data
  6. Cloud vigilance: Ongoing monitoring for suspicious activity and threats
  7. Cloud resilience: Crisis management, recovery capabilities, and incident response protocols
  8. Infrastructure security: Ensuring security for data at rest and in motion

Segregation of duties, sensitive access certification and secure role design

While your cloud SaaS vendor is responsible for the security of the platform, your data is only as safe as your organization’s governance makes it. These three pillars of process security apply to cloud applications just as they do elsewhere:

  1. Segregation of duties (SOD) is the principle of requiring separate individuals to complete key steps in a business process (for example, transaction execution and approval) to reduce the opportunity for fraud. It is required for Sarbanes-Oxley (SOX) compliance. Most organizations meet this requirement by using yearly SOD audits to streamline and optimize roles. However, a lot can happen in a year, and a periodic audit only looks at a snapshot in time. We recommend, as best practice, deploying continuous SOD monitoring, which has the additional benefit of automating your required SOD reports.
  2. Sensitive access certification, or privileged/elevated access certification, is for users who must administer an application such as ERP, HCM, or SCM. Given the broad access that these roles require, they are coveted targets of threats inside and outside the organization. Access certification involves periodic audits to determine whether roles are appropriately assigned, together with ongoing monitoring for suspicious activity. (This is also required for SOX.)
  3. Secure role design incorporates SOD, privileged access, data protection, and risk-mitigated design. This protects the core business processes within enterprise cloud solutions while laying the foundation upon which other cyber security controls can be deployed. Role design needs to be validated throughout the implementation and should be part of the business requirements-gathering phase.
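To make the continuous SOD monitoring and sensitive-access review described above concrete, here is an added example written for this article; it is not Deloitte's method nor Oracle Risk Management Cloud's logic. The role names, privileges, SOD rules and the user and transaction data are all constructed assumptions. It runs two checks a continuous monitor would apply on every change rather than once a year: a role-level check (does a user's combined role set grant two privileges an SOD rule says one person must not hold?) and a transaction-level check (was a payment executed and approved by the same person, or approved by someone without approval rights?), plus a listing of the privileged population that an access certification must review.

```python
"""Continuous segregation-of-duties (SOD) monitoring, illustrated.

Added example for this article, not code from Deloitte or Oracle.
All role names, privileges, rules and data below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical role -> privilege mapping (constructed sample data).
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "AP_CLERK": frozenset({"create_invoice", "create_payment"}),
    "AP_MANAGER": frozenset({"approve_payment"}),
    "VENDOR_ADMIN": frozenset({"create_vendor", "edit_vendor_bank"}),
    "SYSADMIN": frozenset({"assign_roles", "create_payment", "approve_payment"}),
}

# SOD rules: two privileges one person must never hold together, plus a label.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create_payment", "approve_payment", "execute-and-approve payment"),
    ("create_vendor", "create_payment", "create vendor and pay it"),
    ("edit_vendor_bank", "approve_payment", "redirect vendor funds"),
]

# Privileges that mark a user as holding sensitive/elevated access.
SENSITIVE_PRIVILEGES: FrozenSet[str] = frozenset({"assign_roles"})


def effective_privileges(roles: Set[str]) -> Set[str]:
    """Union of privileges granted by all of a user's roles."""
    privs: Set[str] = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, frozenset())
    return privs


def role_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Role-level check: users whose combined roles violate an SOD rule."""
    findings: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        privs = effective_privileges(roles)
        hits = [label for a, b, label in SOD_RULES if a in privs and b in privs]
        if hits:
            findings[user] = hits
    return findings


@dataclass
class Transaction:
    txn_id: str
    created_by: str
    approved_by: str
    amount: float


def transaction_conflicts(txns: List[Transaction],
                          assignments: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Transaction-level check: catches violations even when roles look clean,
    e.g. a temporary role grant or an approver acting outside their rights."""
    flagged: List[Tuple[str, str]] = []
    for t in txns:
        if t.created_by == t.approved_by:
            flagged.append((t.txn_id, "executed and approved by the same user"))
        elif "approve_payment" not in effective_privileges(assignments.get(t.approved_by, set())):
            flagged.append((t.txn_id, "approver lacks approve_payment"))
    return flagged


def privileged_users(assignments: Dict[str, Set[str]]) -> List[str]:
    """Population an access certification must review: holders of sensitive privileges."""
    return sorted(u for u, roles in assignments.items()
                  if effective_privileges(roles) & SENSITIVE_PRIVILEGES)


def new_findings(previous: Dict[str, List[str]],
                 current: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """What continuous monitoring adds over a periodic audit: only report
    violations that were not already known at the last snapshot."""
    return {u: hits for u, hits in current.items() if previous.get(u) != hits}


# Constructed sample data: a role grant to carol and dave's admin role
# introduce conflicts; T2 and T4 are bad transactions.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},
    "dave": {"SYSADMIN"},
    "erin": {"VENDOR_ADMIN", "AP_CLERK"},
}
TRANSACTIONS = [
    Transaction("T1", "alice", "bob", 1200.0),
    Transaction("T2", "carol", "carol", 9800.0),
    Transaction("T3", "alice", "dave", 450.0),
    Transaction("T4", "erin", "alice", 3100.0),
]

if __name__ == "__main__":
    print("role conflicts:", role_conflicts(ASSIGNMENTS))
    print("transaction conflicts:", transaction_conflicts(TRANSACTIONS, ASSIGNMENTS))
    print("privileged users to certify:", privileged_users(ASSIGNMENTS))
```

On the sample data the role-level check flags carol, dave and erin, the transaction-level check flags T2 and T4, and dave is the only user in scope for sensitive-access certification. Feeding `new_findings` the previous run's output is what turns this from a yearly snapshot into a continuous control: only a newly granted conflicting role appears, and the full finding set doubles as the SOD report.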

Prioritize and automate security from the get-go

Most enterprises (over 80%) have a multi-cloud strategy, with many spanning public and private clouds. Managing this complex environment can be difficult, so we consistently recommend that our clients consolidate enterprise cyber security tools and methodologies to provide a single pane for managing risk to their “crown jewel” data assets while leveraging native/built-in capabilities for deep analysis and monitoring. This requires keeping security top of mind from day one of cloud migration.

In fact, we often recommend initiating a security and compliance discussion during the cloud provider assessment phase. We also frequently recommend designing, building, and deploying SOD and transaction controls during the implementation process. Retrofitting these controls post-implementation can lead to significant business disruption and enterprise risk.

Historically, enterprises have used manual methods such as spreadsheets or third-party tools to manage their cyber security risks. This can lead not only to inefficiency but also to risk exposure due to insecure data extractions. In contrast, a tightly integrated solution such as Oracle Risk Management Cloud can automate SOD, transaction, and configuration controls to find the optimal balance for the organization’s processes. This can lead to lower overhead, improved security posture, and audit readiness.


Comments ( 1 )
  • Aditya Bhelke Wednesday, April 29, 2020
    These are all important aspects which you have touched upon, and organisations need to understand their role in addressing Cloud Security & Compliance.