5 May 2023

3 strategies for governing Microsoft Cloud risk in financial services


Few sectors in the economy are benefiting more from the advent of cloud computing than financial services. Banks, insurance companies, stock brokerages, investment managers, and many other firms are gaining competitive advantages, deriving new value from data and analytics, and speeding innovation by replacing legacy approaches and systems with cloud technologies. The rise of generative AI-powered solutions promises only to accelerate the transformation, with even greater benefits.

For the people and teams responsible for managing risk and ensuring compliance, however, this paradigm shift comes with some new anxiety, as stringent security and compliance requirements must be met. While on-premises risk assessments and audit strategies may have been straightforward in a pre-cloud world, when data moves to a third-party cloud provider operating a shared environment at hyperscale, the lines shift. Security and access controls are automated, DevSecOps becomes more commonplace, knowledge gaps arise, and the regulatory context is changed drastically. Adding to the pressure, if compliance assessments and audits are disrupted, innovation can grind to a halt.

Fortunately, there are some excellent resources to guide you productively on this journey. Microsoft makes a significant investment to help customers get the assistance they need to optimize cloud risk assessments at scale. In this post, I’d like to share some of the learning we’ve gained through our deep engagements with customers, point you to a few Microsoft online gold mines, and invite you to check out our Compliance Program for Microsoft Cloud, which I think you’ll love.

Three road-tested strategies for governing cloud risks

Through our compliance community, we get an amazing stream of insights, feedback, and stories about what does and does not work. Here are three strategies that we see at the heart of every organization that successfully governs cloud risks:

  1. Establish a cloud risk governance body. Risk organizations are complex, and siloed approaches are likely to hit walls when different risk stakeholders across all three lines of defense each make their own assessment of a cloud service provider. We often see problems with a poor understanding of cloud technologies and risk controls. Inefficiencies tend to spring up as questions are raised repeatedly by different stakeholders (“Where is my data stored?” or “Who can access it?”). Many problems can be solved or prevented through a unified cloud risk assessment approach. We advise setting up a cloud risk governance board or body that engages all key functions in a single, integrated process that leads to faster deployments and addresses resource constraints and skills gaps.
  2. Adhere to common standards and apply risk-based approaches. Not every use case is the same, yet too often we see customers apply an extremely large set of mandatory controls to any and every cloud use case, irrespective of its significance. Moreover, cloud providers apply different risk control measures compared to what might be expected on-premises, and that can lead to endless control discussions. A good way to prevent these challenges is to align internal control frameworks to industry standards, such as SOC 2 and Cloud Security Alliance’s Cloud Controls Matrix (CCM). This approach gives you structure and guidance for implementing appropriate controls that can be applied in risk-based ways to individual use cases, each time aligned to your organization’s risk, security, and compliance requirements.
  3. Take maximal advantage of third-party assurance. Another pitfall is that some financial institutions will try to evaluate or audit every cloud control independently. This is a waste of time because there are already certifications and audit reports available where multiple reputable third parties have attested to the soundness and safety of these same controls and related risk areas. These should not be ignored. Microsoft is a leader in compliance and offers a very extensive compliance offering for Azure, Dynamics 365, and Microsoft 365 with more than 100 certifications and attestations.

Our framework for assessment in the cloud

Once these foundations are established, you can execute cloud risk assessments across these six basic dimensions:

[Figure: round graph numbered with six circles for the six basic dimensions of the cloud risk assessment process.]

You can now achieve a cloud-optimized risk assessment process that drives maximum efficiency as you cycle through different use cases. Critically, this process will remain resilient as the enterprise gradually deploys more business functions onto Microsoft Cloud, each of which will require a contextual assessment of risks.

How to take advantage of Microsoft Cloud risk and audit resources

Microsoft understands the critical need for financial services risk, compliance, and audit teams to be well supported with tools and resources that empower them to fully understand and assess cloud-related risks.

To explain how we operate our cloud and help customers through their risk assessments and audits, we have created a one-stop shop describing Microsoft compliance that points to our compliance offerings. This includes a service assurance section that describes in great detail how we operate our Microsoft Cloud services, which is a great starting point for risk and audit functions to start their assessments. The service assurance section is organized by 14 risk domains and describes in detail how Microsoft works to secure our customer data. It includes on-demand learning paths available for customers to learn at their own pace.

A second excellent resource is our Service Trust Portal, where you can download external audit reports, useful whitepapers, and artifacts such as third-party vulnerability reports, business continuity, and disaster recovery plan validation reports. You’ll also find detailed regional financial services regulatory compliance checklists which can be used to meet regulatory requirements in each country.

Next, Microsoft Purview Compliance Manager is a unique tool that allows you to get to the next level and manage risk and compliance not just from the Microsoft side but also for your multi-cloud deployments, ensuring that your configurations meet all regulatory requirements as well as cybersecurity and privacy best practices. You’ll find more than 320 compliance assessments aligned to various industries and regions across the globe. You can double-click into each control and review detailed information, including Microsoft control implementations, and how each control was tested by external auditors and the results.

Don’t forget that cloud involves a shared responsibility, and after successfully having assessed Microsoft as your provider you also must ensure your deployments are compliant by default and optimally secure. The good news is that this is all integrated into service assurance as a starting point following the same risk-based structure.

Need the best? Check out the Compliance Program for Microsoft Cloud

The Compliance Program for Microsoft Cloud is a premium “white glove” service specifically created to support risk and compliance professionals through their assessments. This program originated 10 years ago when the first financial services organizations started to embrace the cloud, and it facilitates three-way engagements among customers, regulators, and Microsoft experts. The program continues to evolve, and it gives customers direct access to legal, cybersecurity, privacy, risk, and regulatory compliance experts both from within Microsoft and the industry as a whole.

Customers will receive the best answers to very specific questions and concerns and can submit entire questionnaires to accelerate risk assessment and audit activities. The program has tremendous educational value through webinars and global and regional compliance summits; offers opportunities to engage in a community with other customers and industry experts; and delivers proactive updates related to regulatory and compliance developments around the world.

Join the program today

The insights and tips in this article have largely been built on the experience of this community over the past years. If this resonates for you and your organization, I invite you to join the Compliance Program for Microsoft Cloud and connect with your peers today.

Learn more about Microsoft Cloud for Financial Services.



Source: Microsoft Industry Blog