In 2021, cloud collaboration platforms (Google Workspace, Microsoft 365, etc.) are more commonly being integrated with GRC platforms. At Cential, we have seen many GRC solutions begin to include pre-built integrations into their programs as well.
We hosted an FAQ session with Cential team members Jannie Wentzel, Roy Verrips, and Andrew Gunter to cover all the bases of integrating GRC solutions with cloud platforms and how to optimize success with these implementations.
What’s the main advantage of implementing GRC solutions with cloud storage platforms?
Gunter: The first advantage is that the stakeholders are used to working in cloud-based evidence repositories (such as Google Drive, Microsoft OneDrive, or Microsoft Teams/SharePoint), whereas getting them to also store the same evidence in a separate location inside their GRC solution creates another step in that process. We’re seeing that a lot of organizations want to have an easy file picker when they get to their GRC. For example, they want to easily go into Google, select the Drive and build integrated links between the Drive and their risk solution.
One of the biggest advantages of doing that, too, is that you can rely on the security settings of what you’ve set up in your cloud storage. So instead of relying on only the GRC solution to set access controls, you have an extra layer of access controls set up inside the cloud storage system managing who has access.
Verrips: I agree. These access controls also allow you to be more granular when dealing with evidence that may be PII or PCI based, as you can easily impose those controls on top of your storage location as opposed to trying to introduce those into your GRC solution as well.
What are more of the risks and benefits to integrating my GRC solution with a cloud platform?
Gunter: A big risk to consider is whether the audit and compliance teams can access the documents needed, and managing continuous access requests. A great benefit received in return, though, is storage space. For those working in a cloud environment with limited amounts of data storage, keeping some of the large attachments out of your GRC system allows you to avoid the need to purchase additional storage space.
Wentzel: I think it’s a cost-benefit situation—to gain the benefit of increasing your storage, you lose the benefit of having a single point for your document and now having to maintain multiple locations for your documents.
Verrips: Another risk you have is with some of these APIs that come along with cloud providers. You’ve got to be sure that you have a strong infrastructure and you’re permissioning that infrastructure correctly. It’s important to make sure there’s a secure networking channel between your cloud providers and, if possible, push that into a secure network that is not public on the internet.
Gunter: APIs are relatively easy to turn on for a lot of the GRC platforms, it just takes a little bit of planning and connecting with the right people who own the cloud storage to get the right keys and build those in with the GRC solution. Once you make that connection, it’s pretty easy to run with it and employ it in everyday use.
So if your organization is debating employing cloud platforms, it may be worth at least taking that initial jump. Then, you can decide when it is appropriate to utilize any of your applications for any of your solutions or use cases.
How do I maintain integrity of my point in time requests when utilizing these integrations?
Gunter: I think the most common solution we’ve seen with this is to have people convert it over to PDF. Or if it’s a case of your audit group or compliance group needing to work with an Excel spreadsheet or something of that sort, they will need to be provided with a copy that is theirs to work with and edit. It’s important to be mindful to not give them access to the original copy for these kinds of requests.
Verrips: Again, there are some benefits that we can leverage from a cloud solution. I think of SharePoint, for instance, which has the ability to lock your files and allow people to read them. But if the other person needs to edit them, then they need to ask for permission to do so. Those finer-grained security and access permissions are something the cloud is going to be able to give you a lot more easily than your GRC solution would.
How do I most easily integrate cloud platforms with different GRC solutions?
Verrips: There are really two ways you can approach this. The preferred way is to leave the data in the cloud platform and not bring it into the GRC solution.
The other option is to bring it in through an API. Most of the GRC tools have the ability to import files through APIs. That has challenges within itself because you now have two copies of the data, but it does address that concern of linking the point in time of that file to the evidence that you’re busy collecting.
Do you see that most GRC solutions have embedded workflows to easily link to cloud solutions?
Gunter: Yes, we are seeing most GRC solutions have some sort of ability to easily link into OneDrive and Google. We’re also seeing some new Microsoft Teams and Slack integrations coming up from some of the vendors. We’ve also seen it become an initiative for them on their roadmap or something that they’re moving towards.
More and more of the world is going towards cloud-based GRC, and vendors understand that having those integrations pre-built in is a big value add for customers.
What does this mean for GRC vendors and SOC-2 reports?
Wentzel: If you run a business, you need to have your controls in place for your business to make sure you maintain the integrity of your business’ information. However, if you outsource it, you have the ability to create what we call a SOC-2 report. With this, you have an independent verification that the outsource entity has all the controls in place, which helps maintain the integrity of your business’ information.
When information is stored ad hoc in both a GRC vendor and also on a cloud storage solution, the question is posed of whether organizations now need a SOC-2 report for both their cloud storage and their GRC vendor.
Verrips: To this, we would definitely say you would need both because both of those are coming into scope. It’s important that the two are working in unison with each other, with both under the same scope with unified controls.
Has Cential found cloud platform integration to be easier or more difficult for the end users?
Verrips: I think with more people working remotely, people are a lot more comfortable with the cloud. People are aware of the fact that they’re no longer at the office, and that they’re no longer on a secure network at the office.
Even with those that are already security-conscious, it’s a good opportunity to say “We’re not going to link straight to the platform anymore; we’re instead going to do this secure file picker that we have. We realize it’s a little bit more work for you, but it will create the best solution long term.”
Those that have been working in GRC for a while now know that version control on documents that are attached to your GRC is typically difficult to maintain. A lot of the cloud storage systems have version controls built in already—so by building that link between your GRC and the cloud, you get that automatic version control that your cloud storage provider offers.
It’s important to look in your settings and make sure that that’s turned on, though. By default, those aren’t turned on. If these are the files for your GRC, you’ll want to go to the highest level of security.
There are also different levels to these cloud providers. There is a Microsoft solution, and there’s also a Microsoft government solution which has much tighter controls and many more stringent regulations. Google has a Government cloud, and Amazon has “AWS Cloud for Government” as well. Be aware of those and the costs involved. Sometimes the regulatory requirements mean you need to be working in a more secure enclave, so those platforms provide benefits you would gain as it comes to your file storage solution.
What is your recommended plan to optimize integration to maintain effective risk processes?
Gunter: I think the main advice I can give is to do some planning up front. You’ll want to identify the purpose of why you’re bringing the platform in and where it should be used. You’ll want to identify what the use cases are and the key stakeholders that need to be involved, and then schedule that time to meet with them to walk them through how it’s going to be used and any security concerns. If you accomplish those, it will be a significantly easier process versus trying to just go at it ad hoc or jump right in without any planning ahead of time.
GRC platforms will continue to integrate more and more with cloud providers, so it’s important to know how to manage this well and take full advantage of the functionalities while creating the best end user experience possible.
If you have further questions about anything we discussed in this conversation, don’t hesitate to contact us to continue the conversation further.