RSA Sees GRC Moving to the Cloud

The increasing complexity of complying with regulations has become one of the primary drivers pushing IT organizations to shift management of governance, risk management and compliance (GRC) into the cloud.

According to Art Coviello, president of the RSA division of EMC, a new report issued by a Security Council for Business Innovation, which is made up of senior IT executives that are customers of RSA, highlights the increased nuance and specificity required to manage GRC.

But to accomplish those goals, IT organizations will need a more economical approach to managing GRC that allows them to take advantage of the scale afforded by a cloud computing model. As part of that shift, Coviello said we should also expect to see higher levels of automation brought to the GRC challenge, which he argues can be most effectively delivered via the cloud.

The two other biggest threats to controlling GRC costs, said Coviello, are government regulators that are too prescriptive when it comes to specifying certain technologies in regulations and the fact that many governments have yet to realize that location is no longer determines the security of data.

For example, a regulation might call for 128-bit encryption when in a few short years that level of encryption might no longer be sufficient. Instead of having to rewrite the regulation every time technology advances, Coviello argues that governments need to be more careful about the language used.

As for the location of data, Coviello notes that there is an assumption that if data is located within the borders of a country, it is more secure. In reality, cloud computing is going global and regulators need to recognize that data can be kept private and secure regardless of its location. Until then, the economics of cloud computing could be adversely affected by requiring IT organizations to keep copies of the same data in multiple countries.

The whole argument over data in the cloud is just beginning to take shape as a political issue. But as governments around the globe get more involved in the issue, they will be shaping the future of the data economy for years to come. And if that’s the case, then maybe it’s time to move this whole topic up the international agenda, as opposed to letting every government make hundreds of incompatible regulations.