
Boardroom Tool

Overseeing Cloud Services Security

By Mike Woods

04/16/2026

Partner Content Provided by Internet Security Alliance
Cybersecurity Technology Oversight Boardroom Tool

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, provides boards with a structured approach to the governance of cloud use, focusing on oversight of vendor selection, shared responsibility, and measurable risk management.

Introduction

As organizations migrate operations and data to the cloud, and increasingly rely on cloud infrastructure as a critical component of their AI strategies, directors must ensure that cloud service management is subject to rigorous oversight. Cloud services reduce costs and increase scalability, but they also introduce new dependencies, regulatory exposure, and systemic vulnerabilities. Cloud adoption is now mainstream, and with it comes concentrated risk.

Large enterprises are getting serious about adopting the cloud. Many aspire to have roughly 60 percent of their environment in the cloud by 2025, yet the 2024 Cost of a Data Breach Report found that 40 percent of all data breaches involved data distributed across multiple environments, suggesting that the hybrid and multi-cloud estates these migrations produce are hard to secure consistently. A small number of large providers (Amazon Web Services, Microsoft Azure, Google Cloud) host critical services for thousands of companies, raising systemic questions that boards must address. Boards that fail to scrutinize provider dependencies may face hidden vulnerabilities in resilience, compliance, and cost predictability. By reviewing empirical risk assessments, establishing a clear division of responsibilities, and maintaining strong internal expertise, directors can turn cloud adoption from a source of exposure into a strategic advantage.

Key Focus Areas for Boards

Ensure that cloud migration decisions align with the overall business strategy.

Questions directors can ask to ensure strategic alignment include: Does cloud adoption create new competitive advantages? Does it expose us to the risk of dependence on vendors that could alter their terms unilaterally?

Review economic analysis of cloud risks (e.g., downtime costs, contract lock-in, usage-based cost overruns).

Boards can request empirical assessments of cloud reliance evaluated against the organization’s risk appetite and business objectives.

  • What is the potential financial impact, including direct losses and indirect costs, of cloud downtime on our organization?
  • How do cloud pricing models affect long-term cost predictability?
  • What is the probability and financial impact of a provider data breach?

Quantifying these factors ensures directors can evaluate whether investments in redundancy, hybrid architectures, or insurance are justified.

Confirm that roles and responsibilities between the provider and the customer are clearly defined.

Many cloud incidents stem from misunderstandings of who is responsible for which security controls. Under the shared responsibility model, the provider secures the underlying infrastructure, while the customer remains responsible for identity and access management, data classification and encryption, and the configuration of the services it consumes; an exposed storage bucket or an over-privileged service account is the customer's failure, not the provider's. Boards should insist that management documents and communicates this division of responsibility for each provider, especially in multi-cloud or hybrid environments. Contracts should explicitly outline liability, indemnification, and breach notification requirements, including notification timelines.

Conduct rigorous due diligence before providers are selected.

This includes independent audits, compliance certifications and attestations (ISO 27001, SOC 2), and continuous monitoring. A certificate or report should be read, not merely collected: its scope, the services it covers, and any noted exceptions determine how much assurance it actually provides. Boards must ask how management tracks vendor compliance over time and how third-party risks flow into the organization's enterprise risk reporting.

Probe the organization’s exit strategy and contingency plans.

Questions directors can ask about contingency planning include:

  • Do we have a plan if the provider suffers a breach or prolonged outage?
  • Are backups stored in an alternative environment, and have they been tested?
  • Has management tested its ability to shift workloads to another provider in a crisis?

Establish processes for monitoring compliance with legal, contractual, and data protection obligations.

Cloud arrangements may span jurisdictions with different disclosure or privacy requirements, and data residency can change without the customer noticing if a provider's region or replication settings are not controlled. Boards should be briefed on how the company maintains compliance with regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the Securities and Exchange Commission's cybersecurity disclosure rules.

Ensure management adopts a formal cloud governance framework aligned with ERM.

Adopting a formal framework integrates cloud security risks into enterprise risk management (ERM), ensuring they are visible, governed, and aligned with the organization's established risk appetite.

Oversee whether sufficient in-house cyber expertise exists to evaluate cloud risk and contracts.

Boards should evaluate whether the organization possesses the internal expertise to assess cloud risks, vet providers, and negotiate contracts that protect the company. Directors themselves should also maintain a level of literacy about cloud risks and technologies commensurate with their strategic and operational importance.


Questions the Board Can Ask Management About Cloud Security with Sample Responses

  • Shared Responsibility: How does management ensure we fully understand our responsibilities versus those of the cloud provider for security and compliance?
    • Sample Response: Roles are documented in a responsibility matrix maintained for each provider and reflected in the corresponding contracts or documented agreements.
  • Vendor Oversight: What due diligence is performed before selecting or renewing contracts with cloud providers, and how do we monitor their performance?
    • Sample Response: Our due diligence includes security assessments, compliance checks, and performance benchmarks; ongoing monitoring via service-level agreements (SLAs) and regular audits.
  • Economic Risk: How is the financial impact of cloud downtime, service disruption, or data breaches quantified for the board?
    • Sample Response: Financial impact is quantified through risk assessments, incident response (IR) cost analyses, and insurance coverage reviews.
  • Expertise: Do we have adequate internal expertise at the board and management levels to interpret cloud contracts and evaluate technical risks?
    • Sample Response: Our expertise is ensured through dedicated roles, training programs, and consultations with external experts.
  • Resilience: What are our contingency plans if a cloud provider experiences a prolonged outage or cyber incident?
    • Sample Response: Contingency plans include multi-cloud strategies, disaster recovery plans, and readiness drills.
  • Compliance: How does management ensure cloud services meet our regulatory, disclosure, and data protection obligations across jurisdictions?
    • Sample Response: We ensure compliance through audits, legal reviews, and alignment of cloud services with the global regulatory landscape.
  • Exit Strategy: What provisions are in place to avoid vendor lock-in and ensure data portability in the event we change providers? Have we tested this plan?
    • Sample Response: Provisions include data portability clauses in our vendor contracts, the use of standardized data formats, and periodic testing of the migration plan.


Further Reading

Cloud Security Alliance Guidelines

This guide outlines cloud security best practices, emphasizing practical application in real-world scenarios.
