Environmental, social, and governance (ESG) scores are top of mind for most executives today. Organizations want to be known as sustainable, strategic long-term thinkers, dedicated to value creation, and seen as a company where future risks and opportunities can be easily anticipated by investors. Cloud security has a significant role in impacting the ESG score of an organization, as the security and privacy of data is a core component of the “social” and “governance” aspects of ESG. This means that considering the impact of cloud security and overall cloud usage is essential when building an ESG program.

What is ESG?

Most investors have traditionally focused on company metrics such as gross profits, operating profit, and net profit. Assessing only those metrics prior to investing does not allow one to identify risks that may impact the financial performance of the company overall. For example, reviewing operational profit does not mean the organization is operating in an effective manner. Operational profit may have increased because a pandemic caused company-sponsored happy hours, in-office food purchases, and other in-person company events to decrease, not because the company has enhanced its internal governance structure to make effective decisions.

Adding the ESG lens can uncover risks that impact short-term and long-term financial performance, operations costs, and more (additional details regarding the definitions for each component of ESG can be found in "Figure 1: ESG Defined" below). Although there are a few ESG rating providers (e.g., MSCI ESG Rating, Sustainalytics' ESG Ratings, Bloomberg ESG Disclosure Scores), they all consider publicly available information such as industry, business activities, size of operations, location of operation, and risk management capabilities. The information gathered is used to generate a number, which is normalized to create an ESG rating and is benchmarked against peers.

Figure 1: ESG Defined

How does ESG relate to the cloud? 

As more information is being stored, processed, and transmitted in cloud environments, the security and privacy of that data is critical. As a result, cloud security plays a critical role in the “social” and “governance” aspects of ESG, while cloud computing contributes to the reduced “environmental” impact. Today, organizations are embedding security and privacy into operations. Some examples of embedding security and privacy include the implementation of a robust DevSecOps pipeline and the implementation of Zero Trust principles across the environment to control access to data. These approaches can assist in enforcement of security and privacy mechanisms that allow a company to meet its social, governance, and environmental responsibilities and improve its overall ESG score.


One of the top environmental benefits of cloud computing is a lower carbon footprint. When done right, using a cloud computing service provider is more efficient than running a data center, as it allows companies to scale as necessary without having to worry about available resources such as servers, energy output, security, or location capacity. However, when looking for a cloud service or a cloud security service provider, companies should take note of existing environmental controls and conduct a service provider environmental impact assessment. Some of the controls to consider include infrastructure energy utilization, hardware energy efficiency, renewable energy usage, and sustainable engineering practices. Companies can also rely on the service provider's ESG score and score details, if publicly available.


A key social risk affecting cloud security involves privacy and data security. The collection of Personally Identifiable Information (PII) and confidential financial data from employees and consumers in the cloud environment requires companies to properly secure the storage, processing, and transmission of this data. Today, people entrust businesses with their personal data, and organizations must uphold that trust by taking measures to prevent unauthorized access or data breaches. This can be done by fostering a company culture where employees are taught to safeguard company data the same way they would protect their personal data, and by implementing key data security tools, technologies, and industry-leading practices within the organization.

For example, a high-priority company goal can be to limit the amount of data collected from customers and employees to only what is necessary, or to give consumers the right to choose the type of data that can be collected. Offering data privacy-related choices to consumers becomes a key differentiator in the market since people are becoming more concerned with privacy and their digital footprint. Further, companies can internally enhance their security capabilities by identifying critical systems in the cloud environment and focusing on applying key data security configurations to these assets (e.g., granular access control, data leakage prevention services, data encryption, and network security groups to limit transmission of data within the environment).


Cloud security governance efforts, which usually include a steering committee and operational committee that drives cloud security initiatives, should consider ESG a priority. ESG for cloud security starts with transparency over data usage and availability. An IT data model needs to support the collection of ESG data, measurement of ESG metrics, and dissemination of ESG findings. For cloud computing and security services, this includes thinking about the secure accessibility and inclusiveness of the services that are being used.

Companies should also consider cybersecurity risk metrics when evaluating ESG and cloud security compliance. Corporate behaviors play into the level of risk a company faces from a cyber-attack. It is important to understand the cost associated with a breach and to have a robust incident response plan, policies and procedures, and security automation and orchestration capabilities in place to reduce risk and enhance resiliency against cyber-attacks. Corporate governance policies, which include cloud computing and security policies, should be shared throughout the organization to continue advancing ESG efforts.

Tools and Techniques

There are a variety of ways to enhance ESG ratings in today's world. However, a combination of well-thought-out techniques and tools can be used to address aspects of ESG that organizations may not normally consider. Here are some tools and techniques that can be used to identify and enhance an ESG rating from an overall cloud and cloud security perspective:

  • Cloud service provider built-in capabilities: Microsoft Sustainability Calculator or Microsoft Sustainability Manager can help provide insight into the environmental impact of Azure Services, which include enabled Azure Cloud Security services. Similar services are also available for other cloud service providers, such as Google Cloud Carbon Footprint and AWS Carbon Footprint Tool (located in the AWS Billing console).
  • Gifting SaaS for a good cause: Software-as-a-Service (SaaS) applications can be utilized to enhance corporate social responsibility, by focusing on environmental, social or governance issues. For example, companies can support non-profits by purchasing SaaS application licenses (e.g., a simple CRM tool, QuickBooks) for communities or organizations in need, simultaneously supporting a worthy cause and improving their overall ESG scores.
  • Use existing information: There are business intelligence and data analytics services available that contain a repository of company ESG scores. These repositories allow users to extract ESG scores of organizations and analyze respective trends over time via the use of cloud services (e.g., Amazon QuickSight).

ESG Program: Cloud Considerations

When developing an ESG program, there is a list of cloud-related items that should be considered to improve the ESG score, including:

  • Reduce overall cloud cost: The most effective method to reduce cost is by launching a cloud services rationalization effort. This forces organizations to consolidate and optimize the usage of cloud tools and services, while reducing cost. This effort directly impacts the “social” and “governance” aspects of ESG.
  • Choose like-minded cloud service providers: Work with business partners or application providers (e.g., SaaS vendors) that have ESG on their mind. Include ESG questions and topics as a part of the vendor selection and vendor assessment process, which would improve the ESG score.
  • Prepare for a mindset shift: Some organizations have started to hold business units accountable for cloud spend by building ESG components into company processes, procedures, and design. Similarly, a mindset and cultural shift will be required to consider ESG efforts in all aspects of the business.

Considering cloud as a part of an ESG program and viewing it as a core component that impacts the ESG score can get organizations closer to a more desired state.