Is Data Governance in Cloud Computing Still a Mirage or Do We Have a Vision We Can Trust?
A Contributed Article By Wendy Yale, Senior Director of Worldwide Marketing, Varonis
Cloud computing was all the rage in 2010 with vendors and customers alike touting the benefits of scalability and cost savings. But behind the glow of the cloud, there's still the very important and critical matter of securing that data no matter where it's stored. Today's data governance and compliance issues faced by companies around the world are the same whether information is in a cloud environment or on premise. So with that in mind, when organizations are considering moving business data into the cloud a sound data governance approach must be in place to enable them to avoid costly data protection mistakes.
The concept of cloud computing is not a new one. Software as a Service (SaaS) has been around as a concept for many years. Ross Perot's Electronic Data Systems (EDS) was using the term ‘outsourcing' in 1962. The idea that a company could divest itself of all of its costly Information Technology (IT) infrastructure, and all of the headaches associated with running a complex in-house IT operation and outsource it to a third party has always been popular when organizations are looking at optimizing their IT expenditures.
One of Gartner's analysts defined cloud computing as: "A style of computing in which massively scalable IT-enabled capabilities are delivered ‘as a service' to multiple customers using internet technologies." Reading Gartner's definition you begin to see the attraction of the cloud for many organizations in a period of economic uncertainty and increased competition.
Gartner certainly thinks cloud is going to be big: They recently predicted that it will generate $68bn in revenues in 2010, a 16 per cent increase from 2009. And by 2014 Gartner predicts cloud services will generate $148.8bn - more than double this year's total.
Now that the period of hype is cooling down, it is time to examine how cloud computing can perform when real-world data management and protection requirements are considered.
While the economic advantages of cloud infrastructure are increasingly well understood - the ability to expand infrastructure to meet demand, the value of usage-based payment and the sheer power of scale, etc. -- many organizations have yet to master data governance of their existing, in-house infrastructure. When not properly addressed, cloud services can exacerbate existing data management and protection issues, adding a list of new concerns:
- How do I enforce existing security policies and procedures?
- If lawyers sue my cloud provider, can they get access to my data?
- The cloud provider is only prepared to give me one all-powerful user identity.
- I need access and full reporting for my IT governance and compliance responsibilities.
- How do we know what's in our cloud?
- How do we know if it is secure?
- How do we automate access rights management in the cloud?
There is currently an urgent need for customers of cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. Security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases vague. This makes quantifiable measurement of security profiles difficult.
Organizations have more digital data than ever that must be continuously managed and protected in order for it to remain safe and retain its value. While data governance is often thought of more as a discipline than a technology, there is software available to enable companies to implement data governance policies with automation and without disrupting existing business processes.
This technology has developed because, over the past two decades, the widespread interconnectivity and availability of computing resources precipitated rapid growth in digital collaboration and an exponential increase in the amount of data that is created, shared, streamed and stored. Whether an organization is housing their information within a cloud environment or not, the demand for comprehensive data governance to manage and protect critical data remains.
Organizations now store increasingly more information about their customers and partners, and have a responsibility to safeguard it. Failure to protect this data can be damaging to organizations and individuals beyond the organization that stores the data. Partners and customers now expect assurance that their information is being consistently protected in order to conduct business with you.
IT has worked at capacity to manage and protect data manually as best it could - responding to authorization requests, migrating data, and cleaning up excessive access. Despite this effort, they have been falling further and further behind for the past 15 years. There is simply too much data being created too quickly to manage, protect, and realize its full value without continuous, up-to-date information about the data: metadata.
Put simply metadata is data about the data you hold in your organization. Use and analysis of metadata is already more common than we realize; automated collection, storage, analysis and presentation of metadata will become a necessity not only for in-house data stores but for cloud infrastructure as well.
Metadata framework technology for data governance non-intrusively collects this critical information, generates metadata where existing metadata is lacking (e.g. file system filters and content inspection technologies), pre-processes it, normalizes it, analyzes it, stores it, and presents it to IT administrators in an interactive, dynamic interface. Once data owners are identified, they are empowered to make informed authorization and permissions maintenance decisions through a web-based interface that are then executed with no IT overhead or manual backend processes.
Those organizations that have learned to harness metadata to underpin their data governance practices will have a far greater chance of a extending those management and protection capabilities to the cloud, assuming that the cloud providers are equally metadata-capable.
Ensuring governance of data in the cloud
As John Walker, Professor Of Science & Technology, School Of Computing & Informatics and member of ISACA Security Advisory Group, said: "You are not merely buying a cloud, you are choosing a partner and that choice has to be based on thorough due diligence. This process is essential. The most important barrier to the adoption of cloud computing is assurance - ‘how do I know if it's safe to trust the cloud provider?' With today's complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation."
Migrations to cloud should be seen as an extension of the operational perimeter of the business, and viewed as a partnership that joins on-campus business objects, and those located in the extended perimeter of the cloud. They are all subject to the same access controls, policies etc. as a range of business entities. Any approach to utilize the cloud must be achieved in tandem with in organization controls to create a robust, contractually-obligated partnership between client and provider - nothing short of this should be considered secure.
There is an urgent need to address security and compliance challenges associated with an organization's cloud initiatives. IDC research has found that security and compliance are among the top three challenges to cloud computing. Without adequate information on the security and compliance profile of the data, including its ownership, access controls, audits and classification, cloud initiatives can fall short of expectations and put sensitive data at risk. Understanding the data owners and the authorized users and user activity is critical to garnering organizational input, which in turn, is critical to defining the security and compliance profile of the data for internal datacenter and for the cloud. CFOs and CIOs are hesitant, IDC says, to move critical data and processes into the cloud when there is very little visibility on access and ownership, traceability and data segregation. It is vital that organizations have data governance in order to provide secure collaboration and data protection for their customers, partners and employees. Without it, it will be virtually impossible to manage and protect digital information in the cloud or anywhere else.
About the Author
Wendy Yale, Senior Director Worldwide Marketing at Varonis
Wendy Yale leads marketing and brand development for Varonis' global growth efforts. She is a veteran brand strategist with 16 years of marketing experience. Prior to Varonis, Wendy successfully managed the global integrated marketing communications team at Symantec. She joined Symantec from VERITAS, where she led the interactive media marketing team.