Is data governance in cloud computing still a mirage or do we have a vision we can trust?
The data governance and compliance issues faced by organisations are the same whether operating in a cloud environment or not. When organisations are considering moving business data into the cloud, a sound data governance approach must be in place to enable them to avoid costly data protection mistakes.
The concept of Cloud computing is not a new one. Software as a Service (SaaS) has been around as a concept for many years. Ross Perot's Electronic Data Systems (EDS) was using the term 'outsourcing' in 1962. The idea that a company could divest itself of all of its costly Information Technology (IT) infrastructure, and all of the headaches associated with running a complex in-house IT operation and outsource it to a third party has always been popular when organisations are looking at optimizing their IT expenditures.
One of Gartner's analysts defined Cloud Computing as: "A style of computing in which massively scalable IT-enabled capabilities are delivered 'as a service' to multiple customers using internet technologies." Reading Gartner's definition you begin to see the attraction of The Cloud for many organisations in a period of economic uncertainty, increased competition and dwindling UK Government contracts in the wake of the Government's spending review. Sarah Burnett, senior analyst at Ovum said recently: "The Budget could well turn out to be among the best things to happen to cloud computing in the UK public sector. It is likely to bring it to the top of the list of how to cut IT budgets."
Gartner certainly thinks Cloud is going to be big: they recently predicted that it will generate $68bn in revenues in 2010, a 16 percent increase from 2009. And by 2014 Gartner predicts cloud services will generate $148.8bn - more than double this year's total.
Now that the period of hype is cooling down, it is time to examine how Cloud computing can perform when real-world data management and protection requirements are considered.
While the economic advantages of cloud infrastructure are increasingly well understood - the ability to expand infrastructure to meet demand, the value of usage-based payment, the sheer power of scale, etc. - many organisations have yet to master data governance of their existing, in-house infrastructure. When not properly addressed, Cloud services can exacerbate existing data management and protection issues, adding a list of new concerns:
* "How do I enforce existing security policies and procedures?"
* "If lawyers sue my cloud provider, can they get access to my data?"
* "The cloud provider is only prepared to give me one all-powerful user identity"
* "I need access and full reporting for my IT governance and compliance responsibilities"
* How do we know what's in our Cloud?
* How do we know if it is secure?
* How do we automate access rights management in the Cloud?
There is currently an urgent need for customers of Cloud computing and third party IT services to be able to make an objective comparison between providers on the basis of their security features. Security is the number one concern for many businesses and governments. Existing mechanisms to measure security are often subjective and in many cases vague. This makes quantifiable measurement of security profiles difficult.
Organisations have more digital data than ever that must be continuously managed and protected in order for it to remain safe and retain its value. While data governance is often thought of more as a discipline than a technology, there is software available to enable companies to implement data governance policies with automation and without disrupting existing business processes. This technology has developed because, over the past two decades, the widespread interconnectivity and availability of computing resources precipitated rapid growth in digital collaboration and an exponential increase in the amount of data that is created, shared, streamed and stored. Whether an organisation is housing their information within a cloud environment or not, the demand for comprehensive data governance to manage and protect critical data remains.
Organisations now store more and more information about their customers and partners, and have a responsibility to safeguard it. Failure to protect this data can be damaging to organisations and individuals beyond the organisation storing the data. Partners and customers now expect assurance that their information is being consistently protected in order to conduct business with you.
IT has worked at capacity to manage and protect data manually as best it could - responding to authorisation requests, migrating data, and cleaning up excessive access. Despite this effort, they have been falling further and further behind for the past 15 years. There is simply too much data being created too quickly to manage, protect, and realise its full value without continuous, up-to-date information about the data: metadata.
Put simply, metadata is data about the data you hold in your organisation. Use and analysis of metadata is already more common than we realise; automated collection, storage, analysis, and presentation of metadata will become a necessity not only for in-house data stores but for cloud infrastructure as well.
Metadata framework technology for data governance non-intrusively collects this critical metadata, generates metadata where existing metadata is lacking (e.g. its file system filters and content inspection technologies), pre-processes it, normalizes it, analyzes it, stores it, and presents it to IT administrators in an interactive, dynamic interface. Once data owners are identified, they are empowered to make informed authorisation and permissions maintenance decisions through a web-based interface - that are then executed - with no IT overhead or manual backend processes.
Those organisations that have learned to harness metadata to underpin their data governance practices will have a far greater chance of extending those management and protection capabilities to The Cloud, assuming that the cloud providers are equally metadata-capable.
One other major hurdle for organisations is that there is currently no certification or accreditation system designed specifically for Cloud computing based security. That changes in April 2011 with the implementation of the Common Assurance Metric Model (CAMM) for cloud computing. CAMM, launched in February 2010, is a global initiative that aims to produce objective quantifiable metrics, to assure Information Security maturity in the Cloud for third party service providers, as well as internally hosted systems. This collaborative initiative has received strong support from public and private sectors, industry associations, and global key industry stakeholders.
Ensuring governance of data in the cloud
As John Walker, Professor Of Science & Technology, School Of Computing & Informatics and member of ISACA Security Advisory Group, said: "You are not merely buying a cloud, you are choosing a partner and that choice has to be based on thorough due diligence. This process is essential. The most important barrier to the adoption of cloud computing is assurance - 'how do I know if it's safe to trust the cloud provider?' With today's complex IT architectures and heavy reliance upon third party providers, there has never been a greater demand for transparency and objective metrics for attestation."
The migration to Cloud should be seen as an extension of the operational perimeter of the business, and viewed as a partnership that joins on-campus business objects, and those located in the extended perimeter of the Cloud as in the same logical space, subject to access controls, policies etc. as a range of business entities. Any approach to utilise Cloud must be achieved as an evolution of the expected in-organisation controls which are evolved into a robust, contractually-obligated partnership between client and provider - nothing short of this should be considered secure.
There is an urgent need to address security and compliance challenges associated with an organisation's cloud initiatives. IDC research has found that security and compliance are among the top 3 challenges to cloud computing. Without adequate information on the security and compliance profile of the data, including its ownership, access controls, audits and classification, cloud initiatives can fall short of expectations and put sensitive data at risk. Understanding the data owners and the authorised users and user activity is critical to garnering organisational input, which in turn, is critical to defining the security and compliance profile of the data for internal datacenter and for The Cloud. CFOs and CIOs are hesitant, IDC says, to move critical data and processes into the cloud when there is very little visibility on access and ownership, traceability and data segregation. It is vital that organisations have data governance in order to provide secure collaboration and data protection for their customers, partners and employees. Without it, it will be virtually impossible to manage and protect digital information in The Cloud or anywhere else.
Wendy Yale, Senior Director of Worldwide Marketing, Varonis
|Title Annotation:||WHITE PAPER|
|Date:||Jan 1, 2011|