Cloud computing governance and compliance is critically important for a key reason: cloud computing impacts so many aspects of our business and personal lives. As consumers, we think nothing of connecting to Dropbox or using an online graphics program. As business people, we use cloud computing applications like Salesforce for CRMs, MS Office 365 for productivity, and Box for file sharing.
So here is the $64,000 question: does your business know how to orchestrate multiple cloud computing services for cost, workflow, and compliance? Chances are it does not. Adopting a few cloud applications on a limited scale is one thing. But when companies decide to invest heavily in cloud computing, then IT and their counterparts in governance and risk management must adapt to a complex new reality. This reality is called cloud governance.
What Is Cloud Computing and Why Do I Need to Govern It?
The simplest definition of cloud computing is delivering cloud-based services to end-users. Computing clouds may be private, public, or a hybrid combination of the two. The major cloud computing service models are Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). But whether your business uses public, private or hybrid cloud computing, proper governance is essential to harvesting maximum gain from the cloud and to monitoring an array of critical security issues.
Cloud Governance and IT
Cloud computing offers big efficiency gains and cost advantages for customers, but introducing a cloud computing strategy isn’t a simple operation. This is where cloud governance comes in: the process of managing multiple cloud computing services for simplicity, integration, and cost control.
Cloud governance manages IT processes to receive maximum value from cloud computing investments. Although establishing cloud governance takes time and resources at the beginning, it should deliver significant cost savings through management processes and frameworks for cloud computing IT spend.
Cloud governance is a business-wide initiative because it involves compliance officers, risk managers, and senior executives as well as IT. However, cloud governance is most closely tied to IT, which is responsible for delivering cloud computing.
Let’s look at the COBIT model, which publishes five essential process areas both business-wide and for specific stakeholders including IT. They list IT’s five process areas as strategic alignment, delivering value, managing resources, managing risk, and measuring performance.
- Strategic Alignment: Link cloud computing services with business and IT strategy planning. Cloud computing should increase the value of IT as a strategic asset. The governance framework encourages IT and the business to detail strategic business objectives for cloud computing. IT aligns to business goals by establishing metrics and specific responsibilities, and tracks concrete objectives for each cloud computing service.
- Delivering Value: Moving to cloud computing and a governance framework can disrupt the status quo. IT and executives need to clearly state the value proposition and measure results against the strategy. The emphasis is on lowering cost and communicating clear user benefits.
- Managing Resources: Carefully plan resources at the beginning of the cloud governance project. Include people, applications, business information, and on-premise computing infrastructure.
- Managing Risk: Clarify and manage risk to compliance, profitability, and employee satisfaction. Ongoing risk management will minimize negative impacts and maximize benefits.
- Measuring Performance: Set up tracking mechanisms and monitor metrics around project management and completion, resources, new processes, and delivery.
Cloud Governance and Technical Domains
IT’s cloud computing responsibility also includes a simple governance question: Does it work? Each cloud computing application needs to meet SLAs around three primary technical domains: quality of service, application integration, and the biggest challenge of them all, security.
Quality of Service: Performance, Latency, Availability
Cloud computing services operate from the providers’ remote data centers. This means that providers and businesses must maximize efficient throughput for performance and latency, and sign meaningful service level agreements (SLAs) around availability and durability.
Acceptable performance and low latency depend on efficient application code, sufficient bandwidth, geo-location, and fast server and storage throughput both in the cloud and on-premise. Application availability and data durability are also major issues. Durability is not particularly difficult for cloud providers, who replicate data across multiple devices and sites. (All three major public clouds offer 11 nines, i.e. effectively 0% data loss, durability guarantees.) Availability is a different issue: look at a cloud provider’s average application uptime, and understand how they remediate service outages, particularly similar outages that have occurred more than once.
To explain application integration, let’s take an example where a software development company develops SaaS applications on Oracle Cloud PaaS. Their salespeople use Salesforce.com to track advertising campaigns and sales funnels. AWS Marketplace is a major product distributor, so many of their ordering links point there. Purchase information feeds into an on-premise Oracle Financials database.
The cloud and on-premise applications may or may not have built-in integration points. (Oracle Cloud Adapter does in fact integrate with Salesforce.) A cloud computing governance platform encourages IT to discover existing integration points, track integration dependencies, and optimize less-than-ideal integrations.
Corporate and cloud security are in the news: intrusions and malware attacks are more common than ever, and a single breach can affect thousands of employees and millions of users. A cloud provider’s data center is not magically immune to these types of attack. In fact, the cloud computing model has vulnerabilities of its own.
First, a cloud provider aggregates much of its customers’ data into single files and stores massive data sets in a single location. The provider almost certainly builds in redundancy against data loss, but a successful intrusion can expose huge volumes of data for download and sale. A single company can suffer a disaster when one malware infection occurs on an employee workstation; should the same malware penetrate a cloud data center, it could compromise multiple tenants’ data.
Companies must do careful due diligence on cloud provider security. Understand how they protect their data centers against physical disasters, energy loss, and both physical and digital intrusion. Encryption is a critical security measure, and don’t leave key protection solely with the provider. Strongly consider using multi-factor authentication tools to protect against unauthorized user access. Also, ask how the cloud provider protects customer data against staff error or deliberate malfeasance.
Cloud governance has more to do with process management than with legal and regulatory issues. However, cloud compliance is an extremely important challenge whenever you store regulated or sensitive data in the cloud. Ask your cloud provider how they comply with government and industry regulations, and look for certified data centers and expert provider InfoSec teams. Find out how your cloud provider supports cross-border investigations. Here are some questions to ask:
- How compliant are you with government and industry regulations? When you store regulated or sensitive data in the cloud, you need to know your provider’s level of compliance with regulations like HIPAA and PCI DSS. Remember that you still have primary responsibility for compliance, but your provider should have some responsibility for data storage and privacy regulations.
- How can I be sure that my data is present and recoverable? Recovery assurance is important with any data on the cloud, especially with online production data. SLAs should cover data availability and durability as well as correctly observing data retention requirements.
- How do you keep my data safe? Most compliance standards include physical and digital data security. Verify your cloud data center’s physical security and digital information security. Ask for reports on yearly audits and compliant storage practices, and ask about audit attestations such as SSAE-16. Ask about segmentation policies in multi-tenant environments, including intrusion security and noisy-neighbor management. Encryption and user access control are also critical security measures.
- Do you support cross-border investigations? When you’re pursuing cross-border investigations, you need to comply with differing national and regional data privacy laws. For example, several European countries require sensitive data to stay within their borders, or at least within the European Union’s geographical borders. The EU’s new General Data Protection Regulation (GDPR) will be even stricter around data security and privacy. And however much China courts foreign business, it’s all too easy for investigators to run afoul of its state secrets laws. When you research cloud providers, be certain that they have the knowledge and capacity to store your data in regional data centers, and ask whether they will work with you to migrate culled data sets between countries.
Most companies already have some cloud computing services, and adding more may not seem to be much of a challenge. But diving into cloud computing can have a big impact on your infrastructure, employees, and strategic goals. It’s simply good business to adopt cloud governance for integrating and optimizing cloud computing for your own business.