The increasing use of cloud computing, the creation of new services and the changing compliance landscape are all...
pushing enterprises to review and update their cloud governance strategies. For companies just getting into cloud computing and not considering a governance strategy -- think again. Data protection, application performance levels and compliance are all at risk without a well-designed cloud governance model.
Data protection is key when building a cloud governance model, and that begins with a data classification scheme. Use data classification to determine which data can be stored in the cloud and what security controls must be in place to protect that data. Basic schemes -- such as categorizing data as public, sensitive, confidential and highly confidential -- are useful for organizing sets of controls. For example, sensitive data may be stored in the cloud, but must be encrypted in motion and at rest. Confidential data may be stored in the cloud, but only in data stores with fine grained access controls and the ability to log all operations on the data.
Location, location, location
In some cases, data should be classified into multiple dimensions. The European Union (EU), for example, dictates protections for personal data of EU citizens. Companies in the EU could store the personal data of EU customers in U.S. data centers under the Safe Harbor agreement. However, a decision by the EU Court of Justice struck that agreement down last year.
When building a cloud governance model, consider geographic restrictions on data. These restrictions may be accommodated by a single cloud provider. Amazon Web Services (AWS), for instance, has data centers in Ireland and Germany that may be used for protected EU citizens' data. However, organizations must monitor other versions of data, such as backups and archives, to ensure restricted data is not inadvertently saved to a noncompliant region. This could happen, for example, by enabling cross-region replication on AWS Simple Storage Service buckets and replicating EU protected data to a U.S.-based region.
Cloud governance policies should also address service delivery. Of course, mission-critical applications should be designed for high availability, but to what level and at what cost? Part of a governance strategy entails accommodating an enterprise's risk tolerance. Questions you need to consider include:
- If a cloud data center fails, is it sufficient to failover to another data center in the same region?
- Could your business tolerate a natural disaster that struck multiple data centers in a region?
- If not, would you want to failover to a data center from the same cloud provider but in a different region?
Considering technical vs. business risks for a cloud governance model
A cloud governance strategy should account for both technical and business risks. Organizations can mitigate technical risks, such as the loss of a data center or disrupted network access, with a well-designed cloud architecture.
However, not all cloud disruptions are due to natural disasters or technical failures. If your business is in a dispute with a cloud provider and access to your data and services is restricted, how would you continue to operate? When building a cloud governance strategy, consider using multiple cloud providers. Sole-sourcing your cloud infrastructure can introduce technical and business risks.
Organizations can also become locked into a single vendor because large amounts of code are written to proprietary cloud APIs. API hubs, such as Cloud Elements and Equinix Cloud Exchange, can help abstract cloud services and reduce the number of vendor-specific infrastructure code you need to maintain.
While relationships with multiple cloud providers can help avoid vendor lock-in, remember that not all services are available in all clouds. For example, you may find that AWS DynamoDB is an ideal service for a new application, but replicating functionality into another cloud to mitigate lock-in risks is not practical. In this case, the inability to replicate may lead to a change in technology to use a platform that's readily available on multiple clouds.
The importance of compliance
A final consideration when building a cloud governance model is compliance. This is closely coupled with information security, but there are additional considerations. In particular, watch for details regarding users' responsibility when using a cloud service that is in compliance with a particular regulation. For example, AWS cloud services are PCI compliant, but users of those services must contract with PCI auditors to complete other requirements. Similarly, several, but not all, AWS services are suitable for use with protected healthcare data under the Health Insurance Portability and Accountability Act regulations. Governance strategies should prevent the use of noncompliant services, and ensure compliant services are not used in noncompliant ways.
Avoid these seven common cloud security risks
Exploring IT's role in cloud compliance
Data residency laws introduce cloud compliance hurdles