The chief data officer is taking center stage tackling data management in the cloud as cloud adoption continues to accelerate through private, public and hybrid permutations.
Issues CDOs continue to address include the cloud's impact on data management, security, privacy and regulatory compliance. When it comes to the cloud, there are two main aspects that the CDO needs to deal with and hybrid cloud compliance should be on every CDO's radar.
Cloud adoption and its impact on data
Unless an organization has either completely migrated to a single public or private cloud or as a relative new entrant has been born in the cloud, most CDOs are dealing with a hybrid universe. A hybrid universe is a combination of private, public and sometimes more than one public cloud. Given this backdrop the following guidelines can help:
- For new initiatives that involve managing and analyzing growing volume of data, adopt a data fabric model. Data fabric is a design concept that serves as an integrated layer (fabric) of data and connecting processes, as defined by Gartner. Using a data fabric model also allows for an effective and scalable framework that helps guide regulatory compliance process development.
- For existing initiatives that have started in an on-premises data center, it's critical to cleanse and harmonize data before migrating to the cloud. This reduces the data exposure dramatically and starts the cloud journey with a clean data slate. Conversely, doing a lift and shift of all the on-premises data to the cloud is expensive. It can also create a massive target due to data exposure and misses a crucial opportunity to reduce the attack surface.
- A big driver for migrating and growing data in the cloud is the analytics, data management tools, platforms and expertise offered by these providers. Assess candidates' analytics capabilities before choosing a particular cloud provider.
Compliance upkeep in a hybrid world
Keeping up with compliance regulations in a hybrid world is both complex and time-consuming. Many organizations living in a hybrid cloud world can try to limit the complexity and time of hybrid cloud compliance by practicing the following:
- Building on a single solution -- on premises, managed security service provider or public cloud -- for a particular type of compliance requirement. For instance, if there is consumer payment card data for which PCI compliance is mandatory, then choose a public cloud provider that adheres to the four levels of PCI compliance. However, choosing a PCI compliant public cloud platform doesn't automatically make the organization PCI compliant. While the public cloud service provider (CSP) is responsible for the infrastructure and its environment, the organization is responsible for the applications that store, process or transmit payment card data. This makes PCI compliance a shared responsibility between the organization and the CSP.
- Periodically evaluate other solutions. As public clouds continuously evolve and mature, organizations should evaluate its cloud solutions to identify possible migration paths -- both from on-premises cloud options and third-party cloud providers. Using guidance from the Cloud Security Alliance Cloud Controls Matrix is recommended.
- Monitor and remediate. This applies to both on-premises and cloud implementations in a hybrid universe. Cloud implementations evolve fast to keep up with changing regulatory environments, but the onus is on the organization to scan the cloud provider and evaluate the risk reports and process remediations.
In addition, as seen in the PCI example, the application compliance is the organization's responsibility, and similar periodic scan, risk assessment and remediation plans need to be in place.
As clouds evolve and data increasingly becomes both a rich source of innovation -- as well as a prime target for attackers -- hybrid cloud compliance provides a necessary first step to ensure proper data hygiene. However, being compliant alone is not enough; staying abreast with the solutions for maintaining good security and privacy outlined above is critical to successful data management in the cloud.