In a recent article in CIO, Maria Korolov reviewed the results of a survey from IDG. In that survey, it was no surprise that cloud security stood out as one of the major concerns of CIOs. What might surprise some people, however, was the growing concern among CIOs, IT managers, and compliance officers about data visibility in the cloud. Simply put, with a highly distributed and redundant architecture, you don't always know where your data is, especially as it moves around a cloud provider's infrastructure. This can be very problematic in scenarios involving sensitive or regulated data, where compliance audits happen regularly. In this article, we'll look at the issue and tell you what you can do right now to help mitigate the problem.
The Data Visibility Issue
In the article, David Rubal, chief technologist for data and analytics at Herndon, Vir.-based DLT Solutions, stated the problem:
"In a cloud computing environment, data is stored in logical pools, the physical storage spans multiple servers and often locations. With this model, it is very difficult for a cloud provider to pinpoint exactly where any portion of customer data is stored."
The issue here is that when you're dealing with regulated data, you will be periodically audited for compliance. You have to respond to those audits and provide auditors with the information you are obligated to supply about the regulated data. Since you no longer control that data or store it on-premises, you have to rely on your cloud service vendor to provide accurate, verifiable information about your data. Remember, compliance involves access of all sorts, electronic and physical. You might need to answer questions like:
- Is the data in one data center or more than one?
- Who has electronic and physical access to those data centers?
- Does the data move (or has it moved) across national borders, where access laws and regulations might be different?
This is an important issue for organizations that must maintain compliance. If an auditor finds a problem with your data, it's on you to pay the fines and fix the problem. You can blame your cloud service vendor, but the fines are still yours to pay, and the regulating agency will put the onus on you to fix the problem.
Better Tools and Visibility Are Needed
As stated in the article, there is a growing ecosystem of third-party tools designed to provide visibility, security, and monitoring. There is also a growing awareness on the part of cloud service providers, including major players like Amazon, Microsoft, and Box, that they need to make visibility in their solutions better. However, as Richard Cassidy, technical director at Houston-based Alert Logic, Inc., is quoted as stating in the article, "Vendors aren't required to share proprietary security information, and many will often provide details only to their largest customers." It's also important to note that new tools and plans to increase data or infrastructure visibility won't help you if you're audited today.
There are, of course, other options to help you maintain compliance and achieve at least some of the benefits of cloud computing. First, a hybrid cloud may be an option for keeping sensitive data on-premises. Hybrid cloud solutions are popular because, as this Forbes article explains, they give organizations choices and the flexibility to put infrastructure and data where it makes the most sense. Of course, those benefits have to be compared to the potential downsides of keeping infrastructure on-premises, including the loss of rapid provisioning, rapid elasticity, and cloud provider support.
Another option is private cloud. Private cloud implementations, at least according to some reports, are growing in popularity with certain types of enterprises. The major downside is the expense, both in hardware and in the expertise needed to run private clouds effectively and efficiently. After all, if you implement a private cloud, you're in the cloud computing business along with whatever else you're doing. For some enterprises, especially large enterprises in certain regulatory environments, private clouds are the best choice. For smaller businesses and many other types of large enterprises, private cloud poses many challenges. Also, many industry experts question whether private clouds will be able to keep up with the innovation you'll see in public clouds.
Key Takeaway: Compare and Evaluate Cloud Providers and Deployment Models
The key takeaway for us from this article was the following quote:
"46 percent of the survey respondents said that they need to ensure that cloud service providers’ security meets their compliance requirements before moving ahead with deployments."
We couldn't agree more. You have to evaluate cloud service provider service level agreements (SLAs) and ask questions before you select a provider. You can only count on the support, access, and visibility that you get in writing from your provider. Obviously we're biased because we offer cloud computing training. But, as the authors of these courses, we can tell you they were written to address just these types of issues. The CloudMASTER cloud computing classes and certifications not only cover compliance and audit issues in depth across multiple lessons; the classes go beyond that, teaching critical cloud provider comparison and evaluation skills. Since CloudMASTER is vendor neutral, students review, compare, and discuss SLA provisions from different providers and are taught to consider vendor provisions through the lens of their corporate requirements rather than "industry norms." There's even a list of recommended compliance and audit-related questions you should ask of any cloud provider you're considering. In addition, third-party monitoring tools are covered at length, giving students hands-on experience with tools like RightScale and other monitoring and management solutions that might be invaluable during an audit. Combine all of that with the deep coverage of public, private, and hybrid cloud implementations offered in the courses, and students will leave CloudMASTER training well prepared to evaluate cloud service providers and implementation options to find the best solution to meet your organization's requirements.
The article makes it very clear. Cloud data visibility is a major concern for CIOs and IT managers. Cloud providers are trying to open up visibility to their proprietary infrastructure, and third parties are swarming to fill the gaps. But that's not enough if you have to be compliant today and tomorrow. It's on you to be compliant and to respond to audits. Your best preparation is to train your people well. Train them to think critically, evaluate providers and their SLAs, and compare service offerings and third-party tools to give your organization the visibility it needs to be compliant every day.
Over to You
If you have tools you use, or processes in place to help your organization have visibility into your data that's stored in the cloud, let me know in the comments.
The CloudMASTER cloud computing class curriculum was authored by principals at CarverTC in conjunction with the cloud experts at the National Cloud Technologists Association and is distributed exclusively through our partner Logical Operations.