Tips to Avoid Compliance Complications When Migrating to the Cloud
Moving data to the cloud is a major project requiring a significant amount of effort to evaluate the plethora of options available. Which systems to migrate, which team’s data should be prioritized, and which cloud services to select are all major decisions. While all need careful consideration, it is equally important to be prepared for the next step in the process, securing your data in the cloud.
When migrating data to the cloud, compliance complications can easily arise due to the diversity of public cloud services, as each has different methods and user interfaces for data security and privacy. Complicating matters, public cloud services are disparate and siloed from each other, which makes it difficult to reconcile data compliance and usage policies across the different cloud services.
How Cross-Functional Leadership Eliminates Governance Blind Spots
When planning for data governance and compliance, it is imperative to understand the true scope of the requirements and policies in an organization, including data users and the legal, security, and IT teams. Each group has its own objectives and requirements, and any implementation of data governance and compliance must encompass the scope each brings to the table. Failure to consider the needs of all four groups results in data governance blind spots that will derail the organization’s ability to implement a successful compliance framework.
For example, legal teams and the office of the chief data officer (CDO) are tasked with providing trusted data to the business. They are responsible for building a governance framework that facilitates the use of data in compliance with regulatory requirements, which often vary by geography, business unit, and data type. Security teams have the mandate to create policies that protect corporate data. These policies impact enterprise business processes as well as the selection of software solutions for data security. On the other hand, data teams consisting of scientists and business analysts demand swift access to data and cannot be impeded by time-consuming and slow data access procedures.
However, it is the IT team that is ultimately responsible for the implementation of the governance framework, and it is the IT team that must balance the needs of legal, security, and data users. IT teams are at the center of the requirements gathering, decision making, deployment, and maintenance of any data governance solution. They are responsible for building the infrastructure that is used to define access control policies, grant or revoke data access, and ensure that data teams’ needs are being met. IT teams are also responsible for demonstrating to internal and external auditors, legal teams, and security teams that effective data governance and security controls are in place to monitor and protect data assets.
With this in mind, IT teams are in a logical position to take the lead in driving cross-functional leadership in the implementation of a comprehensive governance framework. Since each team has a stake in this process, it is better to take a team approach than to develop policies in isolation, which can result in duplicated effort or in policies that conflict with each other. To ensure enterprise-wide success of a governance solution, IT teams should bring together the offices of the Chief Privacy Officer, Chief Security Officer, Chief Information Officer, and Chief Data Officer.
Implement Consistent, Scalable Policies Across On-Prem And Cloud
Taking the time to involve cross-functional leadership will result in a more comprehensive and streamlined outcome without wasted or duplicated efforts. It also creates consistency across the entire organization, which makes it easier for all employees and business processes to be on the same page when it comes to implementation and adherence. Part of ensuring consistency is ensuring uniformity of policies and data governance procedures across systems. Persistent and homogeneously applied data policies across the enterprise improve its ability to adhere to regulations and reduce the risk of accidental data breaches or leakage.
One common pitfall to avoid is adopting a new data governance tool when migrating to the cloud and inadvertently “throwing away” all the years of effort spent making data privacy and security work seamlessly for the enterprise. The specific tools must change to be effective for cloud services, but the underlying principles of a data governance solution do not. What was a legal requirement on-prem continues to be a legal requirement in the cloud. Data privacy regulations must still be adhered to, and internal compliance teams need a consolidated way to understand where sensitive data is stored and how it is (or is not) protected across on-prem and cloud environments.
The reality is that policies implemented to work at scale on-prem are needed in the cloud as well. For example, large enterprises have often developed sophisticated RBAC (role-based access control) and ABAC (attribute-based access control) policies for their on-prem data. RBAC provides the definition of roles and privileges, which ABAC extends by enforcing policies based on the attributes of the subject and object, the operation, and the environment. The tools themselves change from on-prem to cloud, but the policies do not.
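To make the RBAC-plus-ABAC layering concrete, here is an added example (not code from the article or from any product it mentions) of a small policy evaluator: roles grant privileges, named attribute conditions on subject, object, operation, and environment then narrow that grant, and the same policy is applied unchanged to a constructed on-prem path and its migrated cloud copy. Role names, attribute names, and the sample assets are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    subject: dict   # user attributes, including assigned roles
    resource: dict  # data-asset attributes, including where it lives
    action: str     # operation requested
    env: dict       # environment attributes (network, etc.)

# RBAC layer: roles map to privileges (hypothetical role names).
ROLE_PRIVILEGES = {
    "analyst": {"read"},
    "data_engineer": {"read", "write"},
    "steward": {"read", "write", "delete"},
}

# ABAC layer: named conditions over subject, object, operation and environment.
# Names are kept so a denial can be reported to auditors by condition.
ABAC_CONDITIONS: dict[str, Callable[[Request], bool]] = {
    "subject_in_resource_region": lambda r: r.subject["region"] == r.resource["region"],
    "pii_requires_clearance": lambda r: (r.resource["classification"] != "pii"
                                         or r.subject.get("pii_cleared", False)),
    "writes_from_corp_network": lambda r: r.action == "read" or r.env["network"] == "corp",
}

def rbac_allows(req: Request) -> bool:
    """True if any of the subject's roles grants the requested privilege."""
    return any(req.action in ROLE_PRIVILEGES.get(role, set()) for role in req.subject["roles"])

def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allow, reasons). RBAC gates first; ABAC then narrows the grant.
    The resource's 'store' (on-prem or cloud) is deliberately never consulted:
    the policy is identical wherever the data lives, only the enforcement tool differs."""
    if not rbac_allows(req):
        return False, ["rbac: no role grants '%s'" % req.action]
    failed = [name for name, cond in ABAC_CONDITIONS.items() if not cond(req)]
    return (not failed), ["abac: " + n for n in failed] or ["allow"]

# Constructed sample subjects and the same logical dataset before and after migration.
ANALYST = {"roles": ["analyst"], "region": "eu", "pii_cleared": False}
ENGINEER = {"roles": ["data_engineer"], "region": "eu", "pii_cleared": True}
ONPREM = {"store": "hdfs:/warehouse/customers", "region": "eu", "classification": "pii"}
CLOUD = {"store": "s3://example-lake/customers", "region": "eu", "classification": "pii"}
CORP, PUBLIC = {"network": "corp"}, {"network": "public"}

if __name__ == "__main__":
    for res in (ONPREM, CLOUD):
        print(res["store"], evaluate(Request(ANALYST, res, "read", CORP)))
```

Running the block shows the analyst denied on both stores for the same named reason, which is the consistency auditors need to see across on-prem and cloud.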
To streamline the migration to the cloud, it is important that the underlying data governance architecture proven to work at scale on-prem can be leveraged in the cloud as well. In fact, a solution for the cloud needs to be even more scalable, as the volume of data is growing faster there than on-prem. A data governance solution for the cloud should not re-invent the wheel; it should be easily portable from on-prem to the cloud.
On-premises versus cloud deployment is not an either/or proposition. Most organizations are implementing hybrid architectures; therefore, having different frameworks (one for on-premises and another for cloud) results in twice the work for the IT teams who bear the burden of implementing policies for privacy, security, and data governance. IT teams evaluating data compliance solutions need a platform built for the cloud that also maximizes efficiency by leveraging existing policy frameworks.
Evaluate The Practical Impact on IT Teams and Business Processes
To prevent an undue burden on internal resources when migrating to the cloud, it is important to clearly understand the resource implications of the data governance and compliance solution before making a final selection. The IT team typically bears the brunt of the effort when deploying and operating a data governance solution, so ensuring optimal efficiency for the IT team is of paramount importance.
It is critical to evaluate the full impact on IT teams, both initially for the migration and for ongoing business operations with data distributed across multiple heterogeneous cloud environments. For example, many teams consider whether or not to take the path of least resistance and use whatever data security capabilities are supported by the cloud service provider.
At first glance, this makes sense: why not use the native data security of the cloud service in question to implement your policies? However, this approach is only viable in the rare situation where there is a single cloud service provider. When more than one cloud provider or service is in play, it requires internal teams to become experts in the detailed architectures, configurations, and interfaces of each offering in use across the enterprise. Teams that have migrated to the cloud quickly find the plethora of choices both empowering and, once implemented, logistically daunting due to the number of heterogeneous services that need to be managed. Beyond the expertise requirements, there is the workload of manually implementing and maintaining consistent (or at least comparable) data access control across the different cloud services and on-premises solutions. This piecemeal, specialized work makes it even harder for enterprises to maintain compliance.
IT teams should also evaluate the practical implications: how much expertise, training, and effort is involved with whichever solution is selected? Two different tools are likely needed for on-prem and cloud due to the technology itself, but does that require a complete overhaul of the team’s skill sets? Duplicating effort with two completely different data governance solutions for on-prem and cloud is not practical. Your team isn’t likely to increase in size, so neither should your data access controls, management policies, and processes.
Additionally, the IT team cannot afford to choose a solution that delays other teams from achieving their objectives. If a solution makes access too difficult or too slow, the teams will find ways to bypass it. For example, if a data privacy solution requires too much effort and delays access to the data, data scientists and business analysts are much more likely to find alternative methods to access what they need. Forcing data scientists or other analysts to submit a flood of tickets to gain access to data and then wait for IT teams to respond can defeat the purpose of going to the cloud in terms of time and efficiency. They may even be tempted to copy data around, move it, or completely remove security controls in order to do their jobs, and at that point the implementation of any kind of data compliance solution is for naught.
The most practical option for the IT team is to utilize a platform that provides a single, consistent view of all data policies across the organization, on-prem and across multiple cloud services. This is also a key requirement for legal and security teams, who need enterprise-wide visibility to assess risk and recommend risk mitigation programs and policies. Automated and integrated reporting from a centralized point saves hours, if not days, of high-cost legal resources and security team spelunking efforts. A consistent approach to locating and securing data is necessary for the practical implementation of any governance framework.
When migrating to the cloud, an enterprise is not only transferring data but also all the relevant access policies associated with that data. This makes it even more critical for enterprise IT teams to adopt scalable data compliance frameworks that encompass cross-functional requirements to eliminate data governance blind spots, enable consistency across on-prem and cloud environments, and optimize efficiency of IT teams in a practical and scalable manner.
About the author: Balaji Ganesan is CEO and co-founder of both Privacera, the cloud data governance and security leader, and XA Secure, acquired by Hortonworks. He is an Apache Ranger committer and member of its project management committee (PMC).