The fundamental problem is that most enterprises underestimate the actual challenges—the “unknown unknowns,” so to speak. Migrating to cloud services triggers a paradigm shift that affects large parts of the enterprise. Although non-trivial, the technical aspects are less of a challenge than the actual transformation within the enterprise, which touches a wide range of aspects, e.g. rules, norms, structures, procedures, and tools.
Cloud Governance and Cloud Management are largely uncharted territory for most enterprises, and the reluctance of enterprises to rigorously govern and manage cloud services generates significant security and financial risk, not least vendor lock-in, which is a real danger for enterprises. Unfortunately, there are no one-size-fits-all blueprints that can be copied and pasted across enterprises.
What is Cloud-Governance, -Compliance, and -Management?
Cloud Governance is the set of decision items, decision bodies, responsibilities, decision-making styles, and control functions that enterprises deem necessary to effect sensible and fit-for-purpose Cloud Compliance and Management. Enterprises will have to define committees, councils, boards, and line functions to enable consistent and compliant cloud decisions. There are many variations in topical focus, decision locus, meeting intervals, escalations, and documentation for each governance body. We frequently see data governance, data protection, and information security having to follow non-negotiable, centrally determined standards, while cost management is performed by the business-aligned IT function at the business unit level. Naturally, many aspects of Cloud Governance are borrowed from IT Governance, but the risks inherent in the operation of cloud services necessitate a review and possible amendment or extension of the established IT Governance framework.
Cloud Compliance creates a level playing field for demand- and supply-side qualification of each potential cloud use case. This enables diligent decision-making and documentation by heterogeneous expert teams, thereby generating efficiency that is hard to see but real in the early stages of any cloud migration. It helps enterprises to become fully aware of the kind of service they want and need, whether it has to be a cloud service at all, and what strings are attached. Think of it as setting the scene for cloud migration at the management level before the actual transition. Both its normative aspects and its quality as an auditable risk-type control make Cloud Compliance an important part of Cloud Governance.
Cloud Management deals with the day-to-day activities that will have to be performed for each cloud service. The spectrum of Cloud Management activities is broad and includes activities like SLA monitoring, licence management, incident/problem/event management, access and identity management, backup and recovery management, and other aspects.
Proper Cloud Management is a “must have” for Information Security
Given the steep adoption curve of ever more cloud use cases, enterprises face the challenge of losing control over many aspects of their cloud service operations, including information security. In fact, the entire Multi-Cloud Management Framework aims to establish appropriate controls and institutionalise an operating model that is fit for the paradigm shift brought by the cloud. The Multi-Cloud Management Framework helps organisations to become aware of, prioritise, and consistently execute their information security policies down to the use-case level. Many organisations think their fully audited ISO 27001 ISMS can do it all, but unfortunately this is not the case. This is directly related to the key challenges inherent in the migration to cloud services.
Imagine a cloud service provider reducing the standard backup interval while simultaneously improving its disaster recovery functionality. For certain use cases, this might mean that the legal data retention requirements can now only be met by upgrading or changing to a different service. For other use cases, it might mean that the additional disaster recovery service becomes redundant and the enterprise overspends. Either way, every affected enterprise will have to deal with the changes to achieve legal compliance and fine-tune the financial impact.
The above example illustrates the need to shift the perspective to service/use-case combinations and extend certain planning, sourcing, and transition activities into operations. This is what Cloud Management is designed to achieve.
Is the Cloud the Most Secure Data Protection Solution?
The short answer is: “In principle, yes. But it depends.” The following considerations apply: In terms of data centre operation, the odds are in favour of deep-pocketed firms with an army of experienced data protection specialists and multiple physical security layers versus an on-premise IT infrastructure-ops team in a company with non-IT core competences. And in terms of server uptime and intrusion detection and prevention, the cloud will be king—and downtime due to dusty vents is history.
In terms of platform operation, the cloud service providers—especially the hyperscalers AWS, Azure, and GCP (Google Cloud Platform)—provide many useful features like AI-based automated DDoS prevention (incl. automated traffic rerouting) and notification. When the platform is configured and operated in-house, however, it is up to the enterprise’s specialists to design a secure and reliable network and VM architecture, thus transferring an element of execution risk to the enterprise.
Software-as-a-service entails additional execution risks. The use case “talent management” (e.g. SAP SuccessFactors or Workday) clearly demonstrates that the scope of service consumption can creep beyond compliance. Imagine a SaaS subscription including “talent sourcing” functions that an enterprise’s HR department begins to use although they are not addressed by the corporate GDPR regime. The processing of applicant data is consequently unlawful and exposes the enterprise to the risk of legal fines. In this case, the cloud provider has limited control over data protection, and the enterprise is responsible for implementing technical or organisational countermeasures.
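The two scenarios above (a provider changing its backup retention, and an HR department switching on SaaS functions outside the approved GDPR regime) share one control: a use-case register that is re-checked against the current service catalogue during operations rather than only at sourcing time. The following Python is an added example written for this page, not code from any framework or vendor; the dataclasses, field names, module names such as "talent-sourcing", and the sample register are all constructed to illustrate the checks.

```python
"""Use-case-level compliance review against a cloud service catalogue (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ServiceOffering:
    """What a provider currently delivers for one service (hypothetical catalogue entry)."""
    name: str
    backup_retention_days: int          # how long the provider keeps backups today
    modules: FrozenSet[str]             # functions included in the base subscription


@dataclass(frozen=True)
class UseCase:
    """One enterprise use case bound to a service, with its compliance envelope."""
    name: str
    service: str
    legal_retention_days: int           # statutory retention this use case must satisfy
    approved_modules: FrozenSet[str]    # modules covered by the corporate data-protection regime
    enabled_modules: FrozenSet[str]     # modules the business unit has actually switched on
    contracted_extras: FrozenSet[str]   # add-ons bought separately (e.g. extended DR)


def review_use_case(uc: UseCase, offering: ServiceOffering) -> List[str]:
    """Return finding strings ("TYPE: detail") for one use case against its current offering."""
    findings: List[str] = []
    # Retention: a provider-side change can silently break a legal requirement.
    if offering.backup_retention_days < uc.legal_retention_days:
        findings.append(
            f"RETENTION_GAP: {offering.name} keeps backups {offering.backup_retention_days}d, "
            f"use case requires {uc.legal_retention_days}d")
    # Scope creep: functions in use that the approved processing regime does not cover.
    unapproved = sorted(uc.enabled_modules - uc.approved_modules)
    if unapproved:
        findings.append(f"SCOPE_CREEP: modules enabled without approval: {', '.join(unapproved)}")
    # Overspend: separately contracted extras that the base offering now includes anyway.
    redundant = sorted(uc.contracted_extras & offering.modules)
    if redundant:
        findings.append(f"REDUNDANT_SPEND: already included in base offering: {', '.join(redundant)}")
    return findings


def review_register(register: List[UseCase],
                    catalogue: Dict[str, ServiceOffering]) -> Dict[str, List[str]]:
    """Review every use case; a use case whose service is missing from the catalogue is itself a finding."""
    report: Dict[str, List[str]] = {}
    for uc in register:
        offering = catalogue.get(uc.service)
        if offering is None:
            report[uc.name] = [f"UNKNOWN_SERVICE: {uc.service} not in catalogue"]
            continue
        report[uc.name] = review_use_case(uc, offering)
    return report


# Constructed sample data: one SaaS offering after the provider shortened backup retention
# and folded disaster recovery into the base subscription.
CATALOGUE: Dict[str, ServiceOffering] = {
    "hr-saas": ServiceOffering(
        name="hr-saas",
        backup_retention_days=90,
        modules=frozenset({"talent-management", "talent-sourcing", "disaster-recovery"}),
    ),
}

REGISTER: List[UseCase] = [
    # Long statutory retention and a separately bought DR add-on.
    UseCase("payroll-archive", "hr-saas", legal_retention_days=3650,
            approved_modules=frozenset({"talent-management"}),
            enabled_modules=frozenset({"talent-management"}),
            contracted_extras=frozenset({"disaster-recovery"})),
    # HR started using talent sourcing, which the GDPR regime never covered.
    UseCase("recruiting", "hr-saas", legal_retention_days=30,
            approved_modules=frozenset({"talent-management"}),
            enabled_modules=frozenset({"talent-management", "talent-sourcing"}),
            contracted_extras=frozenset()),
    # A use case still bound to a service no longer in the catalogue.
    UseCase("legacy-crm", "crm-saas", legal_retention_days=30,
            approved_modules=frozenset(), enabled_modules=frozenset(),
            contracted_extras=frozenset()),
]


def run_review() -> Dict[str, List[str]]:
    """Run the sample review; useful as the entry point for a scheduled job."""
    return review_register(REGISTER, CATALOGUE)


if __name__ == "__main__":
    for use_case, findings in run_review().items():
        print(use_case, "->", findings or ["OK"])
```

The report is keyed by use case rather than by service because, as the text argues, the same provider change is a compliance gap for one use case and an overspend for another; the finding prefixes are just a convention for routing results to the data-protection, security, or cost-management body that owns them.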