Recent Forrester research on cloud governance best practices created quite the buzz in the security community.
With corporate competitive pressures to reduce IT operations and security costs, transitioning workloads and data to the cloud is unstoppable — but the most difficult question is how to govern the process to ensure a predictable, accountable, and scalable transition, and resulting cloud infrastructure, that accounts for the diverse interests of the internal stakeholders and the regulators. This latest Forrester Research report gives cloud leaders a blueprint and best practices for cloud governance and accounts for stakeholders, workload targets, processes, and tools.
On average, surveyed infrastructure technology decision-makers at enterprises in North America and Europe report that 31% of their infrastructure is in an owned facility, 20% in a co-located facility, 24% in a public cloud, and 25% hosted or outsourced in another environment. This, paired with the reported hundreds of SaaS applications in use as well as increasing pressures for General Data Protection Regulation (GDPR) compliance, emphasizes that (sensitive) enterprise data is everywhere.
Cyber experts weighed-in on Forrester's new best practices.
Howard Ting, CEO at Cyberhaven:
“It's obvious the cloud is uncovered real estate for most enterprise data protection programs and there is a mad rush to deploy tools to provide visibility and control of data in the cloud. We must avoid, however, creating yet another silo of policies and tools for organizations to deploy, manage and monitor. The only effective approach is a unified data protection platform that spans cloud and on-prem environments.”
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows:
“Gaining and maintaining executive support is critical for any cloud governance model. Governance can be perceived as an impediment that slows down the business. Security leaders must clearly articulate the risks around "the cloud," gain executive support and then roll out a framework that protects and enables cloud services. If enterprises implement cloud data governance poorly, then pandora's box will be challenging to close.
Data residency is also a critical component of any data protection strategy. Vendors must guarantee that a clients' data remains in a specific geographic location, and this need extends beyond just GDPR use cases. Vendors that don't have regional infrastructure will be at a competitive disadvantage. This requirement can be particularly challenging for smaller technology vendors that don't have the resources to invest in global architectures.”
Oliver Tavakoli, CTO at Vectra:
“This report provides a glimpse into the complexity of understanding and managing risk as cloud adoption has entered the mainstream. The distributed nature of confidential and mission-critical data (on premise, in SaaS application, in public cloud IaaS and PaaS) in this new world and the increasing regulatory frameworks driven by continued breach reports ratchet up pressure on information security teams. Comprehensive data governance as well as threat detection and response related to access of this data have become table stakes for cloud-adopting organizations.”
Kevin Dunne, President at Pathlock:
"Data protection is a mandatory activity for protecting sensitive financial, customer, employee, and other IP data in the context of a growing landscape of compliance regulations. While financial data has historically been a focus due to SOX compliance regulations, the introduction of GDPR, CCPA, and other data privacy regulations is pushing emphasis on personal data. Enterprises are now focusing on protecting critical customer and employee data, much of while is moving to cloud based systems (Salesforce for CRM, Workday for HRM). These cloud systems are often multitenant and vendor hosted, and therefore cannot be secured with typical approaches like network-based access control or database level encryption. A new breed of SaaS-friendly data access governance solutions is emerging to protect this most sensitive data where it resides most often."