Forrester earlier this week released a report that offered best practices for more effective cloud governance, saying it can help companies ensure a predictable, accountable, and scalable transition to the cloud.
The report said companies have little choice but to focus on cloud governance because just about every company must grapple with corporate pressures to reduce IT operations and security costs while at the same time transitioning workloads and data to the cloud.
Forrester defines cloud governance as “the ability to deliver strategic direction, track performance, allocate resources, and modify services to ensure meeting organizational objectives without breaching the parameters of risk tolerance or compliance obligations.”
Companies need to develop these cloud governance strategies for at least two reasons: First, some 59% of respondents to a Forrester survey say they have adopted or plan to adopt public cloud. Second, with 24% of corporate data stored in the public cloud, protecting and managing cloud data has become mandatory.
“Forrester’s interviewees tell us that protecting data in the cloud is mandatory and that lack of protection can prevent or delay a cloud migration from the legal and regulatory perspective,” according to the report.
Companies need to gain and maintain executive support for any cloud governance model, said Rick Holland, vice president of strategy and CISO at Digital Shadows.
“Governance can be perceived as an impediment that slows down the business,” Holland said. “Security leaders must clearly articulate the risks around the cloud, gain executive support and then roll out a framework that protects and enables cloud services. If enterprises implement cloud data governance poorly, then Pandora’s box will be challenging to close.”
This report points out that nearly 25% of infrastructure data now gets hosted in a cloud environment, meaning that cloud security solutions that are categorized as “good enough” are no longer an option, said Mark Guntrip, senior director of cybersecurity strategy at Menlo Security.
And with companies undergoing rapid migration to the cloud, it's easy for security to get lost in the digital transformation shuffle, added Chuck Everette, director of cybersecurity advocacy at Deep Instinct.
“One common component that’s overlooked is data protection and security, which should be at the forefront and the core, not an afterthought or bolt-on after the migration,” Everette said. “Companies need to have a clear and concise plan in place for management of protecting, scanning, patching, securing, and monitoring of data and applications in the cloud from the start.”
Danny Sandwell, solutions manager at erwin by Quest, said job No. 1 has become building a capability that documents where data resides, who’s responsible for it, what it means to the business, its lineage, impact on the business and IT operations, and how it’s used across a hybrid infrastructure. Sandwell said doing that lets companies plan, execute and monitor the impact of transformative initiatives as well as deliver data visibility to governance, risk and compliance (GRC) processes.
“It also offers a roadmap for applying specific capabilities, such as masking, redacting, anonymizing and encrypting data based on where it resides and what risks are inherent in various processes across the data lifecycle,” Sandwell said.