Don’t forget Cloud Governance

Written By:
Published:
Content Copyright © 2015 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt

In the joy of migrating to Cloud and replacing all that nasty hardware with nice clean Cloud SLAs – and the joy of getting rid of all the nerds who know how this IT stuff actually works under the covers – don’t forget that you can outsource execution but, in general, you can’t outsource responsibility. So, you need good governance around your use of Cloud and you need assurance that your Cloud services are themselves well-governed by your vendor. And perhaps a bit more than that.

In particular (as pointed out in a Forrester report commissioned by iland), don’t lose control of the usage and performance metadata you might need for good Cloud service governance. Not only might you want to do analytics for actionable insight that isn’t supported by your Cloud vendors’ services but you might also want an independent check on whether it really is meeting its claimed SLAs.

But there is more to all this – I’ll talk about some fairly obvious use cases around the EU Data Protection Directive regs, as enforced in the UK, but this may be just the tip of an iceberg. Suppose you are an EU company and you put personal data on the cloud and your cloud vendor backs it up on a cheap server in Turkestan – outside the EU – where someone nicks it and exploits it. Will the Information Commissioner come after you or after your Cloud supplier? Probably both. And will the data owners’ lawyers (or the authorities) accept your plea that “they promised they wouldn’t do that”, or will they hold you culpable for using an incompetent Cloud service provider? Do you know what your current EU data protection responsibilities are and how they are changing? Or what the penalties are for non-compliance? Currently, there is a £500,000 maximum, with some possibility of prison, but these may be increasing to, perhaps, 5% of worldwide turnover or 100 million euros.

Some cloud suppliers talk of “safe harbour” as if it was a complete protection against EU data protection issues if data is moved to the USA, but the EU isn’t wildly enthusiastic about Safe Harbour. Have you done “due diligence” as to exactly what protection this would give you currently?

OK, now suppose that you dump un-analysed Big Data in a “data lake” on the Cloud, in case it is useful later on. It’s a cheap place to store it – a classic Cloud use case – but almost by definition you don’t know whether it contains personal data or not. Did you think that you don’t have to worry about the EU Data Protection directive until you actually use this data for something? You are wrong (see here and here), you become liable when you store it. And, since this is “cheap” storage for later use, you probably won’t pay for cast-iron SLAs about keeping it in the EU (not that they would necessarily help); nor are you likely to spend time and resources discovering exactly what you are storing. Leaving aside the issue if – or when – a customer discovers that you aren’t looking after his/her personal data, suppose a disgruntled employee notices – and shops you to the Information Commissioner?

If you, or your company, would like further input from David Norfolk on this important subject you can get in contact here.

Please note that I am definitely NOT saying that Cloud has a security issue – good governance is bigger than security. As it happens I think that Cloud security is probably better than a lot of in-house security. This is because a lot of in-house security isn’t thought through properly, isn’t enforced and isn’t very effective – especially against the “insider threat“. A Cloud services vendor has a professional “custodian” culture and lives or dies by being able to demonstrate effective governance of service levels and policies – usually based on externally accredited standards. But however well-governed your Cloud services are from the provider’s point of view, you still have to demonstrate your own good governance.

At the very least, however effective your supplier’s SLAs are and however much metadata they make available, can you show that you chose the right SLAs and that you are using the metadata you have access to, for effective governance of any of your services that depend on Cloud services? 

Possibly, the basic issue here is that people are choosing Cloud for purely economic reasons. A much better reason for choosing Cloud (and one which encourages good governance) is for the business agility, flexibility and innovation, which the use of Cloud encourages – and facilitates.