For CIOs pursuing multi-cloud strategies, there is a wide variety of governance, risk management and regulatory compliance challenges. CIOs must simplify the management of vulnerabilities, create a shared-responsibility model with cloud providers, solve GDPR compliance challenges, address microservices used across clouds and stay abreast of shadow IT deployments.
"CIOs are increasingly embracing multi-cloud data management environments, which include not only the use of various cloud service providers but also public and private cloud," said Tom McAndrew, CEO of Coalfire Systems Inc., a cyber-risk management service.
There are a few drivers for the adoption of multi-cloud environments, McAndrew said, including the desire to avoid locking the organization into a relationship with or dependency on a single vendor. A multi-cloud approach also increases agility, enables the company to use new services from different cloud service providers and, of course, potentially decreases costs. But the flexibility and cost savings that multi-cloud offers are not without risk.
"With these benefits also come challenges that organizations must balance and manage, including challenges specifically related to security, privacy and compliance," McAndrew said.
Normalize vulnerability management across architectures
It's vital to remember that multi-cloud data management solutions are complex and, as a result, require specific cloud security and governance policies.
"Consistency in approach and understanding driven by these policies will reduce potential risk," McAndrew said.
For example, companies can minimize false negatives by normalizing vulnerability management across different architectures. By doing so, the IT organization can develop further expertise and use platform-specific tools, such as Amazon Inspector, Azure Security Center and the Google Cloud Security Command Center, for security management.
Another critical challenge is developing a shared responsibility model for the IT organization and the cloud service provider or internal private cloud team. Knowing who is responsible for managing key controls and security processes is critical from both a security and compliance perspective, McAndrew said.
McAndrew said he frequently sees IT organizations that are primarily concerned about where data is stored while paying insufficient attention to who has access to that data. Many of the recent cloud-related security incidents were a result of companies not fully understanding their shared responsibilities and, thus, not properly configuring their cloud solution.
Improve risk classification frameworks
The recently implemented GDPR and other regulatory compliance challenges have heightened awareness about systems being used to capture, record and exchange personally identifiable information (PII). Tracking the internal use of PII data was difficult enough when all the systems resided in a company's proprietary data center. It becomes even more complex in hybrid environments where compute and storage systems may be on premises, cloud-based or shared between those two environments.
It is sometimes difficult to control automated data copying and backup procedures in cloud environments, but organizations must be assured that all transient copies of sensitive information have been destroyed.
"Like most organizations, we've devoted considerable effort to map the flow of PII information through our business systems to prepare for GDPR-related requests," said Mark Settle, CIO at Okta Inc., an identity and access management service provider. "We have also updated our data retention policies."
Settle recommends that other CIOs ride the coattails of GDPR data classification initiatives to further clarify the criteria for safeguarding non-financial systems beyond what is already being done with Sarbanes-Oxley Act compliance. They can do this by incorporating PII criteria in their risk rating frameworks and by expanding GDPR classification efforts into other risk domains, such as threats to intellectual property.
Expanded use of third-party microservices to perform credit checks, obtain account balances, check medical histories and conduct background checks also raises PII concerns. Third-party microservices are becoming an increasingly popular way for companies to develop more frequent and intimate relationships with their customers. Such services may be hosted in a wide variety of private and public systems.
"With respect to the use of microservices, we require API-level authentication, in addition to end-user authentication, to access sensitive information held by third parties," Settle said, adding that Okta is completing a detailed API inventory of several of its major systems.
Another good practice is to simplify monitoring and control across cloud ecosystems. AWS, Azure and Google Cloud Platform each provide unique monitoring and management capabilities, but these have very little ability to interoperate. As a result, many CIOs must either employ specialists with vendor-specific skill sets to avoid regulatory compliance challenges for each cloud, or they must build or purchase and configure relatively expensive cybersecurity and compliance tool sets to ensure they have the appropriate controls for each unique environment.
Wendy Pfeiffer, CIO at Nutanix, an enterprise cloud management service, said she began exploring different options last year as the company worked on becoming ISO/IEC 27001-certified and GDPR-compliant.
"I was concerned that we would not be able to bring our web scale operations into compliance while maintaining the meteoric growth that we've been experiencing," she said.
In the end, Pfeiffer went with Nutanix's own PrismPro and integrated it with Zenoss to manage the company's cloud environment from a consolidated management console.
"Monitoring and managing across a single OS, regardless of cloud, has provided us with extraordinary freedom to run workloads where we need to while ensuring that we handle GDPR-regulated data according to our policies," Pfeiffer said. This allowed Nutanix to receive its ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 certifications across its entire organization in eleven months.
Provide policies and oversight for shadow IT
Cloud services are easy to launch; therefore, shadow IT continues to grow. This creates a significant compliance and security threat, but making IT policies stricter to outlaw shadow IT might be counterproductive.
"We have implemented both organizational and technological checks and balances on who can procure and launch new services," said Venkat Ramasamy, chief operating officer at FileCloud, a file management service.
It's also important to find ways to improve visibility across all cloud instances and services and then determine what automated systems and alerts are required to notify security teams about potential risks.
The key is to limit rogue shadow IT use of the cloud within the organization and minimize the risk associated with it, but to still create an environment that enables the organization to fully take advantage of the benefits of a multi-cloud environment.
"Policies and oversight provide direction and set the ground rules for appropriate usage and, ideally, allow for consistent processes, such as change management and compliance management," Coalfire's McAndrew said. "The cloud is a powerful tool, and it can be as valuable as you make it. It will amplify your security posture, good or bad. Managed properly, it will improve your business."