As some cloud workloads move back on-prem, enterprises look to automation tools to maintain policy adherence and to keep data safe across cloud boundaries.
It’s no secret that enterprise IT teams favor hybrid cloud environments because they provide flexibility: the flexibility to choose the best infrastructure for each business application, and the flexibility to move workloads around as IT requirements change in order to lower costs and achieve higher resiliency. But while this fluidity lets businesses continually tune their environments for optimum cost and performance, it has big implications for IT governance and compliance. A hybrid cloud mix means multiple platforms to manage and secure, and that complexity can open major gaps in IT defenses.
In this new world, applications and enterprise data are becoming widely spread across dozens of locations and are increasingly on the move. To keep their systems compliant and safeguard critical data, enterprises have begun migrating some of their workloads off of public cloud services and back onto premises infrastructure.
IDC reported, for example, that 80% of the 400 IT decision-makers it surveyed in 2018 had migrated applications or data from a public cloud to an on-premises or private cloud infrastructure. More recently, in 2019, nearly three-fourths (73%) of the 2,650 global IT professionals surveyed by Vanson Bourne said they were moving apps back on prem, and 22% said they were migrating five or more applications.
In addition to security concerns, privacy legislation aimed at protecting individuals’ personally identifiable information (PII) is also shaping cloud data governance. For example, the General Data Protection Regulation (GDPR) requires that any organization serving a customer in the EU know exactly where that customer’s data is stored and be able to fully delete it on demand at the customer’s request. A number of legislative bodies in the U.S. and elsewhere are taking steps to emulate the spirit of those regulations with legislation of their own.
As a result, companies already under regulatory mandates issued by their specific industries, such as HIPAA in healthcare, PCI DSS in retailing, and SOX in the financial sector, must further amend their policy and security systems to satisfy these additional requirements.
These trends are combining to create an imperative for systems that can monitor and remediate compliance and security policies not only across AWS, Azure, Google Cloud Platform, and other public cloud environments, but across on-premises private clouds as well. As companies straddle multiple private and public cloud environments, their management and orchestration systems need to do the same if governance is to improve. Today’s complex cloud environment requires smarter and more automated systems that can detect changes and adjust as necessary to keep enforcing policy correctly.
Modernizing enterprise compliance
Data security, governance, and compliance are related functions. Data governance is an organization-wide framework that defines exactly what data an organization has, how it’s used, how it’s managed, and in which system and location it’s stored. One of the things the governance framework accounts for is compliance rules, set both internally by the company and by industry regulators.
For its part, compliance has become an always-on necessity for ensuring that enterprise security controls are enforced. That requires a measure of automation to continually check whether ever-changing workloads and stored data still adhere to the compliance rules contained in the data governance framework. Static set-and-forget IT configurations are no longer up to the task. Instead, businesses require adaptive security systems that provide the following:
- Complete visibility across cloud borders, what’s running where, and who’s accessing it. You can’t protect what you can’t see.
- Real-time recommendations for right-sizing cloud resources, together with constant monitoring for security vulnerabilities and remediation of those vulnerabilities.
- Policy-based automated remediation at an enterprise scale. For example, if someone makes a change to your configuration, your system has to capture those events and deploy an automated standard operating procedure to ensure security.
Know your data
Of course, for these systems and tools to work effectively, your organization first needs to know which policies it wants to enforce, on what data, and when; for example, whether a policy applies only to public-facing applications or exclusively to internal ones. That requires taking inventory of the enterprise data you have and where it’s deployed so you can define your enterprise security policy. You also need to know what should happen when there’s a deviation from that policy. Lastly, you need to determine where the policy should be enforced; for example, in your on-prem environment, your public cloud environments, or both.
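To make the event-based detection and remediation described above concrete, here is a small added example (not from the article or any vendor product) of a policy engine that evaluates constructed configuration-change events from on-prem and public cloud environments against policies scoped by exposure class and by environment, and emits the remediation runbook to trigger for each violation. The policy names, event fields and runbook labels are all assumptions made up for the illustration.

```python
# Added example: toy event-based compliance engine for a hybrid estate.
# Policy names, event fields and runbook labels are constructed for illustration.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Policy:
    name: str
    enforced_in: frozenset            # environments where the rule is enforced
    exposure: str                     # "public", "internal" or "any"
    compliant: Callable[[dict], bool]  # True when the resource config passes
    remediation: str                  # standard operating procedure to run


def eu_residency_ok(cfg: dict) -> bool:
    # GDPR-style rule: records about EU data subjects must stay in an EU region
    return cfg.get("data_subjects") != "eu" or cfg.get("region", "").startswith("eu-")


ALL_ENVS = frozenset({"aws", "azure", "gcp", "onprem"})
POLICIES = [
    Policy("no-public-read", ALL_ENVS, "internal",
           lambda c: not c.get("public_read", False), "revoke-public-access"),
    Policy("encrypt-at-rest", ALL_ENVS, "any",
           lambda c: c.get("encrypted", False), "enable-encryption"),
    Policy("eu-data-residency", ALL_ENVS - {"onprem"}, "any",
           eu_residency_ok, "relocate-to-eu-region"),
]


def evaluate(event: dict, policies=POLICIES) -> list:
    """Return (policy, remediation) pairs for every rule the changed resource violates."""
    findings = []
    for p in policies:
        if event["env"] not in p.enforced_in:            # not enforced in this environment
            continue
        if p.exposure not in ("any", event["exposure"]):  # scoped to another exposure class
            continue
        if not p.compliant(event["config"]):
            findings.append((p.name, p.remediation))
    return findings


def process(events: list, policies=POLICIES) -> dict:
    """Map each non-compliant resource id to the remediation runbooks to trigger."""
    results = {e["resource"]: [r for _, r in evaluate(e, policies)] for e in events}
    return {res: acts for res, acts in results.items() if acts}


# Constructed change events captured from two environments
EVENTS = [
    {"env": "aws", "resource": "s3://hr-records", "exposure": "internal",
     "config": {"public_read": True, "encrypted": True, "data_subjects": "eu", "region": "us-east-1"}},
    {"env": "onprem", "resource": "nfs://vol-finance", "exposure": "internal",
     "config": {"public_read": False, "encrypted": False, "data_subjects": "eu", "region": "dc-1"}},
    {"env": "gcp", "resource": "gs://marketing-site", "exposure": "public",
     "config": {"public_read": True, "encrypted": True, "region": "eu-west1"}},
]
```

Running `process(EVENTS)` flags the HR bucket for both public exposure and EU residency, the on-prem volume for missing encryption, and leaves the public marketing site alone because the no-public-read rule is scoped to internal applications only.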
Moving public cloud workloads back onto your premises doesn’t mean that your security and compliance needs disappear. It simply means that the requirements change. If you end up with apps and data that are both on-prem and in a public cloud, your management, security, and policy-enforcement tools should work consistently across those environments, even as workloads evolve. If your apps and data move fully back on prem to a private cloud, the onus of ensuring data governance, compliance, and security falls on your organization, and your organization alone.
To manage hybrid cloud governance and compliance successfully, you need to adopt and deploy next-generation adaptive security applications that deliver real-time insights. Simply put, event-based compliance detection is non-negotiable. You must be able to deploy automated remediation to safeguard your enterprise applications and data. The reality is that failing to do so can be very detrimental to your business and stakeholders. With that said, I implore you to prioritize finding a suitable solution for this endeavor. There are several solutions on the market that can help you remediate security vulnerabilities as soon as they arise, so that you can keep your critical applications and data safe while reaping the benefits of hybrid cloud architectures.