Managing Data Governance in a Cloud-Focused World

The rate at which companies are amassing data is staggering. More than half of organizations today (57%) have production workloads running in the cloud, and with the number of new devices being introduced that create and consume data and transmit it to the cloud, it has become critical to have some type of cloud governance program in place.

However, one of the most challenging elements of such a program is how to manage an organization’s sensitive data. This data could encompass anything from bank account and credit card numbers to HR payroll data. Misuse or negligent handling of this information could cost companies tens of thousands of dollars per record lost in a potential data breach. Besides monetary consequences, we’ve also seen how disastrous a data breach can be to customer confidence. Cloud governance is nothing to scoff at!

When the stakes are this high, it is understandable that companies are reluctant to trust the cloud. Gartner predicts that “through 2020, 95 percent of cloud security failures will be the customer’s fault.” However, cloud providers have made significant improvements to their security offerings over the last five years. This means that with proper planning and preparation, you can still reap the benefits of cloud efficiency and agility while maintaining appropriate levels of security.

Cloud Classifications

The types of cloud services on the market today can be classified into two categories: enterprise and consumer. An enterprise cloud service is one that meets current standards for security, application management and level of integration. Microsoft leads the field, delivering five of the top 20 most-used enterprise cloud services, with products such as OneDrive, Exchange Online, SharePoint Online and Skype for Business. Consumer cloud services include popular social media sites such as Facebook, LinkedIn and YouTube.

These services rely heavily on cloud infrastructure to deliver massive amounts of content on a global scale, a characteristic organizations may not consider when sharing their sensitive data. What’s important to note from a governance perspective is that compared to enterprise cloud services, consumer cloud security is lacking, with only five percent of the top 20 services offering enterprise-grade security.

As organizations prepare to create new governance policies, it is helpful to understand which types of cloud services are being used across the company. A log-analysis tool such as Splunk Enterprise Security identifies commonly used services and uses those statistics to create meaningful policies and procedures. According to Skyhigh Networks’ 2016 Cloud Adoption and Risk Report, the most commonly used services in the market today can be grouped into three categories:

  1. Approved services (5.4 percent of services) – services fully sanctioned by IT for having enterprise-grade security and functionality and often purchased and deployed at companies.
  2. Permitted services (63.3 percent of services) – services that offer significant business value but may require some risk-mitigation strategies such as data loss prevention measures, activity monitoring and access control.
  3. Not-allowed services (31.3 percent) – services deemed too risky for corporate use. Examples might include online PDF converters and consumer-grade cloud-storage providers.

Between Tradition and Trends

Organizations just beginning to use cloud solutions are often surprised to learn it is still possible to handle data governance like a traditional computing system. Tried-and-true elements of classical data governance such as a company charter, RACI matrix and data-steward structure can be integrated and enhanced to incorporate the nuances of cloud workflows. However, because of how the cloud can change the way a business operates, it is strongly encouraged that organizations review existing policies to determine whether an existing policy can be enhanced or whether a new policy should be created in its stead.

In a pre-cloud world, a company would likely be separated into three main functional areas: business, operations and IT. Now, cloud-management responsibilities can span all three areas, which can essentially make it easier for lines of business to procure their own solutions and might necessitate the creation of a cloud-management department and a restructuring of responsibilities:

  • Because cloud infrastructure is a pay-for-service model, usage can be billed directly to a department. This will require IT to function as the broker, rather than provider, of services.
  • Addressing the skill gap will require either training initiatives for existing employees or hiring of cloud architects to facilitate adoption, development and maintenance.
  • Directors and managers of the organization will be involved in assessing the risk of migrating a particular system to the cloud. They will also be responsible for communicating with other departments and overseeing the adoption of new governance policies and workflows.
  • Network and application security models must be enhanced to handle both on-premise and cloud infrastructure.

Integrating the cloud movement into an existing governance program is a crucial step in securing an organization’s data and optimizing new business processes. These considerations should help a data-management organization plan ahead as it begins to adopt new and powerful cloud environments.

To learn more about Protiviti’s cloud capabilities, contact us

Narjit Aujla

Manager
Data Management and Advanced Analytics

Subscribe to Topics

Learn to better manage your data and safeguard your privacy in a world of breaches this Data Privacy Day – January 28. Find out all the ways you can get involved at http://ow.ly/KESt50Df0sN
#PrivacyAware #dataprivacy

Want to reduce your operating costs and improve customer experience whilst still meeting #AML and #CTF regulatory obligations? Register for our presentation on January 27th today!
http://ow.ly/ScaC50DcVbB #KYC #CustomerExperience #ProcessEfficiency #ProcessMining

Oracle’s latest release (20D) for #RiskManagementCloud was published on Oct 28, 2020. To enable organizations to take advantage of the updates, our #TechnologyBlog explains key changes specific to Risk Management Advanced Access Controls
http://ow.ly/YnFt50D7XrM #Oracle

January 28 is Data Privacy Day and Protiviti is proud to be a Data Privacy Day Champion. Learn how @Protiviti experts like Manisha Agarwal-Shah can solve your key challenges with our data privacy consulting solutions http://ow.ly/lhHZ50DeRST #privacyaware #dataprivacy

What does #resilience mean for your organization? A key first step is understanding the attributes of a #BCM or Operational Resilience program. Learn more at http://ow.ly/tVsp50DcVab
#businesscontinuity #businesscontinuityplanning #operationalresilience #bankingindustry

Load More...