The Xceptional Blog

Risk and compliance management: Modernizing the cloud to address the realities of security and compliance

Written by Natalie | Jan 23, 2019 8:11:41 PM

Artificial Intelligence, Machine Learning, Big Data, Augmented Reality, IoT, 5G – some of the current buzzwords and trends in the industry.  It’s “what all the cool kids” are talking about.  Every time I meet with partners around the world, these are the topics they want to talk about.  No doubt virtually every IT organization has projects in one or all of these areas.  However, in addition to these “cool” new technologies which everyone wants to talk about, organizations are quietly ramping up other aspects of their hybrid cloud and multi-cloud implementations – specifically addressing Security and Compliance.

According to Cybersecurity Insiders’ 2018 Cloud Security Report*, the top enterprise cloud security concerns are compliance, security, visibility, and maintaining consistent security policies. While compliance has been embedded in IT for certain verticals for years, including banking (PCI), healthcare (HIPAA), and government (FISMA), industry-wide attention to compliance has been minimal. That really changed on May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect in the European Union. As I said above, compliance isn’t anything new, but GDPR shifted the conversation by bringing into effect a regulation that broadly applies to every company that uses digital assets (which is, for the most part, EVERY company in the world) and by making the penalties onerous enough that everyone MUST pay attention. While GDPR itself is a topic for another blog, I like to use it as an example and a starting point for discussing why Risk and Compliance management is so important, and why Cloud Service Providers are specifically vulnerable if they don’t address compliance head on.

Ok, so what exactly is Risk and Compliance Management? Simply put, it is the methodology and tools used to analyze your IT enterprise assets in order to ensure they meet the requirements of a specific set of policies, and then to apply rules to the results in order to measure the risk to your organization based on your level of compliance. So, what does THAT mean? Take a set of rules and apply them to your IT assets. Are you sure they are really implemented? What about that new virtual machine (VM) someone in Finance stood up “temporarily” (there is nothing so permanent as a temporary solution)? Did all the correct settings get applied? Is the data on that VM being properly tracked and structured to ensure things like regional isolation, or metadata tagging to support the right to delete? What level of risk am I accepting, or willing to accept, given the cost tradeoff of compliance (to what level am I following the compliance rules)? This is what Risk and Compliance Management is all about.
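As an added illustration (not code from the post or from Dell EMC), here is what “take a set of rules, apply them to your IT assets, then measure the risk” looks like as a small policy-as-code check over a constructed multi-cloud inventory, including the “temporary” Finance VM. The asset fields, rule names and severity weights are assumptions.

```python
"""Added example (not from the blog): apply a rule set to a constructed
multi-cloud asset inventory and turn the failures into a weighted risk score.
Asset fields, rule names and weights are assumptions, not any vendor's schema."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    cloud: str                 # which cloud the asset lives in (constructed)
    region: str                # where the workload actually runs
    tags: dict = field(default_factory=dict)
    encrypted: bool = False    # encryption at rest enabled?


# Constructed inventory spanning a private datacenter and a public cloud.
INVENTORY = [
    Asset("erp-db-01", "private-dc-eu", "eu-west",
          {"owner": "finance", "data_region": "eu", "pii": "yes", "retention_days": "365"}, True),
    # The "temporary" Finance VM: EU personal data, but stood up in a US region, unencrypted.
    Asset("fin-temp-vm", "public-cloud", "us-east",
          {"owner": "finance", "data_region": "eu", "pii": "yes"}, False),
    Asset("proto-web-02", "public-cloud", "us-east",
          {"owner": "rnd", "data_region": "us", "pii": "no"}, True),
]

# Each rule: (name, severity weight, predicate that is True when the asset is compliant).
# A missing data_region tag is treated as a failure, not as "no constraint".
RULES = [
    ("owner-tag", 1, lambda a: "owner" in a.tags),
    ("region-isolation", 5,
     lambda a: "data_region" in a.tags and a.region.startswith(a.tags["data_region"])),
    ("retention-tag-for-pii", 3,  # right-to-delete needs a retention policy on PII assets
     lambda a: a.tags.get("pii") != "yes" or "retention_days" in a.tags),
    ("encryption-at-rest", 4, lambda a: a.encrypted),
]


def evaluate(inventory=INVENTORY, rules=RULES):
    """Return {asset name: [failed rule names]} for every non-compliant asset."""
    findings = {}
    for asset in inventory:
        failed = [name for name, _w, ok in rules if not ok(asset)]
        if failed:
            findings[asset.name] = failed
    return findings


def risk_score(findings, rules=RULES):
    """Weighted sum of failed rules: the risk the organization is currently accepting."""
    weight = {name: w for name, w, _ in rules}
    return sum(weight[r] for failed in findings.values() for r in failed)
```

Running `risk_score(evaluate())` on the constructed inventory attributes all of the risk to the one untracked VM, which is exactly the visibility problem the post describes.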

Now, once you get your head around the need for Risk and Compliance management, the problem is exacerbated by this thing we call multi-cloud and hybrid cloud. Simply put, enterprises are not using just one cloud today; they are using a variety of clouds in concert, which together form their virtual enterprise. From on-premises clouds for critical workloads, to public clouds for rapid prototyping, to SaaS applications like Salesforce or Office 365, to niche applications like SAS for analytics, or online HR and payroll apps, IT organizations have workloads and data that span a variety of clouds. And while they may be able to directly control or have access to the SaaS-based applications, even the traditional IaaS workloads are spread across private clouds built in multiple datacenters across an organization, regional service providers, and public clouds. Bottom line: it’s REALLY hard to manage all of your IT assets, but the regulators really don’t care. Simply put, if you are not in compliance, you risk being fined (or losing certification, or other penalties, depending on the specific compliance regulations).

(Warning – Soapbox rant ahead. Skip this paragraph to avoid.) So how DO you get control, or at least visibility, into all your virtual assets across so many clouds? And how do you maintain that visibility and control when virtual assets are being created and destroyed daily, hourly, or by the minute? Well, there is the challenge. The industry still doesn’t have a true multi-cloud management standard (at the control plane level). There are continual waves of ISVs building solutions with limited success, and enterprises dabbling in those solutions. But what I have seen firsthand is that these solutions (true multi-cloud, cross-platform management) all end up suffering from the same flaw: they have to work to the lowest common denominator. Meaning, if you want to “be the one manager to rule them all” so that you simplify control to a common plane, that manager is limited by what the least advanced cloud it is managing can do. Also, the lifecycle management of that tool is immense, because each time the APIs for the underlying cloud platforms change, the management tool has to change, and those API changes are constant. Bottom line, a true multi-cloud manager is still more of a dream than a reality, but that doesn’t negate the requirements for Risk and Compliance management!

(Soapbox rant over, back to our regularly scheduled blog.) So if I can’t have a true management control plane across all my cloud assets, what do I do? Well, while the management control plane is still being resolved, the risk and compliance responsibilities of any IT organization exist today and must be addressed day in and day out. Traditionally, the methods used to approach this challenge involved custom scripts, Excel spreadsheets, various independent automation tools, and other hodge-podge methods. While this may work for small datacenters, the methodology breaks down very quickly when you need global visibility across an entire virtual enterprise spanning multiple clouds, with financial penalties for non-compliance on the line. Simply put, one-off scripts and Excel spreadsheets don’t work for the modern virtual enterprise, particularly in a world of virtual machines that can be created and destroyed many times a day.

Bottom line is this:

  • Risk and Compliance is a real issue faced by corporations around the world.
  • The challenge is intensified as the virtual enterprise expands across multiple clouds.
  • Regardless of how it is done, compliance is a requirement across almost all workloads today.
  • Service Providers are perfectly positioned to offer services to address this challenge.
  • The solution needs to be addressed holistically, across a multi-cloud ecosystem.

 By Douglas Lieberman

Published with permission from https://blog.dellemc.com/en-us/