Streamline Regulatory Compliance With a Hybrid Cloud
IBMer Richard Hogg and cloud consultant Eric Marks explain how a hybrid cloud strategy can simplify compliance.
By Kristin Lewotsky | 04/01/2019
In today’s business climate, just delivering goods and services to customers is no longer enough. Amid an ongoing stream of security breaches, countries, regions and industries around the globe have established regulations governing data protection—data privacy and data security. As a result, enterprises need to demonstrate and maintain compliance with regulations such as the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
The process can be challenging but it can also bring huge benefits. The difference lies in whether an organization embraces privacy compliance as a tool for transforming the business. This particularly works when enterprises apply an equally transformative tool: hybrid cloud computing.
The hybrid cloud environment enables enterprises to house data and workloads on the most appropriate platform, whether that’s a private cloud for highly sensitive data or a public cloud that reduces the cost and administrative hours required to maintain non-sensitive workloads. A hybrid cloud environment provides a highly elastic and flexible infrastructure to support storage and computing needs across the enterprise. Even better, the process of consolidating data and computing processes from large numbers of physical servers to a handful of cloud environments also helps organizations streamline privacy compliance.
Companies should view compliance as a transformation opportunity. For an example of what’s possible, look no further than IBM’s implementation of GDPR. “We chose to embrace GDPR as a global opportunity to transform the business,” says Richard Hogg, global GDPR and privacy evangelist, IBM.
IBM operates in 170 countries with 400,000 employees across 47 business units. “We had at least 47 different ways that we tracked clients and prospects, for example, if they signed up to attend an event or download a whitepaper,” Hogg says. This model generated vast amounts of geographically dispersed data. The problem is that data ages and erodes over time, even as the cost to maintain and track it increases.
The process of bringing its systems into privacy compliance enabled IBM to eliminate unnecessary or redundant data and harmonize the customer experience across business units. “We were able to rationalize our data into one central global system, so now whenever a customer anywhere in the world indicates their marketing preferences to us, all of IBM can consistently meet and sustain that going forward,” he adds.
GDPR is just one example of a rapidly proliferating collection of rules and standards being put into place around the globe. Coming in 2020 are California’s Consumer Privacy Act (CCPA) and Brazil’s GDPR-inspired privacy regulation, LGPD. Other regions and countries are busy drafting or revising their existing privacy regulations.
As a result, businesses need to put a process in place for efficiently achieving and sustaining readiness for these regulations even as conditions evolve. “The work IBM did on our global GDPR program, to transform the business toward privacy, put in place a re-usable framework that we can now use for all the other privacy compliance regulations upon the business and the 170-plus countries we operate in,” Hogg adds.
Implementing a hybrid cloud strategy is an essential part of building a responsive—yet compliant—framework. Privacy compliance presents three key challenges: personal data discovery, monitoring and management; data protection; and, of course, the overall organizational changes necessary to achieve compliance.
Many of the activities required to move the business to a hybrid cloud map directly to those challenges. As a result, the time, effort and resources expended to move data and processes onto a hybrid cloud can reduce the time, effort and resources required to bring the organization into compliance with the standards and maintain that privacy compliance going forward.
The Advantages of a Hybrid Cloud Strategy
The hybrid cloud model is built around using the best resource pool for any particular process. For workloads expected to grow steadily over time or those deemed too sensitive to move off premises, the private cloud provides scalability. For workloads with unpredictable requirements, a public cloud provides the elasticity to support demand spikes without requiring long-term investment.
A financial services company might deploy variable workloads like big data analytics and application development and test into a public cloud. They would keep more sensitive workloads such as online banking on premises or in a private cloud. Alternatively, they could deploy applications in a managed cloud—a private cloud managed by a third party. This solution combines the benefits of public clouds in terms of elasticity and reduced workload with the more secure implementation of a private cloud. A multicloud implementation includes multiple public clouds to match provider capabilities with workload and to maintain price competitiveness. An effective hybrid cloud includes the ideal mix of the above to best suit the needs of the organization.
“Having a hybrid cloud strategy, and especially a multicloud hybrid cloud strategy, is key,” says Hogg. “A cloud infrastructure gives you the elastic ability to dynamically change and remodel the business more competitively but still leverage these enterprise-scale, enterprise-quality privacy and protection capabilities for whatever you’re doing with the data.”
The process of determining the structure of the overall cloud and then which workloads and data get deployed where begins with building a decision tree. “The top three criteria are data privacy, security and business criticality,” says Eric Marks, vice president of cloud consulting for Boston-based Cloud Spectator. “What’s the classification of the data that the system will touch? What are the security requirements that the applications have to meet? What’s the business criticality? Can the business afford to have the network go down or not?”
The goal is to build a data hierarchy that can be applied to existing workloads as well as to any new initiative in order to determine where and how it should be deployed. The same could be said of a privacy compliance strategy.
Dealing With Data
In our brave new digital world, enterprises must reimagine their roles as data custodians rather than data owners. In GDPR, for example, data subjects have the right to access the data captured on them (their data), to correct it, to request that it be erased and to obtain a portable copy. To comply with these rights, businesses need a record of where their data comes from, how they acquired it, where they are storing it, how they are using it and the legal basis for those activities. The process of developing a hybrid cloud strategy and deploying data into the cloud makes it easier to accomplish these goals.
“Compliance involves first getting a handle on the types and categories of personal data in the enterprise. A cloud can help accelerate that,” says Hogg. “You act in fewer places against that data so that you can achieve enterprise-scale activities and outcomes such as being able to automatically classify, tag and catalog personal data across all the data you have. Whose data is it? Where is it in the hybrid cloud? We need to have the insight by data subject so that we can address the rights that GDPR brings.”
Although most data privacy and protection regulations are designed with data security in mind, compliance doesn’t necessarily ensure security. HIPAA, for example, mandates a password for each user but passwords can be easily broken. As a result, a system can be compliant with HIPAA without being secure. Organizations need to approach compliance with security as a primary goal, for example using two-factor authentication to increase data protection.
Security is one of the key criteria in the hybrid cloud decision tree. Out of concern over side-channel attacks, many organizations choose to keep sensitive workloads on premises or in a private/managed cloud. A private cloud can be an effective solution but requires staff with expertise in security, both for the initial buildout and for ongoing operations. The enterprise needs to be willing to commit the resources to the project. If not, the workloads maintained in the private cloud out of concerns over data privacy and compliance might actually be less secure than if they were on a public cloud.
“A lot of enterprises are very reluctant to have any of their sensitive data hosted in a public cloud,” says Marks. “Now, I would because I think that the hyperscale cloud providers have very, very good security.”
For those public cloud providers, optimizing, maintaining, and protecting their assets is the core of their business model. “In general, the major cloud providers have far better cybersecurity and data-protection abilities than any individual data center that any individual company provisions or runs or operates,” says Hogg. “The major breaches that we see around the world generally aren’t against the major cloud providers.”
For a well-designed application, public cloud deployment is unlikely to present a security risk. Consider a transaction processing application. “If you’ve designed a terrible application that hasn’t got security by design, you might be in trouble,” says Marks. “Applications have to be built with security and data privacy in mind.”
Developers should follow best practices such as encryption of data at rest and data in motion, encrypted passwords, and containerized applications. If the contents of the container are also encrypted, then even hacking the system administrator’s password won’t provide access to sensitive data.
“If you’re making sure there’s end-to-end encryption and you’re careful about masking and obfuscation and following data privacy best practices, you can probably run the application in a public cloud just fine,” Marks says.
In the rush to achieve certification, enterprises can lose sight of the fact that compliance isn’t an event. It’s a process. It must be maintained through organization-wide policies and procedures. Moving to the hybrid cloud also requires a governance framework, which means that it can streamline the development of regulatory governance.
Cloud governance should detail best practices for data classification and application development to support the decision tree developed around data privacy, security and business criticality. Once the cloud infrastructure is built out, it must be made usable.
“You need to bring the clouds into a unified catalog of services that you can provision with self-service technologies and capabilities so that your business partners can use them,” says Marks. “You don’t want to tell the business, ‘No, you can’t do that,’ so the main thing is to enable the business to use these things in a secure, governed, compliance-centric manner.”
As important as governance is, education and training shouldn’t be forgotten. After all, the best automatic tagging and most secure applications are useless if an employee emails a spreadsheet of personal data to a colleague. Training and revalidation also need to be woven into the business via policies, processes and annual auditable enablement.
More and more enterprises are moving their computing operations into a hybrid cloud. It brings a level of elasticity and scalability required for competitiveness in today’s business environment. It also speeds, simplifies and reduces the cost of adapting to changes in data privacy and protection requirements.
Hogg implores clients to embrace the cloud. “It will give you the elasticity and flexibility to innovate the business and keep compliance going forward. It gives the ability to automate data identification and management and dependable cybersecurity to protect the data while it’s in your custody,” he says.
Kristin Lewotsky is a freelance technology writer based in Amherst, NH.