researchHQ’s Key Takeaways:
- When migrating traditional data centres to the cloud, organisations must understand the distribution of security and compliance responsibilities.
- If managed effectively, cloud environments can provide a full, real-time view of all operational data, allowing for fast responses and better optimization.
- Organisations should clarify company-specific requirements and ensure the correct data management measures are in place to maintain regulatory compliance.
For traditional data center operations, security and compliance requirements have always been operational overhead. Traditional data centers are under unique stresses in today’s world. There are pressures to make data centers more flexible and adaptable to business needs—such as rapid deployments of new technology or solutions—or to meet changes in regulation or compliance with security rules.
The data center typically faces increasing demands that stress both the operations and budgets of most businesses. Due to these challenges, companies are looking to transition operations to the cloud. The ability to deploy solutions rapidly in an on-demand cloud infrastructure may sound irresistible—until the operational, compliance, and security challenges are added to the requirements.
Data center operations should examine the changes in compliance maintenance that take place when traditional data centers are moved to cloud operations. Cloud service providers offer a range of services that include compliance and security features, but you should approach these with some professional skepticism.
Your business is responsible for compliance and security, even if you outsource part of it. You should prepare to do the hard work of verifying a cloud offering’s security and compliance components rather than taking them at face value.
When compliance programs are designed and applied carefully, they can be enhanced by cloud offerings. With appropriate planning and a mature cloud offering, businesses can use expansion into the cloud as an opportunity to grow.
Compliance in Traditional Data Center Operations
To understand compliance and security issues for a cloud migration, it’s important to first examine the processes and procedures in place for your on-premises data center. For traditional data center operations, a compliance program typically includes the platform (the operating system or network) and the application.
On-premises management of controls has been considered an advantage, with a possible cost benefit over outsourcing IT functions and compliance in the cloud. However, cloud services can be part of a larger strategy to outsource some of the operational costs and overhead investments for security and compliance in the data center.
As most data center managers will concede, security is an ongoing challenge as data centers update technology and address resource constraints and the increasing number of compliance requirements.
For instance, in an integrated cloud solution with high-security requirements, it might be possible to lessen costs and management of controls such as access management, encryption, and monitoring within your cloud portion of the solution. It is important to consider challenges as well. Operationally isolating systems can increase other costs—such as compliance monitoring, specialized personnel training, and duplication of other controls for the “data center within the data center.”
Compliance in Cloud Operations: Some Practical Advice
As you plan, it’s useful to keep these recommendations in mind:
1. Clarify the services and functions that would move to the cloud. The cloud is a broad concept of outsourcing operations with a variety of models. These range from:
   - Hosting internet sites, typically called Software as a Service (SaaS).
   - Providing network and server operations with Infrastructure as a Service (IaaS).
   - Providing development tools and engineering applications with Platform as a Service (PaaS).
   - Almost any combination of outsourced support, from 0-100% of the traditional data center (often called hybrid).
However, cloud architecture may be very different from your legacy configurations. Overlooked operational gaps can introduce costly new controls. Consider the operational and compliance impact of the cloud offering. For instance, a hosted solution typically means the cloud provider will host and manage your solution on their systems. This means the cloud provider will maintain the hardware and base operating systems software, but it may not include application administration, database hosting, or configuring connections back to services in your data center. Another example is that using the cloud for internal data center backup operations (a hybrid approach) may provide multiple sites and redundant communications channels to ensure backups are performed in a timely, recoverable manner. Testing and verification of backups, a compliance requirement, may not be part of the service provided.
2. Engage your security engineering team early. The challenge for many organizations is that moving to the cloud may create knowledge gaps. Changes may require training or awareness to ensure you address security and compliance. For example, certain compliance programs may have technical requirements for multiple providers, where duties and responsibilities must be kept separate—such as FedRAMP-certified environments, which require continuous monitoring and separation of function. Staff should be provided with training or time to learn about the control requirements and should become part of engineering a solution that works with your business needs. For many organizations that already have a data center and security monitoring, the question may be which security control functions a cloud provider should perform. For instance, monitoring and alerting, and patching and provisioning secure systems, may be better undertaken by the cloud provider.