Navigating Risk and Compliance in a Multi-Cloud World

The challenge: determining if your cloud provider's security and compliance framework fits into your own security and compliance framework.


IBM and IDG Content

With the regulatory climate in a constant state of flux, managing compliance has always been a challenge for IT organizations. Cloud adoption has kicked that complexity up a notch, introducing new wrinkles for IT organizations as they struggle to manage risk and governance practices across an increasingly diverse multi-cloud landscape.

According to an exclusive IDG Research survey, complexity looms as the No. 1 issue with maintaining compliance in a multi-cloud world. Specifically, respondents were grappling with such issues as more intricate security practices, managing risk, more complicated governance, and understanding compliance, the survey found.

In fact, the most oft-cited cloud security challenges were directly related to managing compliance, the IDG Research survey found. Specifically, CIOs said they were struggling with how to deal with data protection and localization regulations (28%), the rise of new regulations prompted by disruptive technologies and business models (23%), and meeting the requirements of interventionist governments changing data handling standards (15%). In short, regulatory challenges are expected to be a strategic headache for the C-suite over the next 12 to 24 months, on par with security breaches, the survey found.

“The biggest change is that cloud providers in many cases have unique security frameworks,” says Jason Lascola, senior certified architect and enterprise IT advisor for IBM. “Each cloud provider has its own security and compliance framework that may change often, so customers are challenged to determine if that fits into their own security structure, and then to adapt their security framework as requirements change.”

The Road to Compliance

Prior to setting out on a multi-cloud journey, IT leaders must take several steps to close potential visibility gaps and ensure compliance. Among them:

  • Establish a well-documented security framework. Codify security policies, processes, and governance models with an eye towards the specific regulations that are pertinent to the industry, Lascola says. As part of this process, it’s important to create an end-to-end security and compliance framework that covers regulatory, data management, and network security, among other requirements. In addition, to address the varying security requirements of diverse business services, the framework should transcend both cloud and on-premises environments and encompass tiers.
  • Evaluate cloud service providers based on that security framework. Each cloud service provider (CSP) in the mix should be assessed on their ability to meet the requirements of the codified security framework. Involving the CISO in the process early on to help determine what clouds meet the security standards for specific workloads can head off any potential problems that can crop up post-deployment.
  • Integrate the security and compliance framework into the IT service model. As opposed to treating governance in a silo, companies should integrate a security and compliance framework directly into their service delivery model and make it a key attribute in the service catalog, says Lascola. In that way, IT can map individual CSPs in the multi-cloud mix to specific compliance requirements based on their specific security postures. This approach gives users transparency into critical security standards so they can keep compliance requirements top of mind as they provision the best cloud platform for their desired business service.
  • Enlist third-party partners. Third-party partners can be instrumental in navigating risk management and codifying compliance and governance strategies. In the IDG Research survey, 42% of respondents expected to benefit from third-party assistance for risk management, including compliance and legal challenges.

Rather than a post-deployment scramble, security and compliance should be one of the first stops in planning a multi-cloud journey, in order to close visibility gaps and effectively mitigate risk.

For more information on IBM’s approach to security frameworks, visit https://www.ibm.com/cloud/garage/architectures/securityArchitecture/security-policy-governance-risk-compliance/.

To continue reading about this topic, check out our blog, Securing the Cloud: Integrating Existing Infrastructure with Multiple Cloud Providers.