Risk and Compliance Management: Modernizing the Cloud to Address the Realities of Security and Compliance

Artificial Intelligence, Machine Learning, Big Data, Augmented Reality, IoT, 5G – some of the current buzzwords and trends in the industry.  It’s “what all the cool kids” are talking about.  Every time I meet with partners around the world, these are the topics they want to talk about.  No doubt virtually every IT organization has projects in one or all of these areas.  However, in addition to these “cool” new technologies which everyone wants to talk about, organizations are quietly ramping up other aspects of their hybrid cloud and multi-cloud implementations – specifically addressing Security and Compliance.

According to Cybersecurity Insiders’ 2018 Cloud Security Report*, enterprises’ top cloud security concerns are compliance, security, visibility, and maintaining consistent security policies.  Compliance has been embedded in IT for certain verticals for years, including payment card handling (PCI DSS), healthcare (HIPAA), US federal government (FISMA), and others, but industry-wide attention to compliance has been minimal.  That changed on May 25, 2018, when the General Data Protection Regulation (GDPR) came into effect in the European Union. As I said above, compliance isn’t anything new, but GDPR shifted the conversation: it applies to every organization that processes the personal data of people in the EU, wherever that organization is located (which, in practice, is a very large share of the companies in the world), and its penalties are onerous enough that everyone MUST pay attention. While GDPR itself is a topic for another blog, I like to use GDPR as an example and a leading point of discussion of why Risk and Compliance management is so important, and why Cloud Service Providers are specifically exposed if they don’t address compliance head on.

Ok, so what exactly is Risk and Compliance Management?  Simply put, it is the methodology and tools to analyze your IT enterprise assets in order to ensure they meet the requirements of a specific set of policies, and then to apply rules to the results to measure the risk to your organization based on your level of compliance.  So, what does THAT mean?  Take a set of rules and apply them to your IT assets.  Are you sure the controls are really implemented?  What about that new virtual machine (VM) someone in Finance stood up “temporarily” (there is nothing so permanent as a temporary solution)?  Did all the correct settings get applied?  Is the data on the VM being properly tracked and structured, for example through regional isolation and metadata tagging, so that obligations like the GDPR right to erasure can actually be honored?  What level of risk am I accepting, or willing to accept, given the cost tradeoff of compliance (that is, to what degree am I following the compliance rules)?  This is what Risk and Compliance Management is all about.
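To make the “take a set of rules, apply them to your IT assets, then measure the risk” loop concrete, here is a small policy-as-code checker. It is an added example written for this post, not Caveonix, Dell EMC or VMware code, and not a real regulation: the rule identifiers, risk weights and the four-asset inventory are constructed for illustration. It does show two things the paragraph only implies: an asset whose attribute is simply missing (the “temporary” VM nobody tagged) must fail the check rather than be assumed compliant, and the per-rule weights roll up into a risk number per asset and per cloud that you can actually act on.

```python
"""Added example: minimal policy-as-code compliance check over a multi-cloud
asset inventory.  Rule IDs, weights and the inventory are constructed for
illustration only; this is not Caveonix/Dell EMC code or any real framework."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed inventory: what a normalized asset export from several clouds
# (on-prem vSphere, public cloud, regional service provider) might look like.
INVENTORY: List[Dict[str, Any]] = [
    {"id": "vm-fin-0421", "cloud": "onprem-vsphere", "region": "eu-west",
     "personal_data": True, "encrypted_at_rest": True,
     "tags": {"owner": "finance", "data_subject_region": "EU", "retention_days": "365"}},
    # The "temporary" Finance VM: no tags, no encryption, personal data in the wrong region.
    {"id": "vm-fin-temp", "cloud": "public-aws", "region": "us-east-1",
     "personal_data": True, "encrypted_at_rest": False, "tags": {}},
    {"id": "vm-dev-0007", "cloud": "public-azure", "region": "eu-west",
     "personal_data": False, "encrypted_at_rest": True, "tags": {"owner": "dev"}},
    # Record with an attribute missing entirely: checks must fail closed, not assume compliance.
    {"id": "vm-legacy-99", "cloud": "regional-sp", "region": "eu-central",
     "personal_data": True, "tags": {"owner": "ops"}},
]


@dataclass
class Rule:
    rule_id: str                                # hypothetical identifier
    frameworks: List[str]                       # which regimes the rule is mapped to
    weight: int                                 # risk contributed by a failure
    check: Callable[[Dict[str, Any]], bool]     # True means compliant


def _get(asset: Dict[str, Any], key: str) -> Any:
    # None for an unknown attribute; every rule below treats None as non-compliant.
    return asset.get(key)


def _holds_personal_data(asset: Dict[str, Any]) -> bool:
    return asset.get("personal_data") is True


RULES: List[Rule] = [
    # Encryption at rest: only an explicit True passes (False or missing both fail).
    Rule("ENC-001", ["PCI", "HIPAA", "GDPR"], 5,
         lambda a: _get(a, "encrypted_at_rest") is True),
    # Basic ownership tag so a finding can be routed to someone.
    Rule("TAG-001", ["INTERNAL"], 1,
         lambda a: bool(a.get("tags", {}).get("owner"))),
    # Regional isolation: personal data must live in an eu-* region.
    Rule("GDPR-REG", ["GDPR"], 8,
         lambda a: (not _holds_personal_data(a))
         or str(_get(a, "region")).startswith("eu-")),
    # Right to erasure: personal data needs data-subject and retention tags
    # so deletion requests can be located and scheduled.
    Rule("GDPR-ERASE", ["GDPR"], 4,
         lambda a: (not _holds_personal_data(a))
         or all(k in a.get("tags", {}) for k in ("data_subject_region", "retention_days"))),
]


def evaluate(inventory: List[Dict[str, Any]], rules: List[Rule]) -> Dict[str, Dict[str, Any]]:
    """Apply every rule to every asset; return failed rule IDs and a risk score per asset."""
    report: Dict[str, Dict[str, Any]] = {}
    for asset in inventory:
        failed = [r.rule_id for r in rules if not r.check(asset)]
        risk = sum(r.weight for r in rules if r.rule_id in failed)
        report[asset["id"]] = {"cloud": asset["cloud"], "failed": failed, "risk": risk}
    return report


def risk_by_cloud(report: Dict[str, Dict[str, Any]]) -> Dict[str, int]:
    """Roll per-asset risk up to the cloud the asset lives in."""
    totals: Dict[str, int] = {}
    for finding in report.values():
        totals[finding["cloud"]] = totals.get(finding["cloud"], 0) + finding["risk"]
    return totals


def max_risk(rules: List[Rule] = RULES) -> int:
    """Worst possible score for one asset, used to give the numbers a scale."""
    return sum(r.weight for r in rules)


if __name__ == "__main__":
    rep = evaluate(INVENTORY, RULES)
    for asset_id, f in sorted(rep.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{asset_id:14} {f['cloud']:15} risk={f['risk']:2}/{max_risk()} failed={f['failed']}")
    print("risk by cloud:", risk_by_cloud(rep))
```

Running it against the constructed inventory, the Finance VM fails all four rules and the legacy record with the missing encryption attribute fails two, while the two properly tagged and placed workloads come out clean. The point of the fail-closed handling is that in a real multi-cloud export the attribute you cannot read is exactly the one you should not assume is set.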

Now, once you get your head around the need for Risk and Compliance management, the problem is exacerbated by this thing we call multi-cloud and hybrid cloud.  Simply put, enterprises are not using just one cloud today; they are using a variety of clouds in concert which together form their virtual enterprise.  From on-premises clouds for critical workloads, to public clouds for rapid prototyping, to SaaS applications like Salesforce or Office 365, to niche applications like SAS for analytics, or online HR and payroll apps, IT organizations have workloads and data that span a variety of clouds.  And while SaaS applications offer them little direct control, even the traditional IaaS workloads they do control are spread across private clouds built in multiple datacenters across an organization, regional service providers, and public clouds.  Bottom line: it’s REALLY hard to manage all of your IT assets, but the regulators really don’t care.  Simply put, if you are not in compliance, you risk being fined (or losing certification, or other penalties depending on the specific compliance regulations).

(Warning – Soapbox rant ahead.  Skip this paragraph to avoid).  So how DO you get control – or at least visibility – into all your virtual assets across so many clouds?  And, how do you maintain that visibility/control when virtual assets are being created and destroyed daily/hourly/by the minute?  Well, there is the challenge.  The industry still doesn’t have a true multi-cloud management standard (at the control plane level).  There are continual waves of ISVs building solutions to limited success, and enterprises dabbling in those solutions.  But what I have seen firsthand, is that these solutions (true multi-cloud cross platform management) all end up suffering from the same flaw – which is they have to work to the lowest common denominator.  Meaning if you want to “be the one manager to rule them all” so that you simplify control to a common plane – that manager is limited by what the least advanced cloud it is managing can do.  Also, the lifecycle management of that tool is immense, because each time the APIs for the underlying cloud platforms change, the management tool has to change – and those API changes are constant.  Bottom line, a true multi-cloud manager is still more of a dream than a reality – but that doesn’t negate the requirements for Risk and Compliance management!

(Soapbox rant over, back to our regularly scheduled blog).  So if I can’t have a true management control plane across all my cloud assets, what do I do?  Well, while the management control plane is still being resolved, the risk and compliance responsibilities for any IT organization exist today and must be addressed day in and day out.  Traditionally, the methods used to approach this challenge involved custom scripts, Excel spreadsheets, various independent automation tools, and other hodge-podge methods.  While this may work for small datacenters, once you need global visibility across an entire virtual enterprise spanning multiple clouds, with financial penalties for non-compliance, the methodology breaks down very quickly.  Simply put, one-off scripts and Excel spreadsheets don’t work for the modern virtual enterprise, particularly in a world of virtual machines that can be created and destroyed many times a day.

To address this challenge head on, Dell EMC has partnered with Caveonix and VMware to build a solution which enables Cloud Service Providers to offer a true Risk and Compliance Service.  This solution is multi-tenant, service provider focused, and ready today to accelerate Risk and Compliance Management for commercial and enterprise organizations globally through our Service Provider Partners.

Caveonix RiskForesight™ is the industry’s first multi-tenant cyber risk and compliance management platform for the hybrid cloud, enabling service providers to offer full workload protection and compliance management services to their customers. The platform provides proactive workload protection from risks due to cyber threats and helps organizations meet regulatory and framework requirements such as GDPR, PCI, HIPAA, ISO, NIST, FFIEC, FISMA, and FedRAMP through continuous compliance.  RiskForesight’s Detect, Predict and Act continuum extends the NIST Risk Management Framework with active defense, in addition to providing continuous automated monitoring and quantitative risk posture analysis of applications and their workloads.

The Risk and Compliance Management as a Service Solution (RCMaaS) is built from the ground up to enable rapid go-to-market (GTM) for service providers, with the peace of mind of a solution built on an industry leading stack including Dell PowerEdge Servers, Dell EMC Isilon Storage, VMware through VCPP, and Caveonix RiskForesight™.

Bottom line is this:

  • Risk and Compliance is a real issue faced by corporations around the world.
  • The challenge is intensified as the virtual enterprise expands across multiple clouds.
  • Regardless of how it is done, compliance is a requirement across almost all workloads today.
  • Service Providers are perfectly positioned to offer services to address this challenge.
  • The solution needs to be addressed holistically, across a multi-cloud ecosystem.
  • Dell EMC, VMware, and Caveonix have a solution ready today to address this challenge.

Act now!  Being compliant is more cost effective than the alternative!

Contact us today at: GA_Spotlight@dell.com

Learn more:

Risk and Compliance Management for Cloud Service Providers Knowledge Center

*Cybersecurity Insiders, “2018 Cloud Security Report” – Report

About the Author: Douglas Lieberman

Douglas Lieberman currently runs a global organization at Dell EMC responsible for driving the future strategy of Dell EMC in the global service provider market. Previous to his current position, Douglas was the Vice President of Global Engineering for Leidos (previously Lockheed Martin), driving the creation and implementation of a Leidos presence for Cloud, Enterprise IT, and Cyber programs around the world, as well as being responsible for managing the engineering talent globally for all regions outside the United States. Douglas has been architecting solutions and designing/delivering Enterprise IT and Cyber solutions across the industry for over 20 years. Douglas is highly engaged across the industry, speaking at senior leadership forums, government events, and conferences to promote the benefits of Cloud computing, Cyber, and Modern Critical Infrastructure Solutions, as well as serving on the Board of Directors for technology companies and supporting multiple Industry Councils. Douglas served as Director of Operations, Director of Research, and other leadership positions for various global companies before joining Leidos. Across his career, Douglas has served in the roles of CTO for several organizations each with annual sales of close to $1B, Chief Architect implementing multiple new classified global networks, designer/implementer of large internal clouds, and senior technical advisor to many International Programs. Douglas leverages his depth and breadth of experience as well as his extensive connections to design and implement highly complex solutions for Enterprise Customers and governments around the globe. Douglas holds an MBA from University of Maryland University College, an M.S. in Cyber Security from University of Maryland University College, and a B.S. in Computer Science from DeSales University.
He is also the recipient of numerous awards, including the prestigious Lockheed Martin Celebration of Excellence Award for Leadership, the NOVA Award for International Business Growth (top award at Lockheed Martin), and the US President’s Bronze Award for Community Service. Douglas has also served on the Board of Directors for technology companies, in addition to roles with community organizations such as the Philadelphia-Israel Chamber of Commerce and the Erie Innovation District, where he is providing support to grow business globally through technology outreach.