The Business Case for Cloud Data Security Tools and Platforms
This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Okera CEO Nong Li offers the business case for cloud data security tools and platforms.
One of the most contentious and anxiety-producing proposals we can introduce to a company’s executive team is to run sensitive data workloads in the cloud. It’s a topic that’s charged with ambition on one side and fear on the other. It’s such a hot-button issue that some organizations have shifted focus to growth and innovation, and are now establishing a compelling business case for securely migrating sensitive data to the cloud in a cost-effective manner.
So What’s the Problem? The “cans,” the “cannots,” and the “will nots.”
A successful business case stems from identifying what problem(s) need solving, and for whom. When thinking about running secure data workloads in the cloud, we can consider them as falling into one of three business blockers: the cans, the cannots, and the will nots.
Business Case: Cloud Data Security Tools
When we think about the “cans,” we are referring to employees who can get access to data – any data – even if there is no business reason for that to happen. In security parlance, they are considered “over-provisioned.” Over-provisioning is a big problem for security teams because we are all individual security vectors; if our login credentials are compromised, all the data we have access to can end up on underground markets.
Over-provisioning is also a big problem for our audit, compliance, and data protection officers. Allowing employees access to data they have no legitimate business purpose for using is just asking for trouble with all the regulators who clarify that certain data is restricted and cannot be used indiscriminately. Over-provision access to data, and regulators can and will fine the business.
The “cannots” are the exact opposite. In this scenario, technical teams lock down more data than is necessary, meaning employees cannot use data to find critical insights that lead to growth and opportunity. Lack of access to data – though an enormous business blocker – is harder to quantify. How do we establish that our business would be more competitive with expanded data access when we haven’t had an opportunity to analyze it first? The answer is we can’t, but we can establish that modern cloud data security allows the business to expand its understanding of market opportunities and innovate faster. Agility and speed are arguably the most important indicators of business success in today’s digital economy.
And finally, the “will nots” are the “no” people who have a legitimately rational fear of moving sensitive data to the cloud. The problem with the “will nots” is that their hesitancy to move to the cloud blocks the business from doing more with less and from creating new products and services faster.
Who and Why: Jobs to be Done
Which blocker is worse for us? What about other stakeholders? Is accepting one blocker riskier or more acceptable than the others? The answer depends entirely on our point of view and our obligations to the business.
In fact, it is here where we establish the heart of our business case. We are all hired to do a job for the business, but what if we could establish data security – specifically for cloud data platforms – to make everyone’s job better? Ultimately, the company runs more efficiently, and the business becomes better informed. To build an end-to-end business case, we need to start by addressing all data stakeholders involved, including:
Line of Business
Obligation to the business: create value for the company. We’ve been talking about “unleashing the power of data” and data democratization for decades now. But few have achieved it. To build out our business case, we start by identifying the company’s business goals over the next one to three years.
Financial Services, in particular, were early adopters of the cloud, but they didn’t migrate without reason. For instance, one of our customers knew that modern cloud resources would accelerate their ability to develop superior customer experiences and thus become more competitive. Another moved to the cloud because their on-prem big data solution couldn’t scale to meet demand (a technical problem).
More importantly, this customer wanted to free up their analysts and data scientists to use best-of-breed and custom applications so they could detect and correct fraud in financial markets faster and more accurately. In both cases, highly sensitive data is co-mingled with non-sensitive data, and they needed a way to open up access to those with legitimate business needs.
The bottom line? Find out what is important to the organization and map how secure data access helps the company meet its ambitious goals.
Data Engineering Teams
Obligation to the business: deliver reliable, trusted data to the organization. Data engineering teams have the unenviable responsibility of implementing data access controls – over and over – across all data and analytics platforms. Because each data platform has its own access control mechanisms, requirements that are handed down by the security team or Data Protection Officer are implemented differently.
This leads to inconsistencies, gaps, conflicts, and customized workarounds that are difficult to maintain. A modern data security platform lets data engineers work with data stakeholders to develop abstract policies, such as “sales directors can see personally identifiable information (PII) for their own accounts.” This enables them to get out of the mess of implementing little bits of security in lots of different places.
Finally, a modern cloud data security platform offers a great economy of scale. Data access control policies exist independently. Data engineers simply register new data, users, and use cases to existing policies.
The bottom line? Organizations realize an enormous advancement in how teams work to bring data to users faster, and more securely.
Obligation to the business: Use technology to make the business run more efficiently. The IT/infrastructure teams are the most vested in moving operations to the cloud in general terms. They’re usually the team with budget, and the ones who benefit the most by being able to do more with less. But, with the separation of storage and compute came awkward controls that, because of their complex implementation, sometimes became the purview of the IT team, and the data team, to author and enforce.
A modern cloud data security platform removes ambiguity and redundancy. IT can lock down all data access and leave it to the data owners and data stewards to apply access control policies to selectively provision data to meet business demand. The infrastructure team does, however, have a big say in whether the selected data platform meets their operational needs.
Expect a veto if you can’t demonstrate that a security platform can work within your cloud environment, is secure in its own right, and scales to stand up to whatever load is thrown at it. One last thing to avoid a veto is to ensure that the platform works without users having to change the way they work, as the IT Team will ultimately be responsible for managing the platform.
The bottom line? Choose a solution that is easy to implement, support, and maintain.
Obligation to the business: Minimize and manage risk. The way to build the business case for your security team is to focus on their ability to assure that data access control policies are implemented as intended, enforced consistently, and can be immediately disabled in response to threats. Modern data security platforms support zero-trust and fine-grained access control, automated data classification, and dynamic attribute-based policy enforcement. Remember the “cans” who are over-provisioned?
The whole point of modern data security platforms is to use security to open up data so employees can use it responsibly. Leveraging a security platform means security teams spend less time demonstrating regulatory compliance because they can run their own audits and analyze sensitive data usage.
The bottom line? Simplicity, visibility, and speed help the security team minimize and manage risk.
Audit and Compliance
Obligation to the business: Comply with the law. Similar to the security team, audit, compliance, and data protection officers need confidence that data access control policies are implemented as intended and enforced consistently. Not only that – they need to demonstrate it for government regulators. With a modern data security platform, they can self-serve their own reports and dashboards, easing up pressure on other teams and making everyone’s job easier.
The bottom line? If something is found that needs to be fixed, it’s easy enough to loop back to update policies and show the regulator that corrections are in place.
How: Demonstrate the Path to Success
The challenge now is that despite establishing pain and persona-based benefits and desired outcomes above, we know that’s not always enough. Those who manage the purse strings want to know what it takes to achieve these outcomes, including how much time and how many people? How do we know we are taking the right steps in the right order? How do we know if we’ve done it right or have to make improvements?
Fortunately, by following best practices, it’s easier than we think to demonstrate how to move sensitive data workloads to the cloud. For example, we could follow the EDM Council’s Cloud Data Management Capabilities (CDMC) Framework. Real-world practitioners from leading financial firms, consultancies, technology firms, and numerous other corporations worked with all the big cloud providers over multiple years to address the big questions of how we do it and how we know if we’ve done it correctly.
Since this framework is available as a free license for internal use, there’s no reason not to consider using it in our business case. Another benefit is that it clearly lays out the major components we need to implement for a successful cloud data framework, the capabilities we need to implement, controls to monitor our progress, and automations to keep our data-driven enterprise humming along reliably and securely.
Moving sensitive data workloads to the cloud should not be taken lightly, but today it doesn’t need to be as anxiety-producing as it once was either. By showing how modern data security reduces or even eliminates cross-cutting business problems, we can unblock the business so it can build more and better, and execute faster. Start by grounding our business case in our company’s one- to three-year goals, and take precautions to reduce implementation risk with a comprehensive and vetted framework of best practices.