So, what is infrastructure now anyway? Who owns it and, more importantly, who administers it? These are all open questions in the world of IaaS, DRaaS, PaaS and cloud-managed hardware. With more and more workloads moving off-prem or into a hybrid configuration, maintaining your firm's or your client's compliance controls is becoming a more dynamic and complex task.
Take for example DRaaS. Recently I started moving down the road of getting rid of our physical DR colo and transitioning all our standby systems to a third-party hosted service. Lower TCO, better physical controls, etc. all make it a pretty compelling idea. Imagine my surprise when, after sending my first build sheet with all my protected VMs, I got an email stating that they don't yet support some of the versions of VM hardware we have on site. Now I'm not a bleeding-edge adopter when it comes to VMware by any stretch, but this version was at least a year old. Moreover, to further complicate the situation, we are mandated by our outside auditors to remediate our systems when vulnerabilities are exposed and patches released, which means we update our hypervisors regularly. Suddenly the whole "cloud is better at compliance and security than I can be" argument was showing cracks.
I use this example to illustrate that now we are expected to understand not only the management and administration routines of our own networks and systems but also those of the vendors we entrust with our data. So what can be done to help lessen the burden?
- Start a vendor management program
  - Nothing major, but get your vendors to share with you their third-party audit reports or compliance documents. These should align with most of the standards you are subject to as well.
- Understand what's still your responsibility and what you are offloading
  - A third-party hosting provider is not, in most cases, responsible for the contents of the data you host with them. Your policies and requirements are still in effect.
  - Understand how you can get your data back and verify its deletion in the event of a dispute.
- Bring your auditors and/or clients into the conversations as early as possible. Don't assume they are okay with moving workloads to a third party. There may be audit requirements for the third party now that need to be addressed.
This should not be taken as the definitive list (obviously) but can get you on your way to thinking about this new shared approach to compliance and risk. The cloud and the use of third parties offer huge rewards if thought through and fully understood, but can also get you in hot water if jumped into without the proper context. Some clients may ask you to let them know who will be holding their data and could push back if that provider doesn't fall into their approved list. Others may push you to update some of your policies on data transfer, classification, and key management as a result. These are all good things but require thought and planning. The most important thing to remember is to give yourself more time in the planning stage of any project involving cloud or third-party data handling. In the end, you'll thank yourself when you breeze through the clients' questionnaires and look like a hero to the partners! Let's face it, we all could use a little more of that.