Where is Data Governance Headed?
14 February 2014
I attended the HFMWeek Technology Leaders Summit in Sussex, England this past week. The setting at the South Lodge Hotel was like stepping back in time into a 19th-century manor. With over 40 hedge fund CTOs and COOs in attendance, as well as a few vendors and integrators, the old English manor was abuzz with interesting conversations – including my panel on Security 360 – but a large portion of the cloud technology round tables revolved around data governance and the importance of reputation when selecting cloud technology vendors.
The Challenges of Data Governance Today
Data governance in the cloud is an emotional topic. There is a wide range of opinions when considering the impact of regulations, data sovereignty, the NSA and the Patriot Act (both the new French version and the original hailing from the U.S.). Keep your eyes peeled for my colleague Mushegh Hakhinian’s write-up on the details of the French Patriot Act. The impact of these regulations, both new and old, makes it difficult to do business in our global economy and extremely challenging to make the right decisions when selecting a cloud vendor. It is a difficult time to be the person in charge of IT strategy because there are so many options in the technology landscape. These days, MIFID 2, FATCA, AIFMD and the EC-Directive are all causing financial services IT teams to become just as well-versed in regulation as in relational databases, or should I say NoSQL DB.
Factors to Consider When Selecting a Cloud Technology Vendor
This is where point two comes into play, which is the importance of the cloud vendor’s reputation during the selection and usage period. The contractual legalese is going to be hard fought and the regulators are going to continue to change their playbook. Selecting cloud vendors that are not “fly-by-night” (they've been in business and plan to be for a long time) will help ease the issues around the uncertainty of contracts and regulatory changes.
One important contractual negotiation with cloud vendors revolves around exit clauses and migration strategies. Most people are forward-thinking enough to negotiate a migration strategy within their cloud vendor contracts, but the legal wording can be interpreted in many ways when the time comes to execute on this clause. The overall financial health of the organization is an important factor when selecting vendors because a contract alone cannot always protect you against acquisitions, financial concerns and a myriad of other problems that happen when doing business with a rapidly evolving company. If a cloud vendor is young, growing and seems “hot” at the time, they are likely to be acquired and merged with another company.
Vendor reputation must be combined with the other cloud security guidelines, especially one spoken so eloquently by my co-panelist at the Security 360 panel: “We strongly recommend that companies do not use Dropbox.” There are many reasons why this is a true statement but two that come to mind are the fact that data governance is a major issue with a vendor architected like Dropbox and it is hard to get to know the teams – at least any team besides Sales. We’d be more likely to learn about Dropbox’s management team from a Super Bowl commercial than a technical strategy discussion to align product roadmaps.
The Future of Data Governance
So what’s to come from the changing regulations around the globe and the plethora of options for technologies? How can we ensure that our business is not impacted by something outside of availability and durability of a service?
I’m afraid that the answers to these questions lie in the hallways and dining halls of places like the South Lodge Hotel. No, not hidden in one of the 200-year-old closets, but in the form of conversing with other people and getting to know the companies that you’re working with. Don’t just meet with the sales team – get to know the security, technology and executive teams of your vendors.
This “old-fashioned” way of doing business will protect you more than sending auditors to your vendor’s datacenter – although I’m sure some vendors provide example datacenters eerily similar to the House of Wax. Stay tuned to the work that the Cloud Security Alliance is doing to help standardize cloud vendor evaluation and audit reporting.
Until next time…
John Landy is the chief security officer at Intralinks. Having served as chief technology officer at Intralinks for the past 5 years, he utilizes his technical background to work with clients to understand their security needs in sharing and storing sensitive information. John has been working on internal Intralinks controls for enterprise security and corporate risk and oversees a function comprising Customer Engagement, Security Architecture and a Security Operations Center.