With competitive corporate pressures to reduce IT operations and security costs, transitioning workloads and data to the cloud are unstoppable — but the most challenging question is how to govern the process to ensure a predictable, accountable, and scalable transition, and resulting cloud infrastructure that accounts for the diverse interests of the internal stakeholders and the regulators. The latest Forrester Research report, Best Practices: Cloud Governance, gives cloud leaders a blueprint and best practices for cloud governance and accounts for stakeholders, workload targets, processes and tools.

Forrester defines cloud governance as "The ability to provide strategic direction, track performance, allocate resources, and modify services to ensure meeting organizational objectives without breaching the parameters of risk tolerance or compliance obligations."

The practice, analysts say, includes cloud security, container security, and software-as-a-service (SaaS) security. Enterprises must build out full cloud governance practices because the cloud serves critical apps; self-service provisioning and pay-per-use inflate cloud costs; cloud increases third-party risk; cloud governance risks are impeding productivity; and data protection is mandatory. 

"Data protection is a mandatory activity for protecting sensitive financial, customer, employee, and other IP data in the context of a growing landscape of compliance regulations," says Kevin Dunne, President at Pathlock. "While financial data has historically been a focus due to SOX compliance regulations, the introduction of General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other data privacy regulations are pushing the emphasis on personal data. Enterprises are now focusing on protecting critical customer and employee data, much of which is moving to cloud-based systems. These cloud systems are often multitenant and vendor-hosted, and therefore cannot be secured with typical approaches like network-based access control or database-level encryption. A new breed of SaaS-friendly data access governance solutions is emerging to protect this most sensitive data where it resides most often."

On average, the analysts found, surveyed infrastructure technology decision-makers at enterprises in North America and Europe report that 31% of their infrastructure is in an owned facility, 20% in a co-located facility, 24% in a public cloud, and 25% hosted or outsourced in another environment. This, paired with the reported hundreds of SaaS applications in use and increasing pressures for GDPR compliance, emphasizes that (sensitive) enterprise data is everywhere and must be protected. 

Oliver Tavakoli, CTO at Vectra, explains this "distributed nature of confidential and mission-critical data (on-premise, in SaaS application, in public cloud IaaS and PaaS) increasing regulatory frameworks driven by continued breach reports ratchet up pressure on information security teams. Comprehensive data governance, as well as threat detection and response related to access of this data, have become table stakes for cloud-adopting organizations."

Full cloud governance requires a different approach to data management and protection and requires organizations to define the scope of cloud governance clearly. Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, explains that gaining and maintaining executive support is critical for any cloud governance model. "Governance can be perceived as an impediment that slows down the business. Security leaders must clearly articulate the risks around "the cloud," gain executive support and then roll out a framework that protects and enables cloud services. If enterprises implement cloud data governance poorly, then pandora's box will be challenging to close."

Data residency is also a vital component of any data protection strategy, Holland adds. "Vendors must guarantee that a clients' data remains in a specific geographic location, and this need extends beyond just GDPR use cases. Vendors that don't have regional infrastructure will be at a competitive disadvantage. This requirement can be particularly challenging for smaller technology vendors that don't have the resources to invest in global architectures."

For more information, please visit https://www.forrester.com/report/Best+Practices+Cloud+Governance/RES158301