Adhering to compliance can be tricky for enterprises that move to the cloud, but the creation of standards to automate governance could ease some of the issues they face. The Open Networking User Group (ONUG) recently issued a whitepaper that lays out why standardizing different reporting methods might save organizations from some of their headaches.
Co-founder Nick Lippis says ONUG is advancing its efforts beyond the first phase of the collaboration, which focused on basic governance in the cloud era. “Governance is all about control, how you control information and data,” he says. “Those two pieces are usually the root causes of failure in most digital transformation projects.”
Organizations want to reassert control over their data and information in order to make good on their digital transformation and consume more cloud services, Lippis says. ONUG’s whitepaper includes a design model for cloud governance policy and other frameworks organizations might consider adopting.
Lippis says cloud providers often talk about a shared responsibility model where the users take active roles in the process. The trouble is that the feedback and communication organizations receive is not always clear. He compared cloud providers to landlords who maintain and upgrade apartment buildings with the users as the tenants. Updating the property is the landlord’s responsibility. However, some cloud providers do not always provide much information about what is being changed and upgraded, Lippis says. Such breakdowns in communication and control could throw the enterprises out of compliance, he says, which they might not be known until an audit is conducted.
There is a need for better transparency, Lippis says, so organizations know what is happening when changes are made, or events occur. This is can be of particular concern when organizations adopt multicloud approaches, matching workloads to different cloud providers. Security questions may arise because each cloud provider might communicate information to users in varied ways. “It could be the same kind of event, but they’re all coded differently,” Lippis says. “The syntax is different.”
Dealing with a confusing mix of alerts and notifications that lack uniformity often leads to security teams ballooning in number, he says, as more people are needed to monitor each cloud provider separately. This can drive up operational cost, he says, and creates technical barriers. “Since they’re all different, you can’t code to that,” Lippis says. Notifications from different providers issued with different labels and formats, he says, can prevent aggregation, understanding, and automation of governance. That is the key finding of ONUG’s first phase, Lippis says, and points toward the next phase to create a common definition around security events, alarms, and alerts cloud providers can provide uniformly.
Under the next phase, he says, ONUG’s working group will convene with project managers and engineers from major cloud providers to define the alerts and how they should be reported. Uniform reporting would allow for the establishment of policies based on common definitions for automation. In a conference planned for October, ONUG expects to see multivendor demonstrations on security notifications from multiple cloud providers that can be coded and responded without anyone touching a keyboard.
ONUG’s working groups began its latest effort in January, with team members going virtual under the pandemic. Part of their work looked at creating toolsets for users to share in cloud responsibility and taking more control over information and data. The COVID-19 pandemic increased the importance of this work, Lippis says, as many organizations leaned more heavily on the cloud. “They realize and know that what’s happened now in their enterprise cloud is not just a new way to do IT, it’s the new business platform,” he says.
ONUG plans to continue work on the definitions, Lippis says, which could lead to frameworks to better ingest information across different modes and devices. “We’re hoping this could create a huge market opportunity for a range of companies that could take this normalized data to customize governance and policy as code for the large enterprise,” he says.
Future phases for ONUG will include input from experts from the compliance community, Lippis says, for to reduce time for audits. He also foresees security getting more deeply integrated into the continuous integration/continuous deployment pipeline. “All of this work helps accelerate the velocity for corporations to deliver digital products and services,” Lippis says.
For more content on cloud and data governance, follow up with these stories: