Tackling data sovereignty with DevOps and the Cloud
Organisations have more choice than ever over the types of cloud services they can procure, with many offering guarantees around where data is held and how it is handled. This means that there are more options for putting central business-critical services out to the cloud.
However, cloud has also brought with it more focus on data security, as organisations now have to ask where their data is and be sure of what will happen to the information held in the event of law changes, national events (e.g. Brexit) or company reorganisations.
Organisations need to strike a balance between data security considerations and flexibility benefits.
Businesses can still access the advantages of cloud and agile service delivery by taking a sensible and carefully thought-out approach to deployment activities. Introducing a DevOps culture is a way to be more agile; however, in a recent report, 46% of DevOps leaders cite data security issues as the biggest challenge when introducing DevOps into processes (2).
Where does your data really need to be?
Many regulated organisations automatically default to wanting UK-based datacentres for any cloud service to prevent the risk of data leaving the UK. However, having a local provider isn’t the end of the story. For one, many providers have backup or disaster recovery sites in other parts of Europe. Secondly, US companies with datacentres here may still have to comply with US data laws demanding governmental access to information. So you have to think not only about where the data is, but also about the laws that your hosting provider may have to comply with.
There are actually many different cloud options that aren’t UK-based but still offer high levels of data security, and are probably suitable for a large majority of projects being undertaken, especially if using dummy data for testing purposes. Obviously, for applications handling sensitive customer data, public cloud services may not be suitable – especially as many cloud services delivered at scale don’t offer the ability to be tailored to each individual customer. These services provide a ‘one size fits all’ solution, which isn’t great for organisations that need to be incredibly prescriptive about their data and application environment.
Data security concerns aren’t always down to the cloud services or delivery tools themselves: an article in CIO reported that data security issues around DevOps and more agile ways of delivering services are often down to a lack of understanding by staff, rather than the tools themselves (1). There is understandably concern when moving to a new approach to IT service delivery, and one of the main areas that worries users about DevOps practices is the lack of audited access to data when delivering applications – a sign that clear security processes are not being laid out before DevOps projects are undertaken (2). Taking the time to put in place a structured approach to data security management (covering access rights, data locations and user roles) can help to reduce any concerns that stakeholders may have about DevOps practices.
| Stage | Description | Provider |
|---|---|---|
| Stage 1 | These consist of non-critical apps that don’t handle customer data and can be put out to the Public Cloud or overseas. | Public Cloud Provider |
| Stage 2 | This would be the default stage which most apps fall into, where any services are delivered purely in the UK. | UK-based Cloud Provider |
| Stage 3 | This is for the most secure applications, and apps in this category could remain in-house or be put onto a highly secure dedicated hosting service. | In-house or Secure Hosted Solution |
For each of the stages, your organisation would have a dedicated provider so that at the end of the standardisation process there is a select list of trusted cloud providers who deliver the most appropriate solution for each application. This tiered approach enables you to save money where you need it (e.g. public cloud services for non-critical apps) and retain security levels where required (e.g. customer data).
DevOps practices integrated into the cloud deployment process can also help speed up service delivery and application development. But, as CIO magazine points out, DevOps (and this applies to cloud service delivery in general) isn’t about cutting corners to speed up processes; it’s about breaking larger projects down into smaller components and automating the parts that suit being automated, whilst delivering smaller ‘chunks’ little and often (1). This can actually prove to be a less risky approach and, when done in a structured way, can maintain the same high levels of data security that businesses enjoyed when delivering services in-house.
- (1) http://www.cio.com/article/3042893/security/is-devops-good-or-bad-for-security.html?page=2
- (2) http://www.zdnet.com/article/survey-reveals-data-issues-represent-biggest-challenge-to-devops-initiatives/