ECDC 2021: Compliance and Governance – Delivering a Clean Cloud


Prakash Sethuraman, Global Head, Cloud Security, HSBC; Nathalie Laneret, Director of Privacy Policy, CIPL; and Ankur Rastogi, Head of IT Application, Cloud Migration at Lufthansa, speak to Ravi Raman, Publisher & Storytelling Director at Vibe Projects, at ECDC 2021.

The discussion revolves around data security on premises and in the cloud, and how enterprises can help deliver a clean cloud across businesses. Here’s the full transcript of the discussion.

Ravi Raman: One of the biggest challenges is maintaining a balance between ease of business and data privacy compliance. How can the right balance be achieved?

Nathalie Laneret: The key is that compliance and data protection laws have to be made a business imperative. It has to go beyond being an arrangement to satisfy the law. All stakeholders need to be equally responsible. Making this into a competitive business will be beneficial.

Prakash Sethuraman: This topic is not new to me at all. In fact, in the banking scenario, meeting compliance is not an option at all. This is a necessity, and we must abide by it. Compliance is like driving, but with a speed limit. Can you drive over and above the permissible speed limit? Yes, you can. Should you? No, you shouldn’t.

Compliance exists to protect your customer and their data in an organisation. This is not an either-or situation. Processes must be developed, automated and bettered. What you are trying to achieve is a customer journey that is compliant. One must remember this fact. What keeps a customer safe also keeps the organisation safe. It’s a moot point. You have to find a compliance standard and keep moving fast.


Ankur Rastogi: I shall speak from a cloud perspective. We need to differentiate between ‘What’ and ‘How’.

What must you focus on? You focus on an appropriate governing structure. You focus on a solution-enablement philosophy. ‘How’ helps you decide what you must focus on and how the implementation will be. You try to control things when you govern. And when you control things, bottlenecks, delays and a clampdown on creativity happen. Focus on ‘What’ instead of ‘How’. Enterprises must try and build a rapport with the cloud. Issues like logging, securing, and the power to intervene when anomalies are detected come through the cloud.

Ravi Raman: Taking Prakash’s driving analogy forward, the limits and regulations are different in different regions. There are no rules or penalties that are consistent globally. How can we address that?

Prakash Sethuraman: That is the summary of compliance, or any regulation for that matter. When you are a regional organisation, you get a homogenous atmosphere to work in. When we talk about global enterprises like HSBC, compliance is a way of life. It’s something that is done every day. So long as we keep an eye on what compliance is trying to achieve and why it is being done, the how-to, or the process of maintaining compliance, is achieved without any extra effort. There is not much debate about the variation in compliance regulations. The essence is protecting what’s valuable.

Ravi Raman: How can enterprises recognise and mitigate breaches?

Ankur Rastogi: From a cloud computing perspective, I believe that the cloud is more secure than on-premise systems. They provide continuous upgrades to their security that normal organisations can’t match up to. Also, because they work across regions, they have to keep themselves updated. Clouds can adhere to international standards and certifications. These are challenges a conventional data security firm may not provide. However, the control, access and security of the data and application happen within the cloud itself by these firms. Depending upon the model of infrastructure, right from the application development stage itself to the cloud, the organisation itself ensures security.

Principles like design security, putting all security protocols in place, like access control or password change, everything must be put into place by the organisation.

Nathalie Laneret: I agree with what Ankur said. You have to be the best in class. Your clients come to you because of this. A holistic approach is crucial for organisations because it will help them evaluate their risks. Compliance and training are crucial to achieving cloud security. How leadership teams work in securing data and the adopted policies have to ensure compliance is an issue in data protection laws. This is compliance, as well as a big business imperative.

Ravi Raman: What lessons can be learnt from GDPR? Do you see the Middle East coming up with a framework, or do you feel a broader framework will be put in place?

Nathalie Laneret: The EU has seen the implementation of GDPR, and that in itself is a gold standard of sorts. GDPR may not be the perfect approach for the Middle East region. We can think of a softer approach initially. A code of conduct that’s adaptable by others can be taken into account. Something similar has been seen in the Asia-Pacific region, where certifying organisations can certify two companies already complying with rules. This is similar to GDPR. However, a soft-touch approach is important.

Prakash Sethuraman: Regulations will always turn up, sooner or later. That is a given. A softer-touch approach is better. Businesses always bear the cost of the regulation violation. This is more expensive than protecting a consumer’s data. That is always beneficial. Consumer data isn’t to be misused. Organisations must secure customer data and devise policies and regulations that prevent data from getting misused. Threat perception must be top-level. A heightened approach is always better as that prevents organisations from digressing.

The EU has a fairly homogeneous legal system. It took a few decades to reach the level of maturity prevalent in protecting data. In the current scenario, time isn’t a luxury, and regulations and laws have to be quickly devised.

Ankur Rastogi: Most regulations and compliances are focussed on safeguarding personal data. This is largely common sense. Protecting a customer’s data is of paramount importance. The data, if misused, can have long-term harmful effects on the organisation. The same goes for the Middle East.

Ravi Raman: Many enterprises are not happy with the level of security provided by cloud security providers. Most of them are investing in their infrastructure to remain compliant with security standards.

Nathalie Laneret: Having a principle-based approach is important for organisations. A policy that tells organisations what has to be done, what should be the code of conduct, or what level of security must be put in place to secure data must exist. Having said that, organisations must be allowed to take charge of their security and take it forward.

Prakash Sethuraman: Concerns organisations have about their security are rooted in ignorance. They don’t have general information because the concept is new. We do not have such concerns as we have been doing this for years, and we are familiar with this system. Unfamiliarity breeds concern. The challenge, however, remains. Some organisations will require a stringent level of data security or compliance to keep things safely in place. In most health or financial organisations, the way data is audited and referred to requires a high level of diligence and security. SMEs don’t have such problems. On the other hand, banks can ask for years- or even decades-old data for reference or audits. We cannot say no to that. The gaps have to be closed.

Cloud service providers are probably more secure than on-premise data servers or storage places. Access control, who can log in, etc., are the most crucial for legacy enterprises. Cloud is super secure, and they tone down requirements based on clients. That is where it must be made secure. In the adaptation

Ankur Rastogi: Most organisations believe that security is essential when it comes to protecting their on-premise data. The organisations themselves mainly handle physical as well as virtual security. However, CSPs have a wide area of functioning, transcending geographical boundaries. The risks they encounter and the security measures put in place are also dynamic and continuously evolving. They are better equipped to handle security compared to individual organisations. Security is not the responsibility of cloud providers alone. Application development has to be very secure, and once that is in place, cloud infrastructure providers will follow.

The conference was supported by Platinum Partner Nutanix; Strategic Partners Lenovo and Intel; Enterprise Technology Partner Confluent; and Media Partners Enterprise Talk and IT Security Wire.