IT Governance in the Cloud Era

IT Governance in the Cloud Era

Enterprise IT often faces dueling forces. While the cloud and a proliferation of smart devices have opened new opportunities for data access, storage, and insights, they also introduce the potential for security risks and unprecedented data management challenges.

Enterprise data is no longer confined within an organization’s network and infrastructure. Data could reside in an on-premises data center, in a colocation data center, in the cloud, at the edge, on personal computing devices, or, most likely, some hybrid of all.

As a result, companies are reinventing processes, procedures, and safeguards as they leverage and manage the growing complexity of data. Building appropriate controls and governance requires a deeper understanding of a company’s data, whether it lies within IT, production, financials, or other parts of the enterprise.

Keeping data secure

“The growth of the cloud has changed how we think of security and how we manage it,” said Geoff Aranoff, vice president of information technology and global chief information security officer (CISO) at Western Digital. “Coming up with appropriate security solutions that can manage both cloud and on-premises is not just our challenge, but a challenge in the market as well.”

The cloud holds structured and unstructured data. It enables access to both enterprise accounts and personal accounts. It is a hub of services and unlimited resources available at the click of a button. A unique challenge for CISOs like Aranoff presents itself when applications create data that exists outside sanctioned IT infrastructure, often referred to as shadow data.

“Shadow data is the data that resides outside an organization’s formal data infrastructure,” said Aranoff. “It’s often defined as the data you don’t know about.”

Shadow data can introduce risk for companies. The applications and processes that create it likely do not have the same controls as sanctioned environments. In other words, they can open the door for potential data breaches when data lives without boundaries.

With the ease for anyone to use the cloud and spin-up resources, create a test environment, or evaluate new services and applications, Aranoff says companies need to tighten processes around how many people engage and how data is moved around. He adds that it’s a bigger issue for small-to-midsize companies that may not have the appropriate controls or adequate human resources in place.

“Since companies don’t have unlimited budgets, sometimes it’s about making smart decisions based on where data is sitting and how to control it,” said Aranoff.

The need for governance

Suraj Rao, the vice president of data analytics engineering at Western Digital, manages the company’s advanced analytics office. One of the team’s responsibilities is consolidating data across the company’s 15 global factories. Rao stresses the need for standards isn’t just about security but is also vital to integrating cross-functional data.

“You need to have the governance in place,” said Rao. “Once you have the right governance in place, you are minimizing risk factors because if there’s data governance, then there’s surrounding security.”

Rao agrees the cloud brings both opportunities and new challenges.

“On the plus side, we have the ability to collect data from all these locations and integrate that cross-functional data to get insights that were not possible before,” said Rao. “But the other side of that is now the central organization has to stitch together data that was collected in silos and that can be challenging.”

For example, yield is an important factory metric. But if data is collected in an ungoverned manner, the way two factories calculate yield could generate very different results.

“Without prior alignment and governance, it becomes very hard at the central level to figure out how to stitch the data together so that the data collected from various locations means the same thing,” said Rao.

Manufacturing, particularly smart manufacturing, is highly dependent on data to derive insights on quality, environmental conditions, etc. It’s not just the propensity for human error. In today’s world of decentralized data, sensors collecting information about the status of factory machines can be problematic if they are collected in an unregulated manner.

Show me the numbers

Bill Roy, the vice president of IT at Western Digital, manages the company’s data warehouse from which all financial data is derived. Roy’s team consolidates data from the company’s Enterprise Resource Planning (ERP), HR, sales, and other systems into the data warehouse. Data comes from the company’s operations in more than 35 countries, with tens of thousands of employees, shipping multi-exabytes of HDDs and millions of flash devices annually.

Incorporating all that data is no small task. Finance is a highly controlled environment where teams must adhere to regulations such as Sarbanes-Oxley (SOX) in the U.S., a federal law with specific mandates on corporate disclosures. In addition, countries outside the U.S. have their own regulatory compliance and privacy regulations that must be followed.

But without such controls in place, different versions of the data could exist. For example, if someone saved a report offline, whether that be to their own computer or onto another database. In that scenario, an individual wouldn’t be able to discern whether they’re looking at the right data or the latest version.

“We have to make sure that any data that’s reported externally is highly controlled, that it’s auditable, and that its checks and balances are done,” said Roy. “It’s probably our highest quality data because it’s so highly scrutinized.”

Yet not all data requires such rigorous quality controls.

Analyzing finished goods or logistics to identify how to best ship drives across the globe at the highest speed and the minimum cost is about moving the benefit value needle, not exactitude.

“You don’t have to scrutinize that data in the same way as what we’re reporting to the street,” said Roy. “[For projects like that] having 90% is good enough because they’re using it more to see trends and identifying the next set of value capture opportunities.”

Standards no matter where data sits

Whether it’s how to build more sustainable manufacturing or delivering products that power everything from the cloud to gaming devices, these data-reliant initiatives cannot happen without the right controls and governance in place.

The deeper the understanding of how data is used across the company, the more sophisticated the orchestration of its control mechanisms can be.

Related Stories

What is the 3-2-1 Backup Strategy?