Expert tips for managing your cloud data

Networking, governance issues are key


Cloud security governance processes must also be considered, as well as aligning corporate security requirements with compliance and privacy laws, especially when it comes to personal information, says Forrester's Shey.

Because it is a healthcare entity, CHS is finding security to be more complex to manage in the cloud. A lot of Hadoop environments that people use in the cloud are less mature than a structured relational database environment, CHS' Danzi explains. CHS is using HDInsight from Apache Hadoop, which has products such as Apache Ranger, a security layer for Enterprise Hadoop that administers and manages user-level access.

Microsoft Azure supports two versions of Hadoop implementations -- the fully managed HDInsight version, which does not yet support Ranger, and the IaaS version, HDP, which does. HDInsight is HIPAA compliant, "but doesn't have the deep user-level security features of Ranger, so we have to limit access," Danzi explains. That was an important lesson CHS learned early on: Ensuring the cloud vendor supports the software version a company is using, or wants to use.

"You can't assume these things offer all the security protocols and protections you're used to," he says. "Fortunately, someone here asked, and it was a lesson learned." Additionally, "we knew going in [that] the Hadoop version we're using is all or nothing" in terms of who can be granted access. But CHS wanted only its information and analytics services (IAS) administrators to be able to access its environment. As a result, the company built a secure application in Microsoft SharePoint to give only the doctors on the tumor board access to their patients' information.

Another important aspect of managing data in the cloud is data residency and data transfer, adds Shey. "If you have customer data of people from a particular country or region ... you'll see [General Data Protection Regulation] come into play, but specific countries may have their own data residency requirements where they'll want you to keep the data in country," she says.

"You need to know where data physically resides because the laws are different in different countries," agrees Global Data Strategy's Burbank. "Europe has more stringent rules about how to protect personal customer information than the U.S."

Other cloud management considerations

Data backup and recovery should be spelled out in a cloud provider's service-level agreement, and it is one of the key benefits they should offer, says Burbank. Those SLAs should include information about whether the provider has a failover site and where that failover site is located. "Another thing to think about is [whether] you can pick where those failovers are," she says.

Organizations should also think about the format of the data they manage in the cloud; it could be in a relational database, a flat file or email. If they have customer data stored in a high-volume data warehouse, they also need to think about whether they have the internal skills to manage it, Burbank says.

"If you're doing a lot of cleansing and management around the data, that's something to consider, and a lot of cloud technologies aren't as advanced" for those purposes, Burbank notes. "But if you have raw data that can scale and migrate easily, that's well-suited for cloud because there's not a lot of management required around it."

Skills needed to manage data in the cloud can be hard to come by since the technology is so new. The necessary skills will depend on whether the data is in a SaaS, PaaS or IaaS model, says IDC's Bond. At a technical level, IT staff may need to be familiar with internet technologies such as web services, SSL, secure FTP and RESTful APIs. They may also need to be familiar with IaaS architecture constructs such as virtual machines, object storage, availability zones and subnetworks, he says.

"At a business level, users will need to be aware of policies that govern where ... data is entered and maintained, and latency issues in data replication across multiple systems," Bond adds.

Plan for the unexpected

CHS's Danzi likens the cloud environment to the Masters Tournament in golf: a website can sit virtually unused for 10 months of the year and then for one month, "that thing gets hit like nobody's business." Likewise, he says, they found that some of CHS's "eager data scientists" just started running the R programming language to write models to study readmission risk, for example. Running those models costs money, and "the cloud is happy to give its resources for this, and the meter is running."

So the IAS group, with help from Azure, wrote scripts to shut the models down at night when compute wasn't needed. Cloud, Danzi says, is "like a balloon that expands and you have to tell it to let the air out, and it gives you the ability to write scripts to shut down servers. That's called elasticity, and you want to make sure your cloud vendor gives you elasticity up and down" so you pay for resources only when you're using them.

He also advises regulated organizations to have someone on board with good legal skills. "You have to make sure you have all your HIPAA compliance in place and good business associate agreements" with third-party service providers.

A lot of cloud vendors offer products like analytics and will provide benchmarking analysis for prospective customers, so Danzi says you need to make sure those vendors anonymize your data when they present it to peers in your industry so it's not obvious where it is coming from.

Another issue organizations might not think about is that if they write an algorithm on Azure, they might want to protect the intellectual property of that algorithm so it isn't used by others in the cloud, he says. "You're building the algorithm on common tools and common cloud-based technology next to everyone else's stuff, so you want to make sure you've got your IP protected."

Danzi believes all data will be hosted in the cloud in 15 years' time. While managing cloud data requires a lot of extra effort, he says it's worth it. "Although the new environment requires more constant vigilance, the juice is worth the squeeze because you get access to this absolutely amazing technology that expands as you grow, contracts when you don't use it and gives you all these advanced capabilities."


Copyright © 2017 IDG Communications, Inc.
