What to consider when building a Hybrid Cloud Governance Strategy

Secure Hybrid Cloud

There is no doubt that enterprise IT has changed forever over the last two to three years. Even companies that had a “not on cloud” strategy are being forced to reassess, given the economics and ROI that public cloud brings.

Enterprise IT finds itself in a position where it has to deal with information silos that can be not only on public cloud services such as Google Drive and Office 365, but also on services such as BaseCamp, SalesForce, and the many other SaaS services that store content.

Coupled with this are ‘Shadow IT’ and ‘Bring your Own Cloud’, through which company content can easily find its way onto users’ personal devices and consumer clouds.

One way to deal with this is to consider not only options such as MDM/BYOD, but also categorizing information and deciding whether it can be disseminated publicly, stored on cloud, or whether it is deemed sensitive and needs to be stored behind the corporate firewall while still being part of an integrated cloud deployment topology.

This type of strategy is often referred to as hybrid cloud, and the purpose of this post is to look at what should be considered when building a hybrid cloud strategy.

  • Firstly, any policy implemented should not be too complex and should be as transparent as possible to users, or you will find they will not use it and may actively seek to work around it.
  • Understanding the certification and policy frameworks of any IaaS services that are used also helps in understanding what type of information can be stored there. Do they support PCI DSS? At what level? What is required? Both Amazon and Microsoft have good policy documentation for their Elastic Compute and Azure services. Other SaaS services such as SalesForce offer similar transparency with regard to security and legislative compliance. These policies and compliance certifications need to be understood in order to decide whether, where, and which types of information can be stored on cloud.
  • It is also important to know the details of these policies from an Operational Risk Management standpoint. Risk is the possibility that an event will occur that could detrimentally affect the achievement of objectives, so it is key to understand such risks.

    Companies already have established policies, encompassing IT, for initiatives such as Basel II or SOX, and cloud risk and cloud use need to be factored into these. In terms of deployment models, private cloud can be thought of as the lowest-risk cloud deployment model, whereas public cloud can be considered the highest-risk deployment model, with hybrid deployments sitting between the two.

  • Check all public cloud services to be used to validate that they are not susceptible to recent, well-documented vulnerabilities such as POODLE, Shellshock, FREAK, etc. This can be done using a variety of online tests, such as the one from Qualys.
  • Document and understand the data, storage, and application services that are used internally and that may be used on cloud; categorize who may access or store information and what types of information may be stored. Grade each service with regard to security and access.
  • Consider protecting all information stored on public cloud by encrypting each file before it is stored on the remote IaaS infrastructure. For example, such encryption functionality is part of the Storage Made Easy EFSS Cloud Control Gateway and can be used to encrypt data on remote SaaS services such as Box, Dropbox, Google Drive, Office 365, SharePoint, etc. Encryption options should be considered as part of a published hybrid cloud security model, which may also incorporate using a VPN to build a virtual private cloud, extending organizational trust boundaries.
  • Don’t treat each data storage point as a silo. If it is used by employees, it should be part of a consistent framework of use. Companies need to consider how to build hybrid data governance across enterprise data silos. Doing so will define a cohesive set of parameters for data management and data usage, as well as the ability to create governance processes for a company’s internal use, public cloud use, and supply chain, which ultimately leads to information assets that are well managed and secure.
  • Set policies for data access and persistence and enforce them through common tools. For employee sharing of data through tools such as email, make it easy, but also set policies that can define, for example, expiry time and password protection.
  • Knowledge is power. Ensure that the hybrid cloud framework can not only protect you but also inform you. Auditing of all private and public cloud data access, data download, and data sharing should be available on demand, be able to be integrated into existing BAM (Business Activity Monitoring) frameworks, and be easily available to compliance officers for inspection.
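The categorization, encrypt-before-upload, and audit points above fit together in a single gateway rule. The following is an added example, not code from this post or from the Storage Made Easy product: a hypothetical gateway that refuses to place sensitive files on public cloud, encrypts everything else with AES-256-GCM under a key the enterprise holds (the provider never sees it), and returns an audit line for each decision. The classification tiers and audit-line format are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Class int // classification tiers named in the post (assumed names)
const (
	Public         Class = iota // may be disseminated freely
	CloudPermitted              // may live on public cloud, but only encrypted
	Sensitive                   // stays behind the corporate firewall
)
type Gateway struct{ aead cipher.AEAD } // wraps the enterprise-held key; the provider never sees it
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead}, err
}
// Seal encrypts a file before upload, prefixing the random nonce so Open can recover it.
func (g *Gateway) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Open reverses Seal; a tampered or truncated blob fails GCM authentication.
func (g *Gateway) Open(blob []byte) ([]byte, error) {
	if n := g.aead.NonceSize(); len(blob) >= n {
		return g.aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob too short")
}
// ToPublicCloud refuses sensitive files, encrypts the rest, and returns an audit line.
func (g *Gateway) ToPublicCloud(name string, c Class, data []byte) ([]byte, string, error) {
	if c == Sensitive {
		return nil, "DENY file=" + name + " class=sensitive", fmt.Errorf("policy: %s is sensitive", name)
	}
	blob, err := g.Seal(data)
	if err != nil {
		return nil, "", err
	}
	return blob, fmt.Sprintf("ALLOW file=%s class=%d encrypted=true", name, c), nil
}
```

The audit lines are what a compliance officer or BAM integration would consume; the ciphertext blob is what actually reaches the SaaS provider.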


This post gives an overview of some of the things to consider when implementing a hybrid cloud strategy. Much of this, and more, is covered in the various site pages and white papers at Storage Made Easy, where we provide a hybrid cloud and security solution for connecting up data silos, so feel free to visit for further information.
