BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
A growing number of organizations are recognizing that business intelligence and analytics are critical components of the corporate information technology landscape. There are many success stories of companies that have invested a significant amount of effort -- and budget -- to design and build in-house data warehouse infrastructures, but many other companies are looking for simpler and/or lower-cost options for deploying a business intelligence and analytics service.
The emergence of adaptive, agile data warehousing platforms has simplified organizations' ability to envision, develop and deploy business intelligence and analytics services. Data warehouse automation tools have become popular, but some organizations are considering cloud-based platforms for instantiating and deploying their reporting and analytics applications.
Assess the cloud computing risks vs. potential rewards
Cloud-based data warehousing platforms provide a number of benefits. They not only reduce acquisition and development costs associated with home-brewed reporting and analytics systems, but they also reduce the complexity surrounding implementation and continued operations. This enables a much faster time-to-value of the analytics information.
At the same time, risk-averse management professionals may be hesitant to sign off on this approach. Migrating sensitive corporate data off-premises to cloud-based or platform as a service (PaaS) data warehouse providers raises big risk questions, including:
Security. When data is stored on-site, security officers can devise and enforce policies establishing perimeter security that protect data assets behind the firewall. These officers must be assured that the PaaS or cloud-based environment offers the enterprise the same level of breach protection.
Data protection. In the event a perimeter breach, what cloud-based data warehousing platforms are most vulnerable, and what steps are taken to prevent exposure of protected information?
Non-encapsulation. PaaS providers often deploy a single platform instance as a multi-tenancy that supports multiple clients' applications and corresponding data sets within the same data warehousing platform. Unless there are guarantees about encapsulating each client's data set, corporate data could be "cross-contaminated" with data from other clients' environments -- or vice versa.
Regulatory compliance. There are obvious questions about how cloud operations will ensure private information protection driven by directives, such as HIPAA and Graham-Leach-Bliley, or about the reliability of electronic records imposed by rules, such as 21 CFR Part 11. Companies also must ensure that there are no obstacles to developing mandatory reports, such as those required of companies operating in the finance and insurance industries.
Data access and business continuity. Data access and availability is important to support both regulatory reporting and the legal management of systems of record, especially when it's needed to respond to legal actions or information requests initiated during discovery procedures. When choosing a cloud computing service provider, companies must make sure the provider has instituted the proper measures to ensure continuity if there is a system failure or data loss.
Mitigating cloud computing risks
With so many cloud-based data warehousing vulnerabilities, it is a wonder that any organization would trust their applications to cloud vendors. Fortunately, the good cloud vendors and PaaS service providers have established best practices for data protection, encapsulation and regulatory compliance, and are necessarily forthright and transparent about their approaches to risk mitigation. Some examples of these best practices include:
Encapsulation. The vendor provides user authentication and authorization -- such as implementing role-based rules for access to discrete data sets -- to ensure that only users with valid credentials are able to access the system.
Physical and virtual system security. In most cases, the vendor will clearly outline the security, data protection, data replication, backup and archiving policies, and strategies employed by virtual environments' hosts, as well as the physical systems on which the virtualized environments are deployed.
Encryption. To combat data exposure in the event of a breach, encryption methods are used to prevent unauthorized viewing of data in place or in transit.
Certification. Companies should seek service providers who have been certified by industry consortia for oversight and internal governance, as well as risk management, such as the Service Organization Control certifications provided by the American Institute of CPAs. In addition, companies should make sure that their cloud host abides by the Safe Harbor Privacy Principles -- the EU Safe Harbor Framework -- agreed to by the United States and the European Union to protect European citizens' private data.
These are just a few of the activities that cloud vendors and data warehouse hosted service providers have performed to mitigate risk. Scrutinizing these and other approaches should provide some level of comfort that the cloud or PaaS vendor can adequately address your company's unique risk and compliance concerns.