ombegov / cloud.cio.gov

Federal Cloud Computing Strategy Website

Public comment from Veritas Technologies LLC #25

Open OMBPublicComments opened 5 years ago

OMBPublicComments commented 5 years ago

Comments on the Proposed Cloud Smart Strategy
Submitted by Veritas Technologies LLC

Thank you for the opportunity to provide comments on the proposed Cloud Smart Strategy. As a leading provider of data management, information governance, business continuity and storage management solutions, we look forward to working with you. The proposed strategy offers four primary areas for further exploration: defining cloud, security, procurement, and workforce. While we have strong interest in all of the areas identified, we will focus our comments on the first three, believing these are most critical to understanding how a company such as Veritas can assist the government in the development and implementation of its cloud strategy.

General Comments / Defining Cloud

The challenges of cloud adoption are exacerbated by the fact that most organizations plan to use multiple public clouds in addition to on-premises private and non-cloud infrastructures. In this “hybrid, multi-cloud” approach, data management is a critical success factor. Implementing a healthy data posture before migrating to the cloud is a foundational best practice. Without proper data management strategies, a multi-cloud environment can quickly become just another silo, compounding costs and risks.

In the list of proposed CIO Council Actions, #15 indicates that OMB will be providing “direction to agencies to improve the security and visibility for information systems and data managed in the cloud, beginning with the incorporation of requirements set forth in the updated High Value Asset policy.” Veritas encourages OMB to go beyond the updated HVA policy, and issue guidance to the agencies on the importance of data management for successful cloud migrations. Such policy should include the following data management concepts.

The Cloud Smart strategy should sync with the data governance requirements in the Federal Data Strategy for agencies to have a comprehensive view of their data.
The draft plan highlights the importance of continuous data protection and awareness. It aptly describes the agency as the “custodian of its data on behalf of the public.” This is an excellent reminder of the great responsibility agencies have to protect and secure data in all of their environments. This is no easy task. Cloud migrations only make this more complicated. The strategy seems to suggest that agencies are to create a data governance plan for their cloud-hosted data only. In this age of hybrid multi-cloud, data governance in isolation is insufficient. Before you can make decisions on what to move to the cloud, you must better understand your data inventory. Unfortunately, research shows that this is not often the case. Veritas’ 2016 Global Databerg Report finds that 52% of data in an organization is dark data, 32% is redundant, obsolete, or trivial (ROT), and just 15% of data is used by the organization to operate. Migrating data that has virtually no use for the business can result in paying for more storage than is necessary. Having visibility into data with limited value means that decisions can be made to remove it, or store it on second or third tier, low cost storage, avoiding first tier cloud storage and egress costs. Only after you have identified what data exists, how it is classified and protected, how it is being used, who owns it and who has access to it can you make a fair determination of how or if to make that data available. The quicker you can conduct these data inventories, the quicker you can make these important determinations and the more effective your data center consolidation activities will be. Therefore, agencies should be required to develop an enterprise data governance strategy for all of their data and this concept should be reflected both in the proposed Cloud Smart strategy and the forthcoming update to the data center optimization policy. 
Technology exists that allows for greater visibility into data, including data stored in the cloud or legacy systems. These tools allow organizations to visualize their data, not only the typical metadata information, but important details like true ownership, categorization and disposition. Being able to see, understand and categorize your data is the key to using your data for analytics and machine learning. Further, these tools support automated, policy-driven decisions for moving data to the appropriate type of storage solution, based on the type of data, leading to cost reduction through storage analysis and optimization.

The Cloud Smart strategy should emphasize the need for data classification prior to cloud migration. Routine requests for information, such as an audit, FOIA request, or eDiscovery often become time-sensitive and high-stakes search and retrieval efforts. Fragmented data environments, across multiple cloud infrastructures, further complicate this process. Blindly moving dark data to the cloud can quickly become a compliance nightmare. Therefore, any data governance strategy for cloud migrations must include data classification technology. The ability to classify data solves a critical problem; the rapid growth of unstructured data exposes organizations to potentially harmful personally identifiable information leaks. Classification technology lets organizations quickly scan and tag data to ensure sensitive or risky information is properly managed and protected. This reduces the risk of data leakage and supports an enterprise approach to data governance based on prepackaged and in-house developed policies and machine learning capabilities. Further, classification tools enable administrators to infuse data archives with intelligence by reclassifying all of their existing content with consistent patterns and policies delivered from an automated data classification process.
These solutions align classification tags with retention policies to ensure that all critical data is managed appropriately and support the defensible deletion of data ROT within the normal course of operations. Enhanced classification capabilities provide the foundation for accelerated access to your most important data by making it easier to search for content using tags and expediting the process of responding to discovery or information requests to address compliance regulations. Integrating technologies for automated data classification, along with proactive, defensible and ongoing policy enforcement against common retention requirements, drastically increases the speed, accuracy and efficiency of eDiscovery and other information requests. All of these actions should be tied together to ensure an effective data governance strategy.

The Cloud Smart strategy should address the need for data protection in the cloud and the migrations from the cloud to another platform, including other commercial clouds and privately managed infrastructure in a data center to avoid vendor lock-in and support disaster recovery requirements. As workloads move to the cloud, agencies must consider how data will be protected, and whether it makes sense to unify data protection under a platform- and cloud-independent solution. Cloud providers offer built-in snapshot technology that can replicate data across cloud zones and geographic regions. Snapshots and replication are data protection components, not its replacement, especially in a hybrid, multi-cloud environment. Further, cloud service providers often include blanket statements in terms and conditions, placing the onus for data encryption and backup on their customers. Therefore, it is up to the agency to implement a robust data protection strategy. There are considerable efficiencies to be gained with a unified data protection platform that protects workloads across all environments.
Independent and disparate point products have a higher total cost of ownership and their lack of integration dramatically complicates operations. Research also shows that most organizations do not give sufficient thought to how they would fail back from the cloud or change providers. The motivation for a multi-cloud strategy is to take advantage of best-of-breed cloud services, avoid cloud lock-in, and to have an insurance policy against cloud failure. The ability to reliably move and orchestrate workloads across a heterogeneous IT landscape is necessary in a hybrid, multi-cloud environment. Agency priorities fluctuate over time and may require an organization to move workloads between environments for compliance reasons. Given rising storage and egress costs of data, it becomes even more important to be able to move applications and data between clouds for financial flexibility. Organizations need agility. Enterprise data management provides this by establishing the data ownership and application portability necessary to exit a cloud. Cloud outages occur. So, a multi-cloud strategy is not only prudent, but must include the ability to migrate data and workloads TO the cloud of choice, and also WITHIN zones and regions associated with that cloud for the purposes of disaster recovery (DR). Further, the ability to test the DR strategy without disrupting the existing IT infrastructure is critically important.

Security

Among the key requirements in the security section is that agencies should “transition to security and protections at the data layer instead of the network…as well as improve the governance systems.” Critical within this point is effective data management, including the management of data hosted in the cloud. Once data is created, it must be governed. Equally important, the data must be protected and kept secure. These activities make it possible for data to be available when it is needed.
Organizations today struggle with gaining visibility and insight into their data, specifically unstructured data. This type of data — including emails, documents and image files — exposes organizations to potentially harmful security vulnerabilities and unintended PII leaks. The storage and maintenance of the non-essential data becomes a huge drag on budgets. Further, agencies routinely express concerns about retention schedules and the need to understand their compliance risks. Whether the regulations are medical, personal or financial, compliance is often reduced to a continuous process of reacting to new rules. In order to make determinations around the availability of sensitive and high value data, it is important to focus on enhancement of security and privacy controls, while encouraging agencies to implement modern architectures. Technology that will help streamline the process of quickly determining what data is sensitive is key to providing protection and allowing for possible availability and use. Organizations should be able to quickly scan and tag data to ensure that sensitive or risky information is properly managed and protected. There is a need for broad visibility into PII so that agencies can meet compliance regulations that require discrete retention policies be implemented and enforced across the organization’s entire data estate – regardless of where that data lives. The data governance activities reflected in Cloud Smart should reflect these priorities. Technologies exist to search across an organization and execute policy-based actions that help enterprises appropriately store, retain and delete this data. These tools include pre-configured patterns that provide for recognition of credit card and social security numbers, medical records and other PII. They also come pre-loaded with policies for GDPR, HIPAA, Sarbanes-Oxley and other regulations to accelerate compliance readiness.
Additional features can include dictionaries that identify risky keywords that suggest improprieties, as well as confidence-scoring and quality assurance tools to minimize false positives. There are additional technologies that deliver risk analytics by triangulating insights from content classification, metadata analytics and user behavior to quickly uncover potential bad actors or malicious activities. By calculating a “User Risk Score”, these tools can serve as a first line of defense for identifying suspicious activity and initiating remediation efforts to keep sensitive files protected. By incorporating deep learning technologies to correlate risk scores with other file attributes, administrators can hunt for an organization's most sensitive files and recommend next steps. When artificial intelligence is used to prioritize how the files are scanned, these tools can quickly process petabytes of data to make it visible. Data visibility tools are increasingly valuable when applied to security and compliance teams. These groups can leverage advanced analytics capabilities, robust data permissions, and access policies to more effectively identify PII and help detect ransomware attempts. This range of functionality makes data visibility a key component of any organization's hybrid and multi-cloud data management portfolio. These activities will also help agencies determine what sensitive data can be made available for use, perhaps in redacted or anonymized fashion, and what data must remain locked down. Further, this level of data visibility is necessary for the proposed Service Level Agreements (SLA) to provide the agency with continuous awareness of the confidentiality, security, and availability of its data when a cloud solution is deployed by a vendor.
Any data governance strategy for cloud-hosted data should emphasize the need for agencies to procure and deploy technologies such as those described above that can find sensitive data and quickly scan, tag and ultimately protect sensitive information. These same technologies can support agencies in processing log data from third-party information systems in the event that a cyber-incident or other adverse event occurs when data resides on third-party information systems.

Procurement – Category Management

The Procurement section of Cloud Smart discusses how there has been a lack of consistent government-wide guidance and sharing of best practices. This has led to agencies having to search across multiple sources to gain an understanding of what types of cloud services are available. The proposed cloud information center, as well as the category management program, help to address this. The Federal Information Technology Acquisition Reform Act (FITARA) Schedule 70 Enhancement Program is a logical starting point for a discussion of how agencies can begin to more effectively leverage their collective buying power. As part of this program, the U.S. General Services Administration (GSA) negotiated a new, government-wide enterprise software acquisition agreement with multiple technology vendors, including Veritas Technologies for Enterprise Data Governance and Multi-Cloud Data Management. Utilizing Best in Class (BIC) contracts, such as this, is a best practice. When combined with the proposed cloud information center, it is an effective starting point for a consistent approach to the acquisition of new technologies. The Cloud Smart strategy also proposes to potentially develop new cloud schedules. What is discussed herein could serve as a model.

Conclusion

The Cloud Smart strategy reflects the maturation of federal IT thinking on cloud.
Veritas strongly encourages the Cloud Smart and the Federal Data Strategy teams to work together to ensure agencies focus on proper governance, compliance and portability for our data. In the end, cloud, like all technologies in government, is a mission support tool and the mission always relies on data. Cloud migrations and data management are intrinsically linked and we must treat them that way.