Loading ...

Private data and public compute | Interconnection Oriented Architecture Knowledge Base & Community

Posted in: All Community Discussions    IOA Knowledge Base Community

Private data and public compute

Subscribe to RSS
  • rmeyer

    Hello experts,

    I understand the value of AWS and Microsoft but being in a highly regulated industry (financial) means our data can't live in amazon. Do you have any specific examples of what other customers have done to deal with this issue?  If so, can you share any ROI or the like as basis for a business case?

    thanks in advance

  • rik.harris
    On 1/9/2018 9:12 AM, rmeyer said:

    being in a highly regulated industry (financial) means our data can't live in amazon.

    Perhaps the above statement deserves a little more nuance.

    Some thoughts:

    • Finance industry regulations vary by country. Some countries do mandate specific physical location of certain kinds of data, others do not. Some I'm aware of (e.g. Australia, Singapore) dictate that certain data must be in-country, but not necessarily that they must not be in a cloud.
    • Most mature organisations will have data classification policies and procedures which allows different treatment for different kinds of data. I'm aware of examples where banks operating in an otherwise quite restrictive regulatory environment have put many systems into cloud platforms (e.g. public web services are an obvious one).
    • Usually, regulations are based around non-technology concepts (e.g. "you must be able to prove within reasonable doubt who has access to the data", rather than "you must store your data on a SATA hard drive in a data centre you own"). If your auditors are sufficiently experienced and up-to-date, they are able to evaluate cloud-based environments as well as traditionally-hosted environments.
    • Some industries (e.g. healthcare) also have believed in the past that they could not use cloud due to regulation. Now, both Azure and AWS have customers who have passed HIIPA assessments.
    • Azure and AWS also have subsets of their services which have been assessed as compliant for federal government/military data which historically could not have been put into cloud platforms.
    • There are options for hybrid architectures which may suit some situations. For example, have data stored outside of the cloud, but processed inside a cloud - subsets of anonymised, redacted/tokenised or encrypted data. Depends greatly on the application.

    Bottom line: this industry moves quickly - you'll need to do the research for your specific situation before a blanket "we can't do cloud" is appropriate. Each of the major cloud providers makes reference architectures available and provides a lot of guidance on how their services can be used to deliver appropriate controls and protections (and pass relevant audits).

    Lastly, I would be wary about cost models or ROI calculators. It is extremely difficult to build apples-for-apples comparisons between very different operational models and many of the calculators are somewhat biased.

  • jpdoolin

    Great question! I definitely agree with Rik.Harris's comments around knowing the industry specific regulations around data governance and how your organization classifies different types of data/applications. Also, I would reiterate that technology and regulations are changing rapidly so the best long term architectures are the ones that allow flexibility in the future. 

    I work with a number of large financial and insurance customers, that want to take advantage of the on-demand nature of the public cloud, but have concerns with landing their data in a single cloud provider. Their concerns are usually because of 2 reasons,

    1. The company’s data security team is not comfortable with sensitive data sitting in a public cloud - either from a regulatory perspective or a organizational data security decision.
    2. The company wants to avoid single cloud lock in as much as possible because once large amounts of data is moved to the public cloud, it’s expensive and time consuming to move it out.

    We’ve worked with those enterprises on a hybrid solution that solves for those 2 concerns; placing your data/storage footprint in a cloud neutral location, and connecting it to compute resources in a public cloud. For this architecture to be successful in the majority of use cases, the connection between the storage and compute needs to "feel" like a high-speed LAN connection instead of a WAN connection – a direct, private, low latency, high throughput connectivity between the neutral data location and public cloud compute becomes a critical requirement. To achieve this we recommend placing your data footprint in cloud neutral data center that has 1) close proximity to the cloud provider(s) where your compute will be running and 2) private, high bandwidth connectivity options to the cloud provider(s).

    This hybrid architecture solves the 2 concerns around data listed above;

    1. The enterprise data lives under the domain and control of the enterprise and only uses the public cloud for processing
    2. Cloud lock in is avoided by storing data in a neutral location which enables the enterprise use multiple cloud providers for the compute environment

    Let me know if this makes sense or if you have any questions. Our team of solution architects can help you with a hybrid and data placement architecture that makes sense for your organization.

Page 1 of 1 (3 items)