@ekassner, http://www.linkedin.com/in/ekassner

Security in the cloud is as much about governance as it is about technology. That means your customers must learn how to play their role on the compliance, policy, and enforcement sides. For customers who are accustomed to traditional IT roles and positions of control in securing their on-premises systems, cloud security can take them out of their comfort zone.

That’s where partners come in. Security in the cloud is still a top concern among IT professionals, according to the 2017 RightScale State of the Cloud Report. It shares the distinction of being the #1 cloud challenge (along with lack of resources/expertise and managing cloud spend) cited by a whole quarter of respondents.

In our ebook Enterprise Cloud Strategy, my co-author Barry Briggs and I liken it to the concept of a bank 150 years ago. In a time when many people kept their cash under their mattresses, it became clear that money was much safer in a bank. A bank’s core mission is to ensure a high level of protection, with the added ability to invest far more funds and resources to guarantee the security of the assets. But cloud security differs from banks in an important way: as application and data owners, your customers must be active participants in their own security.

GRC in the Cloud

The need for governance, risk management, and compliance (GRC) persists in the cloud, and the cloud extends your customers’ existing GRC activities. This includes policy management, incident management, compliance monitoring, field auditing, and vendor management. Let’s face it, who wants to face those challenges on their own? This creates an important opportunity for partners to build long-term relationships by helping customers automate their best practices and GRC workflows, and to make those workflows more scalable in the cloud.

Consider that you are in the best position to understand the scope of the current cloud services in use within your customers’ organizations. You can provide better visibility and help them define policy. Understanding the cloud threat landscape creates a natural extension of your managed services to risk evaluation and mitigation.

The opportunity to deliver managed and IP services in the governance, risk management, and compliance space is huge. The Microsoft Cloud Practice Development Study, completed by MDC Research in June 2017, identified 486 partners worldwide as having an Enterprise Mobility and Security practice. Of the partners surveyed, those offering the more profitable managed and IP services for GRC include the following:

  • 26% of Microsoft partners worldwide provide policy recommendation and improvement as a managed service.
  • 26% of partners in the survey provided auditing, security and compliance assessments as managed services.
  • 22% provided auditing solutions as intellectual property offerings.
  • 18% provided auditing, security and compliance enablement as managed services.
  • 13% provided data classification and data governance as managed services.

Building a Cloud Security Practice

In our Security Practice Development Playbook, we talk about compliance as a managed service and your opportunity to help customers meet general compliance requirements by:

  1. Ensuring they are aware of how Customer Lockbox can help them meet compliance obligations for controlling data access by Microsoft support engineers.
  2. Enabling them with full audit tracking to monitor and investigate events related to their data.
  3. Reducing their cost and risk with in-place intelligent Advanced eDiscovery.
  4. Empowering them to efficiently perform risk assessment with Office 365 Service Assurance.
  5. Managing their data retention with Advanced Data Governance.

Managing regulatory compliance can be a complex and challenging task, especially for multinational organizations. It bears repeating that the new European privacy law, known as the General Data Protection Regulation (GDPR), takes effect in May 2018. The Security Practice Development Playbook provides excellent guidance on the opportunity that already exists to help customers prepare for the complexity and global impact of the new requirements for collecting, storing, and using personal information.

The GDPR Opportunity

As a partner, you have multiple opportunities to monetize GDPR, and the playbook provides recommendations for taking a platform approach and first steps to support your customers with GDPR compliance.

Microsoft provides a helpful tool for assessing a customer’s alignment to the new requirements, the GDPR Detailed Assessment. The assessment provides an IP Kit that partners can use to create or enhance go-to-market (GTM) GDPR offerings.

Finally, ensuring data governance and compliance requires unique skills. The Security Practice Development Playbook provides detailed information on the support roles to consider when building a cloud security practice. In particular, the Information Security Analyst and Data Protection Officer roles will be pivotal when managing your customers’ policy, risk, compliance, and audits.

For training in these specialized areas of security, our Massively Open Online Courses (MOOCs) include self-paced courses covering Azure Security and Compliance and Application Monitoring and Feedback Loops.

When it comes to protecting your customers, and preparing them for the ever-changing laws and regulations, Microsoft is here to help. Between your expertise and our resources and support, we will help enable your customers in their journey to the cloud.

How are you making the most of this opportunity? Share your thoughts with the Microsoft Partner Community here.