“Better security is not just about saying no and slowing things down. It can really accelerate the business.” – Nong Li, Co-founder and CEO of Okera
It seems that more and more firms across industries are embracing cloud technologies to advance digital transformation, but racing to keep up in an increasingly hybrid and competitive world is not without challenges. In fact, most enterprises face a process fraught with data security and privacy perils. While they may understand data management, applying it to systems enterprise-wide is a monumental undertaking.
To address this issue, the EDM Council brought together 100 top organizations. After 45,000 hours of collaboration among leading cloud providers, Fortune 100 companies, and regulatory bodies worldwide, September 2021 brought the launch of the Cloud Data Management Capabilities Framework (CDMC).
As the Co-founder and COO of the EDM Council, Mike Meriton shared in his keynote at Airside LIVE that the CDMC is a playbook “every company in the world can download and access to help accelerate their cloud journey.”
The Need for CDMC
Companies today aren’t just moving to the cloud. The Flexera 2022 State of the Cloud report found that 89% of organizations use a multi-cloud strategy, with most (80%) taking a hybrid approach with both public and private clouds. As one might expect, this added layer of complexity brings unique data management challenges. Meriton raised just a few:
- How do you get the data catalogs of two different cloud companies to work together and exchange metadata?
- When you do business in 30 jurisdictions across the world, how do you keep up with the laws and meet the regulatory demands of each locale?
- How do you put in the right controls, processes, and procedures across on-prem, private clouds, and multiple public clouds?
This list could go on for miles, which is exactly what drove the creation of the CDMC.
The CDMC Framework
According to Meriton, the group’s objective is “to create a standard framework for all companies to evaluate and implement the right controls in a hybrid cloud environment.” He describes the outcome as “a series of principles for protecting sensitive data and a series of controls that can be implemented in the cloud to allow [companies] to move faster to accelerate their journey without taking reputational or business risk.”
The framework sets out a foundation of six data management components that organizations must establish to manage data responsibly and comply with applicable regulatory entities:
These six components are further broken down into 14 capabilities and 37 sub-capabilities. Altogether, they define practical goals for data management and set the operational requirements for sustainable cloud data management.
CDMC is not a “how to do it” framework but a “what to do” framework. Meriton goes on to explain: “The 14 key controls specified by CDMC are the global recommendations of what is needed for good hygiene and protecting sensitive data. It does not dictate their coding and their ingenuity on how to solve this [but provides] a common set of requirements.” From there, organizations can use open source tests or engage Big Four consulting firms to help them through the process, as EDM Council member Snowflake did.
How Snowflake Proved CDMC Would Work
What makes CDMC a sustainable framework is that it’s built to stand up to an audit process. As large-scale audit firms helped structure this framework, it meets the same rigor as the SOC 2 or ISO audits they regularly perform.
Snowflake saw the opportunity CDMC presented for their customers. CTO Jonathan Sander shared, “[Customers are] often blocked from moving some of their most sensitive information into a platform like Snowflake. And it’s not because Snowflake is lacking in its security and governance capabilities. It’s because, typically, the cloud represents a new kind of environment for these organizations…And so, they needed a way to have controls that were possible to deliver in the cloud. That’s why Snowflake got involved with this…Our customers were screaming for it.”
To build confidence in the CDMC framework, the Snowflake team built an environment based on Snowflake across Amazon, Microsoft, and Google clouds and replicated data between all of them. Sander shared, “We created the hardest possible circumstances to test on. We created an environment that had realistic data – not real data, [we’re] not crazy. And then we ran all of these controls along with (partner) Alation and produced what would be a realistic environment.”
They then had KPMG independently assess the test environment and establish that Snowflake delivered on the 14 controls. Watch the session to learn more about Snowflake’s journey and find links to valuable GitHub assets from Sander’s CDMC project.
As Okera is on the front line of data security and governance and can play a role in several controls in the CDMC framework, Co-founder and CEO Nong Li shares valuable advice for companies looking to get started.
Given their clients have massive data platforms, multiple departments, and a multitude of use cases, integrating technology adoption with people and processes can be a challenge. Li suggests completing one use case that captures all of those controls so “you can see the whole thing work end to end — one department, one use case, one team. And from there, take all those learnings, and you can really roll things out very quickly.”
And for companies concerned about resources, it’s crucial to develop a persuasive business case. As Sander puts it, “When the business case is clear, the taps open and resources appear.”
To accelerate your journey to a hybrid cloud environment, you can download the CDMC framework. And if you want to watch the full session first to learn more (and there’s definitely more!), watch the session.