Cloud Pioneer Tom Keane Urges Businesses to Take a Closer Look at Their Infrastructure Partners

Tom Keane is a technology leader with over 20 years of experience building and leading global engineering teams and high-performance business units. Throughout a 21-year career at Microsoft, where he served as corporate VP, head of global infrastructure, industry clouds, digital sovereignty, and Azure Space — Microsoft's cloud computing platform — Tom Keane played an instrumental role in driving global cloud adoption by helping businesses in a wide range of niches and industries migrate from legacy systems to fast, flexible, seamless, and customizable cloud-based offerings.


The growth of cloud computing has not been without its challenges, however, and Tom Keane — while still a strong proponent of the benefits of the cloud — urges business leaders to do their due diligence when it comes to launching new tech initiatives or undergoing cloud-based digital transformation. This is especially true for working with external vendors, third parties, and overseas partners. He says that a major concern for anyone using cloud services of any kind should be where and how operational data is stored, processed, accessed, and secured, and where and how mission-critical infrastructures are operated and maintained. Business leaders should ask themselves the following: What standards and safeguards are in place to protect sensitive data and systems? What sorts of vendor risk mitigation policies must I consider? What specific risks will my business be exposed to if I work with an outsourced infrastructure partner, and who are my partner's partners?

For a better understanding of how important the concepts of data sovereignty, data security, infrastructure reliability, and partner transparency are in the cloud computing space, it would help to take a step back to see how we got to where we are today.

Tom Keane's Perspective on the Global Impact of the Cloud

According to Tom Keane, in the early days of the cloud, many C-suite execs were wary of moving from in-house or on-premise servers and data centers to cloud-based models in which the location, physical access, security, and maintenance of critical infrastructure couldn't be as easily managed or guaranteed. However, the benefits of the cloud were too good to pass up. Before long, the ability to effortlessly tap into infinitely scalable computing power while lowering operational costs and shortening development times and times to market by adopting a cloud model helped the forward-thinking business leaders of two decades ago build an almost insurmountable digital lead over the competition.

Tom Keane says that in those early years, while building Microsoft's cloud offerings, there were many challenges he and his teams had to overcome in onboarding users and businesses. However, once they understood what they were getting from the cloud, building a blueprint for success was easy. For example, regarding the deployment of Azure in China — one of the first markets in which Azure was launched — Tom Keane says: "China is an incredibly complicated market because of the regulatory and compliance perspectives. It's also a very large market, and that required a lot of work for Microsoft to build our technology in such a way that it could work for Chinese customers and also work for our multinational customers like Coca-Cola, General Motors, Ford, and L'Oréal — all of whom do business in China."

Different laws apply in different locations and jurisdictions, and systems and products must comply with all applicable laws in any location and/or industry. For example, HIPAA sets the standard for the protection of sensitive patient health information in the United States, and the EU's General Data Protection Regulation (GDPR) is designed to give EU residents more control over their personal information, from how and where it's collected to how and where it can be used. This means it applies to all of the EU's 27 members, its more than 440 million inhabitants, and the businesses and corporate branches that operate there. Similar laws and standards exist in other areas and territories, such as Australia's Privacy Act, China's Personal Information Protection Law, Canada's Personal Information Protection and Electronic Documents Act, and so on.

But, what happens when a business in one country contracts with a vendor or provider in another country?

According to Keane: "There are many physical and infrastructure components that power cloud computing around the planet. This includes, among other things, data centers, computing resources, fiber optic cables, and — increasingly — space-based assets that form a global network. And the digital infrastructure that builds this network is owned by dozens of different companies and corporations, such as cloud providers who lease or own infrastructure, their vendors and suppliers, parts manufacturers, and so on. There's a whole variety of different ownership modalities, and as you build a digital infrastructure, often what you are really doing is assembling a set of suppliers."

In accordance with the GDPR, cloud services providers such as Microsoft are required to disclose the vendors, services providers, and third-party partners that have access to different types of Microsoft customer and client data. While Microsoft only permits these outsourced partners to perform the work Microsoft has retained them to perform and prohibits them from using that data for any other purpose, there may be enforcement gaps that allow those entities to store, analyze, sell, or perform other operations on that data (even if some of it may be anonymized) that would otherwise be unsafe or prohibited.

Generally speaking, Microsoft has three classification tiers for these kinds of subcontractors (officially referred to as "subprocessors"). The first are those that run integrated cloud technologies for Microsoft. The second includes ancillary service providers. The third are organizations that provide contract staff to Microsoft. While the vast majority of Microsoft's subprocessor partners are headquartered in the U.S., many are subsidiaries of international conglomerates where the parent companies are based everywhere from India and China to Ireland and Israel.

In addition to the above, Microsoft also operates a vast global data center network located across more than two dozen countries, including Chile, China, Finland, France, Germany, Hong Kong, the Republic of Korea, Qatar, Norway, Sweden, South Africa, and more. Ensuring data integrity and privacy and restricting access as needed while meeting the security and data sovereignty expectations of users and clients — many of whom operate with sensitive, high-value, or restricted data, such as financial institutions, health care services providers, and national defense/national security agencies — is a critical undertaking and an ongoing challenge.

Under the GDPR, while Microsoft is obligated to publish information on these subprocessors and inform new users and clients in advance of their first engagement with Microsoft and on an ongoing basis about them, finding this information can be exceedingly tricky. Even when users can find it, they often have little recourse in terms of preventive action or data safeguarding if a subprocessor is deemed by a user to be risky or untrustworthy.

Within this context, Tom Keane says it's clear that businesses such as Microsoft and others may have resources that they own and others that they lease, and they may have joint ventures or contracts and agreements of other kinds with different players worldwide. There's a whole variety of different elements to the equation, so it's critical that business leaders thoroughly vet their partners and understand who they are working with, who their partners work with, where everyone is located, and what standards, guidelines, best practices, laws, and regulatory frameworks apply to different parts of their overall cloud network and its infrastructure.

The world's cloud infrastructures are critical to the safe and continuous operation of countless mission-critical services and capabilities, from health care and power generation to national security and defense. With its all-encompassing global footprint, massive attack surface, and changes and challenges on the geopolitical and cyber-warfare fronts, the global cloud can be as big a vulnerability as it is an asset — but only if we don't address issues pertaining to the security, reliability, transparency, processes, and standards of our infrastructure partners.

The issue is a global one that impacts millions of users every day in every imaginable industry and business line. The extraordinary success of the cloud in the modern world is what's transformed it from a fancy new tech idea to a competitive must-have. However, according to Tom Keane, the data sovereignty and privacy concerns of the cloud — not to mention risks and concerns pertaining to vendors and third-party partners — have yet to be fully addressed.

Tom Keane on Vendor Risk Management

This is where vendor risk management comes in. VRM is a risk management discipline that helps businesses identify and mitigate the risks associated with vendors, partners, suppliers, and other stakeholders. It provides users with visibility into the different entities they work with so that they can evaluate everything from financial security and operational risks to compliance with workplace safety standards and environmental, social, and governance (ESG) issues.

VRM is a rapidly changing field, and businesses face different challenges in the areas of security, privacy, compliance, and business continuity every day. Consequently, every business will have its own unique VRM plan based on its size, its industry, where it operates, the laws in those areas, and more. With the right VRM policies, companies can save money, improve efficiency, lower risks, eliminate vulnerabilities, improve vendor/supplier/partner onboarding, and streamline access to the right tools for the right people at the right time.

In general, VRM should be used by businesses to help hold vendors accountable to their contracts; reduce spending by pinpointing redundant parties and/or processes; ensure compliance with applicable regulations and requirements; understand data flows and data/resource access, and deliver on commitments to data sovereignty and privacy; and improve the overall security of their infrastructure.

Industry experts such as Keane recommend business leaders take the lead in VRM by first defining their risk appetite and then managing risks down to the product, service, or vendor level. There are many industry-specific control frameworks and assessment standards that can be used for this (such as HITRUST for health care and HECVAT for higher education); these should be chosen based on the industry in question and the types of risks that are most important to the organization. Vendors can then be categorized based on their criticality, and various risk assessment and mitigation solutions can be used to iteratively enhance the security of all parties and processes.

The first thing recommended by Keane is to identify the risks you care about. Are you worried most about strategic risk, which evaluates how well your vendor's strategy aligns with yours? What about cybersecurity, financial, compliance, or geographic risks? How difficult would it be to replace a given vendor (replacement risk), and what kinds of business continuity and operational risks do your vendors expose you to? Are there any reputational risks to think about? What about worker safety/welfare and environmental concerns, such as only contracting with green suppliers or operating in regions that ban child labor and don't have any human rights violations?

According to Keane, one of the challenges here is a lack of transparency and standards for cloud operations that transcend industries, countries, and use cases. Since the global cloud is made up of so many interrelated players operating from everywhere in the world, how can a business make sure that its data, systems, and infrastructure meet the standards, address the risks, and have the security and compliance they need?

While industry- and location-specific standards are a good start, vendor risk assessments can help until a seamless and comprehensive set of standards that can be used by anyone, anywhere, for any use case is developed for the tangled web that is the global cloud. With effective vendor risk management and risk assessments, however, businesses using the cloud can enjoy cost savings, increased security, better consumer trust, improved vendor transparency, and lower risk — all in the different flavors, variations, and amounts needed by the countless businesses and entities around the world that rely on the cloud for safe, fast, and reliable operations.

Final Thoughts

Outsourcing cloud, digital, and tech infrastructures and working with specialized partners and providers offers many advantages. Businesses can access more agile, faster, and more reliable resources while benefiting from professional support. This can help reduce capital expenditures, optimize processes, and reduce the costs associated with owning and operating fully fledged infrastructures such as data centers. However, doing this also carries certain risks. There's a risk that providers may not perform as expected, resulting in service interruptions, data loss, or security breaches. There are also risks associated with an overreliance on a given service provider, which could make it difficult for businesses to switch providers if needed.

A lack of governance and standards around data, processes, and partners in cloud computing presents other risks and challenges to today's businesses. For example, overseas data centers may be cheaper, but data stored outside the home country may mean that a foreign government can access that data without the owner's knowledge or consent. Businesses may also be subject to foreign laws and regulations they may not have considered when storing their data overseas. Data stored in overseas data centers may be physically accessed or compromised by malicious actors or natural disasters, and a larger attack surface can expose businesses to all manner of cyberattacks.

Organizations must enact the proper risk identification, assessment, and mitigation policies for their partners, vendors, and collaborators. This includes well-defined policies and processes around data storage, access, and security, as well as plans for responding to attacks or data breaches. Clear and comprehensive contracts and high provider reputability are also important. Finally, organizations must ensure they are aware of the data sovereignty regulations relevant to their business and that they are compliant with those regulations.

While there's no going back to the old days when businesses could effectively operate in relative isolation from others for years on end, the future is bright. With the wide availability of effective cloud services such as those built by Keane and Microsoft, today's businesses have access to resources and capabilities that businesses from just a few decades ago could not even imagine. There are risks, of course, but with the right VRM processes in place and with proactive approaches in the areas of vendor and partner assessment and risk mitigation, Tom Keane says businesses can securely and confidently continue to grow and innovate and improve offerings year after year.