(US & Canada) VIDEO | CDMC Framework Allows Businesses to Use Data Risk-Free — EDM Council Co-founder and COO

(US and Canada) EDM Council Co-founder and COO Mike Meriton speaks with Ricardo Crepaldi, Global Director of Data Foundation at BASF and CDO magazine Editorial Board Member, in a video interview about the inception of the CDMC framework, its six major components, and fourteen key controls. They also discuss how beneficial the framework can be for tech firms and companies.

At the onset, Meriton states that virtually every mid and upper-tier company is using one or more of the cloud companies available in the market, such as Microsoft Azure, Amazon Web Services, Google Cloud, or IBM. He explains that there are tremendous possibilities with cloud but pursuing cloud technologies has a combination of operational and business risks that need to be managed and protected to comply with jurisdictional laws such as GDPR or CCPA.

The topic of discussion, says Meriton, is how to pursue the cloud aggressively while protecting sensitive data with the right controls, and how to leverage an industry framework that all companies can use as a blueprint when navigating and executing cloud technology. Further, the focus will be on the major cloud companies that are building controls into their platforms to allow businesses to accelerate their trusted cloud adoption.

EDM Council is the global advocate for data and analytics management and professionals in such roles. Established 18 years ago in 2005, the organization has expanded into Europe, Africa, Asia, Australia, and the Americas with over 350 companies and representing 25,000 professionals.

Meriton believes in promoting data literacy and enabling organizations to drive data-driven culture through responsible data usage. He asserts that EDM Council advocates collaboration and is a non-profit organization that does not accept funding for any commercial positions. It works on tackling complicated topics such as how to implement cloud controls in a multi-cloud It also promotes the best practices, standards, training, research, and regulatory engagement.

Delving further, Meriton notes that the motivation for this work began when a group of companies, including Google, Morgan Stanley, and the London Stock Exchange approached the Council in March 2020. He recalls that the companies were creating a series of cloud data management principles that would protect sensitive data in the cloud and multi-cloud implementations. Google contributed to the effort by proposing a partnership with the council for building a common framework. Morgan Stanley donated its principles to the EDM Council and a working group was established.

This group has grown to include over a hundred companies and 300 subject matter experts across all major sectors, including representatives from Microsoft, IBM, Google, Amazon, Collibra, Snowflake, and Informatica. Following a series of 750 meetings over a year and a half and 45,000 hours of work, a framework was finally published on September 28, 2021, as a blueprint for companies to follow.

The 6 Major Components of the Comprehensive Data Management Control (CDMC) framework:

Moving forward, Meriton states that the Comprehensive Data Management Control (CDMC) framework consists of six major components:

  1. Governance and accountability
  2. Data cataloging and classification
  3. Setting up access and usage rights
  4. Data encryption and protection
  5. Managing data life-cycle
  6. Technical architecture for multi-cloud environments

The 14 Key Controls of the Comprehensive Data Management Control (CDMC) Framework include:

  1. Data control compliance
  2. Data ownership
  3. Authoritative data sourcing and provisioning points
  4. Data sovereignty and cross-border movement of sensitive data
  5. Data cataloging and classification
  6. Setting access and usage rights
  7. Data encryption and protection
  8. Knowing the purpose of data consumption
  9. Security controls
  10. Data privacy impact assessments
  11. Retention schedules
  12. Archiving and purging
  13. Measuring data quality
  14. Technical architecture for data lineage and cost metrics

These are all designed to adhere to jurisdictional laws protecting sensitive data. The key cloud companies Amazon, Microsoft, and Google have implemented these controls in their frameworks.

Additionally, Meriton believes that to protect against data risk, leakage, or any kind of cyber threats, all 14 of these controls must be used. He states that regardless of the industry or use cases, a company can protect its data and use it appropriately by using the listed controls. He sees the controls as a way to enable businesses to use data without risk, rather than a strategy to lock it down.

In continuation, Meriton expresses that a startlingly low amount of company data (10%) is present in the cloud. He explains that the sheer amount of data that needs to travel to the cloud to be available requires proper controls and risk management. To this end, he articulates that a framework of 14 reviewed and accepted controls has been promulgated to enable the transition of the 90% plus data that is yet to be shifted to the cloud.

Meriton confirms that all of the major cloud companies and many technology providers help build the necessary framework for data risk management and cloud data management. The council convened 50 members in a single room where product managers from Google, Azure, Microsoft, and AWS worked together to gain an understanding of the specific requirements of the various companies in attendance.

He notes that the framework was eventually published and the first company to implement it was Snowflake. They worked with KPMG, an independent auditing partner, to run the 14 controls into Azure, AWS, and Google Cloud Platforms. Furthermore, Snowflake made the controls available for anyone to download for free on the web.

AWS followed by announcing a configuration that leverages Glue, the AWS internal cataloging and classification capability. This was followed by Microsoft Azure's full native implementation using the governance platform, Purview. Microsoft rolled out the system to Azure customers worldwide.

Meriton expects that other cloud providers will also follow suit as these controls protect data and instill trust in use cases and confidence in the company. Furthermore, he explains the difference between what technology firms like Microsoft Azure and Google can do versus what companies can do related to their usage of the CDMC framework. Companies can download the framework, use it as a blueprint, and either do an assessment or hire an independent firm to audit and report gaps. After the initial gap assessment, companies should certify, which requires an independent partner to confirm that the operating environment is up and running.

Technology firms cannot set up governance and accountability programs, but they can certify that the technical control guidance is being followed. The EDM Council oversees the certification process for companies to become authorized partners and represent the framework, says Meriton. Being a global nonprofit organization, the council helps build the standard. There are 30-40 partners currently signed up and listed on the council’s website.

At an early stage, continues Meriton, companies can download the framework for free, and if they choose to go ahead with a formal assessment or certification, they must contact one of the authorized partners. The authorized partners have consultants who are duly trained and certified by the council. During the assessment, the partner firms review the implementation auditing against the framework and deliver a report to the end company.

According to Meriton, if the company wishes to be certified, it is shared with the council. Once the council verifies it comes from an authorized partner and the framework has been completely certified, a digital certification badge is issued which is valid for 12 months, similar to SOC 2 and ISO certifications.

Thereafter, he informs that there is a two-day training class offered by the council, and ultimately an assessment and certification may follow. Meriton expresses amazement at how many firms were involved in the open-loop collaboration and emphasizes the necessity of an organized cloud framework for successful implementation.

In conclusion, Meriton encourages companies to join the community of the EDM Council. He shares that in addition to cloud services, they also offer insights on ESG data, ROI for CDOs, and training programs.

CDO Magazine appreciates Mike Meriton for sharing his insights and success stories with our global community.
