When to move sensitive data to cloud and how to select which cloud?

“Cloudification” has become a hot, problematic and trending topic in recent years. A fast-growing portfolio of cloud providers, services and infrastructure offerings, a variety of options and available packages for customers, combined with prices attractivity has pushed many companies’ to consider putting their infrastructure components, services and their data in to the cloud. Risk analysis of these strategies are a mandatory prerequisite. It is fundamental to choose the most secure option for safe data collection should be based on a risk assessment of entrusting corporate data to third-party providers and study of cloud provider security controls.

The responsibility lies with the Chief Information Security Officer (CISO) and their team. A CISO is usually supported by a Data Protection Officer (DPO). As a team, they need to ensure that all compliance regulations are met and corporate security controls are applied to reduce or mitigate recognized risks.

For many industries, there is a list of criteria which need to be considered when talking about moving into cloud direction., These include local/regional/national regulations, location of cloud data center, data privilege access, data classification, data leakage protection measures, data encryption or secure data exchange methods between on-premises and cloud storage, and methods of reporting the status of security controls. Swiss banks, for instance, have strict regulations on how to store banking data within the country’s borders.

Nowadays, the leading cloud vendors provide well-defined compliance statements, explaining methods of data storage, encryption and vendor access procedures, while also providing several features and services for securing data exchange and user connections. CISOs and their teams have an easier path to conduct a proper risk analysis, which lists the options included in the license packages from cloud vendors to mitigate some of the risks. Furthermore, such vendors, directly or through their partners, are willing to help CISOs participate in such security assessments. Based on their legal obligation and company goals, CISOs can perform extremely deep and detailed assessments.

Based on the above statements, the question posed in the title of this article title might be rephrased as: “Are we ready to move your sensitive data to the cloud?”. To evaluate your readiness, your security team should first ensure that your organizational processes related to data protection are:

• Valid
• Address our firm’s goals
• Aligned with compliance regulations
• Enforced well within the organization

That raises the question, “Are your employees following your company’s data protection rules?”.

It is obvious that even the most tailored procedures and technical solutions will fail if your users don’t follow regulations and procedures. To avoid this situation, you must ensure that they undergo a series of continuous training sessions on a regular basis.

The next crucial step is to ensure that your employees know the company’s data classification methods. CISOs are obligated to verify if data protection processes are well prepared and if the description of each classification level is clear to everybody. Here are a few questions you should ask yourself:

• Do my employees know how to classify a document on which they are working?
• Are they aware of the thresholds determining classification of document as “Public” or “Restricted” or under a higher classification rank?
• In case of any doubt, do they know whom to contact for clarification?

To support your data protection strategy, technologies like Data Loss Prevention (DLP), a Data Classification (DC), Cloud Access Security Brokers (CASB), can support the classification process. They can suggest a proper classification level to your employees or decide for them based on document content.

Once you have an optimal data classification strategy supported by any of the tools mentioned above, you must decide on which types of data might be, should be and should never be uploaded to the cloud. The analysis should also cover a case in which a sensitive file is already in the cloud. You must define how the access to the file should look like, how the file can be shared externally or how we can remediate any compromised data. Here again, the data protection process supported by DLP measures becomes crucial.

A visibility study of your organization’s document workflows is a great input for defining the required document workflows and recognizing the risky ones. Based on its results, the DLP/CASB solution can offer granularity in use case separation and differentiation based on data classification level and user types.

Using the capabilities described above, your organization can perfectly keep a close eye on how your data is used and exchanged — and react if data is being misused or transferred improperly. As an output of DLP controls, properly formed Security Operation Center (SOC) processes can easily detect and investigate each risky misuse of data in the customer environment.

Based on gaining maturity of your DLP project, DLP/CASB deployment should evolve along with the changing needs of your organization, legal requirements and new DLP/CASB capabilities. Thanks to DLP/CASB technology support, CISOs can be confident that data protection processes are fulfilled. All major DLP/CASB solutions offer prompts mechanisms which can be incorporated into the user education process.