When to move sensitive data to cloud and how to select which cloud?
“Cloudification” has become a hot, problematic and trending topic in recent years. A fast-growing portfolio of cloud providers, services and infrastructure offerings, a variety of options and available packages for customers, combined with prices attractivity has pushed many companies’ to consider putting their infrastructure components, services and their data in to the cloud. Risk analysis of these strategies are a mandatory prerequisite. It is fundamental to choose the most secure option for safe data collection should be based on a risk assessment of entrusting corporate data to third-party providers and study of cloud provider security controls.
Who should decide where and how to move?
The responsibility lies with the Chief Information Security Officer (CISO) and their team. A CISO is usually supported by a Data Protection Officer (DPO). As a team, they need to ensure that all compliance regulations are met and corporate security controls are applied to reduce or mitigate recognized risks.
For many industries, there is a list of criteria which need to be considered when talking about moving into cloud direction., These include local/regional/national regulations, location of cloud data center, data privilege access, data classification, data leakage protection measures, data encryption or secure data exchange methods between on-premises and cloud storage, and methods of reporting the status of security controls. Swiss banks, for instance, have strict regulations on how to store banking data within the country’s borders.
Managing compliance requirements
Nowadays, the leading cloud vendors provide well-defined compliance statements, explaining methods of data storage, encryption and vendor access procedures, while also providing several features and services for securing data exchange and user connections. CISOs and their teams have an easier path to conduct a proper risk analysis, which lists the options included in the license packages from cloud vendors to mitigate some of the risks. Furthermore, such vendors, directly or through their partners, are willing to help CISOs participate in such security assessments. Based on their legal obligation and company goals, CISOs can perform extremely deep and detailed assessments.
Evaluating your readiness
Based on the above statements, the question posed in the title of this article title might be rephrased as: “Are we ready to move your sensitive data to the cloud?”. To evaluate your readiness, your security team should first ensure that your organizational processes related to data protection are:
- Address our firm’s goals
- Aligned with compliance regulations
- Enforced well within the organization
That raises the question, “Are your employees following your company’s data protection rules?”.
It is obvious that even the most tailored procedures and technical solutions will fail if your users don’t follow regulations and procedures. To avoid this situation, you must ensure that they undergo a series of continuous training sessions on a regular basis.
The next crucial step is to ensure that your employees know the company’s data classification methods. CISOs are obligated to verify if data protection processes are well prepared and if the description of each classification level is clear to everybody. Here are a few questions you should ask yourself:
- Do my employees know how to classify a document on which they are working?
- Are they aware of the thresholds determining classification of document as “Public” or “Restricted” or under a higher classification rank?
- In case of any doubt, do they know whom to contact for clarification?
The tools for data protection
To support your data protection strategy, technologies like Data Loss Prevention (DLP), a Data Classification (DC), Cloud Access Security Brokers (CASB), can support the classification process. They can suggest a proper classification level to your employees or decide for them based on document content.
Once you have an optimal data classification strategy supported by any of the tools mentioned above, you must decide on which types of data might be, should be and should never be uploaded to the cloud. The analysis should also cover a case in which a sensitive file is already in the cloud. You must define how the access to the file should look like, how the file can be shared externally or how we can remediate any compromised data. Here again, the data protection process supported by DLP measures becomes crucial.
A visibility study of your organization’s document workflows is a great input for defining the required document workflows and recognizing the risky ones. Based on its results, the DLP/CASB solution can offer granularity in use case separation and differentiation based on data classification level and user types.
Making the best use of your capabilities for evolving needs
Using the capabilities described above, your organization can perfectly keep a close eye on how your data is used and exchanged — and react if data is being misused or transferred improperly. As an output of DLP controls, properly formed Security Operation Center (SOC) processes can easily detect and investigate each risky misuse of data in the customer environment.
Based on gaining maturity of your DLP project, DLP/CASB deployment should evolve along with the changing needs of your organization, legal requirements and new DLP/CASB capabilities. Thanks to DLP/CASB technology support, CISOs can be confident that data protection processes are fulfilled. All major DLP/CASB solutions offer prompts mechanisms which can be incorporated into the user education process.
To summarize and answer the original question, I would say
“Yes, you can move sensitive data to cloud, as long as there are no legal limitations, a proper security assessment and process maturity verification have been performed, and you can implement a technological solution covering at least data classification and DLP. In these circumstances, CISOs should be able to give a green light for moving sensitive data to secure cloud storage.”
About the author
BDS Cybersecurity Consultant, Atos
Krzysztof Staszałek has over 17 years of experience in professional IT, where for over 16 years he has been working in IT & Data Security sector. He was leading IT transformation in Polish Army structure where he was responsible to ensure that actions and processes were according to NATO and Military Counterintelligence standards and regulations. He gained huge experience in Alstom worldwide company in consolidation and integration fragmented infrastructure to global one, where whole process were regulated by many legal and security aspects including shaping enterprise Active Directory central management processes. At Atos he was one of the first member of Global Endpoint Protection Team, starting as Senior Engineer where, as part of the team he needed to support establishing and build services, develop team skills. He was promoted to act as Global Service Architect and Team leader role in DLP streamline. As GSA he was involved in numerous security transitions, consulting and BID’s. He has on account successful projects for biggest worldwide famous brands covering all project phases, starting on pre-BID, consulting, technical implementation and ending on working service. Since two years he is part of Global Consulting team, where he is working on challenging Cybersecurity projects for Atos Global customers.