by Sudhindra Kumar
In my previous blog, we took a peek at the key challenges that confront anyone who’s moving their data to the cloud. Let us see how to mitigate some of those challenges. Protecting data in the enterprise comes before protecting it in the cloud. If you don’t have the right data governance policies within the organization, then protecting data in the cloud is going to be a nightmare. Ensure that you have well-defined data classification, data tagging and access control guidelines in place before moving your data to the cloud.
This might sound hard to believe, but the truth is that many enterprises do not really know the type and amount of information they have. So the first step would be to perform an audit to identify the data and the access patterns within the organization. The next step would be to classify the data based on the policies defined. Data tagging enables enterprises to track and control their information. This could be achieved by storing the data classification category in the header, footer or the metadata of a file. Once this is done, you need to define guidelines for access control, data storage and archiving, data retention, etc.
Regulatory compliance management is a different ball game altogether. PCI DSS, HIPAA, SOX, GDPR, GLBA, HITECH, FISMA, ISO, PIPEDA, DPD… These are just a handful of the umpteen directives and regulations that enterprises need to comply with, depending upon the kind of data they handle. Non-compliance with the regulatory standards could lead to severe penalties and humongous business impact. Apart from the penalties, data breaches can severely dent customer confidence, irrespective of whether they were accidental or deliberate. Many of the regulations have overlapping controls, and hence enterprises have started adopting consolidated sets of compliance regulations to avoid duplication of effort. For example, there are international standards such as ISO/IEC 27002 from the International Organisation for Standardisation (ISO). The Distributed Management Task Force (DMTF) has the Open Cloud Standards Incubator, which provides a platform for standards related to cloud environments.
Data classification should specifically take into account data that is covered by regulations, and the classification should be reviewed on a regular basis to adapt to new mandates. Data should be classified based on data type, jurisdiction of origin, jurisdiction domiciled, contractual constraints, sensitivity, etc. Pursuant to local laws, anyone (including contractors) who will access sensitive information should be subject to background checks. An information security policy must be published and made accessible to all employees and contractors. In case your organization needs to meet stricter regulatory compliance guidelines, it might be better to maintain liaisons with local legislative/regulatory authorities in accordance with business requirements. All physical assets, data, and applications can be assigned a legislative jurisdiction to aid compliance.
In the next blog in this series, we’ll take a look at protecting data at rest and in transit.
Sudhi is a senior software engineer at NextLabs.