Knowledge Byte: Major Data Protection Considerations in the Cloud
Cloud Credential Council (CCC)
One of the most challenging aspects of moving to cloud deployment is transferring data from your local (on-premises) environment into the cloud.
While there are many criteria to consider when deciding how to implement and leverage file transfer activities within your organization, there are really a few simple areas to focus on:
● Choose a secure protocol such as:
○ SSH File Transfer Protocol (Secure File Transfer Protocol or SFTP)
○ Transport Layer Security (TLS)
○ Secure Sockets Layer (SSL)
● Implement data protection
● Utilize effective encryption technology
● Maximize access controls
● Leverage auditing and reporting functionality
● Adhere to corporate and industry compliance policies
Loss of Control on Data
The biggest risk in expanding existing storage into a public or multi-tenant cloud is a loss of control or perceived loss of control. A minimal outline that an organization should follow for security regulated data in the cloud is given below.
Data Classification
- Policy: Classify all data according to its sensitivity, for example, regulated, commercial, or collaborative data, to ensure secure and compliant handling.
- Process: Digitally tag or watermark all data according to the defined categories (regulated, commercial, or collaborative) prior to transmitting, storing, and using it within the cloud service.
Data Protection
- Policy: Protect all data according to its classification level to prevent misuse or abuse of the data.
- Process:
  - Define data usage contexts and flows based on known business processes and between systems.
  - Regulated and commercial: Encrypt all data at transfer and, if required by regulation, encrypt or create defined security groups.
Data Residency
- Policy: Define data residency within cloud contracts (for example, click-through or enterprise agreements) based on geographic boundaries, in accordance with the subscribers’ international and local data privacy laws.
- Process: Define corporate binding rules to restrict data transfer and exchange between systems, sites, and partners in line with country and regional regulatory restrictions.
Data Protection Issues in the Cloud
Some of the prominent issues that are common in relation to data transfer in the cloud are:
Issue 1: The majority of organizations do not have a mature data classification policy, process, or user education schemes for internal use of data.
Issue 2: Most organizations do not have a clean, single source of truth that identifies their authorized source of data (structured or unstructured).
Issue 3: Moving to the cloud without a data classification policy will only amplify the shortcomings of any data classification policy, process, or procedure.