Moving applications and data to the cloud is no longer a question of if, but of how and when. All data moved to and stored in the cloud must be protected at least as strongly as data stored on premises. Unfortunately, data protection is too often overlooked.
Increased regulatory attention highlights the need for a strong focus on data protection. The European Union has enacted the General Data Protection Regulation (GDPR). In the U.S., California has passed the California Consumer Privacy Act, which other states are looking at as a model. Brazil and other countries are following suit. Regulators are backing up their demand that organizations maintain visibility into how information is processed and stored with painfully high penalties for those that fail. Whether your organization runs a hybrid environment with data both on premises and in the cloud, or is transitioning fully to the cloud, it is more crucial than ever to develop a strong data protection strategy.
Understand the threats, establish accountability
Accountability is vital. Organizations need to think about data governance in a new way. Your business as a whole is ultimately accountable for data protection. Meeting that responsibility takes an integrated approach involving all functions with day-to-day data responsibilities—the security function should not bear the burden alone. Effective coordination among the privacy, security, risk, and legal functions is crucial for the success of a cloud-based data protection program. Risk mitigation and compliance must also play key roles.
Unfortunately, data protection is frequently not a central focus for organizations migrating to the cloud. Instead of being part of an integrated data protection strategy, key data protection controls such as data classification, use and sharing, retention, encryption, and leakage prevention are addressed on an ad hoc basis and added only when convenient. This leads to the implementation of incomplete and unscalable data protection controls.
“Through 2023, at least 99% of cloud security failures will be the customer’s fault”
- Gartner, “Magic Quadrant for Cloud Access Security Brokers”
The first step to protecting data in the cloud is to understand the threat landscape so that you can put proper data protection measures in place. Strong cybersecurity and data privacy capabilities are a key benefit offered by the major cloud providers, but responsibility is shared: the provider secures the underlying infrastructure, while you remain responsible for your data, your identities and access, and the configuration of the services you use. Your on-premises responsibilities remain, and new ones must be considered. As you move to the cloud, leverage your provider's capabilities by ensuring they are properly configured and enabled; a control that exists but is left switched off (encryption, logging, access restrictions) protects nothing. You may also need an additional layer of security and monitoring. Gartner's prediction that through 2023 at least 99% of cloud security failures will be the customer's fault highlights why organizations must clearly define a strategy and approach for setting up adequate controls to ensure data security.
Strong fundamentals for a data-centric approach
We believe that a data-centric approach based on solid security fundamentals is the right way to protect your data in the cloud. You should introduce, integrate and maintain proper data protection controls before, during and after data migration. Following are five key data protection fundamentals that drive effective data protection:
- Data classification. Implement proper data classification methods. By classifying data, your organization can determine the sensitivity and criticality of information going into the cloud. Since your visibility into both structured and unstructured data is reduced in the cloud, classification is what lets you match controls (encryption, access restrictions, monitoring, retention) to the sensitivity of each data set rather than applying one level of protection to everything.
- Data use and sharing policies. Define policies and guidelines that tell users how data may be used and shared within and outside the organization. With so many types and formats of data created across an organization, employees find it difficult to identify and handle information according to its sensitivity, and the cloud adds new use cases, such as external sharing links, synchronization to personal devices and third-party integrations, that make the picture more confusing. Clear data use and handling rules create a common standard across the organization, allowing employees to apply the appropriate safeguards for each classification.
- Encryption. Encryption is one of the most important controls your organization should consider. Unlike data on premises, data in the cloud is reachable over the internet by design, so it has a greater level of exposure. Cryptographic controls protect the confidentiality of data in transit and at rest and, with authenticated encryption or message authentication codes, its integrity; availability is a separate concern that encryption does not provide, and losing the keys destroys availability outright, so key management is part of the control rather than an afterthought. The major providers offer encryption at rest and TLS in transit; enable them, and decide deliberately who holds the keys. Provider-managed keys protect against a lost disk but not against anyone who can access your account, whereas customer-managed keys (in the provider's key management service or your own HSM) let you control, audit and revoke access to the data. Where the provider must never see plaintext, an encryption gateway, typically a proxy offered as part of a cloud access security broker (CASB), intercepts access to cloud-based data and encrypts or tokenizes sensitive fields before they leave your control, so the provider stores only ciphertext or tokens and the data is protected as it flows between user devices and the cloud. This is especially important for organizations that allow employees to bring their own devices.
- Data loss prevention (DLP). DLP is also of paramount importance. You lose some visibility into data in the cloud because you no longer have direct access to the infrastructure, and both malicious outsiders and insider threats are on the rise. Extending your on-premises DLP policies to the cloud, through provider-native DLP features or a CASB, lets you scan stored and shared content for sensitive data and flag risky handling. This gives your organization greater visibility and holistic security monitoring of all your data, whether it resides on premises or in the cloud. Detections trigger alerts to the appropriate administrators and data owners, giving the organization a more comprehensive capability to respond. Tune the detection rules (for example, validate card numbers with their checksum rather than matching any run of digits) so that alerts stay actionable; a DLP system that cries wolf ends up switched off.
- Data retention and deletion rules. Your organization must establish and enforce proper data retention and deletion rules. As more information is migrated to the cloud, controlling the proliferation of sensitive information quickly becomes unmanageable. Defining retention periods up front, aligned with company policy, helps ensure information is deleted at the end of its business purpose. A strong retention and deletion practice stores data that will be needed in the future, organizes it so it can be found and produced when requested, and discards data that is no longer required. In the cloud, deletion must also reach the copies the platform keeps on your behalf: object versions, snapshots, backups and cross-region replicas.
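The encryption fundamental above describes encrypting data before it reaches the cloud and keeping control of the keys. The following Go program is an added example written for this article, not code from the original page or from Grant Thornton: it implements envelope encryption, where each object is sealed with its own data key under AES-256-GCM and that data key is wrapped under a key encryption key (KEK). The KEK is an in-process byte slice here as an assumption so the example runs offline; in practice it would be a KMS or HSM key and the wrap and unwrap steps would be calls to that service. Binding the object name into the authentication tag as associated data is a choice made for the example.

```go
// Added example (not from the original article): envelope encryption of an
// object before upload. Each object gets a fresh 256-bit data encryption key
// (DEK) sealed with AES-256-GCM; the DEK is wrapped under a key encryption key
// (KEK). In production the KEK lives in a KMS/HSM and wrap/unwrap are calls to
// it; here it is an in-process byte slice (an assumption so this runs offline).
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what lands in the bucket: ciphertext plus the wrapped DEK.
// Neither is useful to anyone who cannot unwrap with the KEK.
type StoredObject struct {
	WrappedDEK []byte // nonce || AES-GCM_KEK(DEK)
	Ciphertext []byte // nonce || AES-GCM_DEK(plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prefixing the random nonce. aad is
// authenticated but not encrypted: binding the object name means a ciphertext
// copied to a different object name fails to decrypt.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the data or aad was modified.
func open(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt builds the object to store: random DEK, seal the plaintext under it,
// then wrap the DEK under the KEK. The plaintext DEK is never stored.
func Encrypt(kek, plaintext []byte, objectName string) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and opens the ciphertext. Any change to
// the ciphertext, wrapped key or object name is rejected, not silently decoded.
func Decrypt(kek []byte, obj *StoredObject, objectName string) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // stands in for a KMS-held key (assumption)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, _ := Encrypt(kek, []byte("customer record 42"), "customers/42.json")
	pt, err := Decrypt(kek, obj, "customers/42.json")
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	obj.Ciphertext[len(obj.Ciphertext)-1] ^= 0x01 // flip one stored bit
	_, err = Decrypt(kek, obj, "customers/42.json")
	fmt.Println("after tampering:", err)
}
```

Two properties are worth noting. The storage provider only ever sees ciphertext and a wrapped key, so a leaked bucket is not a leaked data set as long as the KEK stays with you. And because AES-GCM authenticates, a flipped bit, a ciphertext moved to another object name, or the wrong KEK all fail with an error instead of yielding corrupted plaintext. The per-object DEK also keeps each data key to a single encryption, so the random-nonce limits of GCM apply only to the KEK, which should be rotated well before it has wrapped on the order of 2^32 keys.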
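The classification, DLP and retention fundamentals above all hinge on being able to find sensitive values in content and act on what is found. The following Go program is an added example for this article, not the article's own code nor any vendor's DLP engine: it scans a constructed sample document for payment card numbers and SSN-shaped values, validates card candidates with the Luhn checksum so that random digit runs do not fire, derives a classification level from the findings, and applies a per-level retention period. The two levels, the patterns and the retention periods are assumptions chosen for the example.

```go
// Added example (not from the original article): a minimal DLP content scan of
// the kind run over files before upload or over objects already in cloud
// storage. It finds payment card numbers (Luhn-validated, so random digit runs
// don't fire) and US SSN-shaped values, derives a classification level from the
// findings, and applies a retention rule to that level. Patterns, levels and
// retention periods are assumptions for the example, not the article's policy.
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

type Level int

const (
	Internal Level = iota
	Restricted
)

func (l Level) String() string { return [...]string{"Internal", "Restricted"}[l] }

type Finding struct{ Kind, Match string }

var (
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`) // 13-19 digits, optional separators
	ssnRe  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

// luhn reports whether a digit string passes the checksum card numbers carry.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Scan returns every sensitive value found in text, cards first, then SSNs.
func Scan(text string) []Finding {
	var out []Finding
	for _, m := range cardRe.FindAllString(text, -1) {
		if luhn(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
			out = append(out, Finding{"card", m})
		}
	}
	for _, m := range ssnRe.FindAllString(text, -1) {
		out = append(out, Finding{"ssn", m})
	}
	return out
}

// Classify: any card or SSN makes the document Restricted; otherwise it stays
// Internal (assumption: nothing is treated as public unless marked so).
func Classify(f []Finding) Level {
	if len(f) > 0 {
		return Restricted
	}
	return Internal
}

// Retention periods per level (assumed values).
var retention = map[Level]time.Duration{
	Internal:   3 * 365 * 24 * time.Hour,
	Restricted: 365 * 24 * time.Hour,
}

// ShouldDelete is true once an object is older than its level's retention
// period. A level with no entry is kept: a policy gap fails toward retaining.
func ShouldDelete(l Level, created, now time.Time) bool {
	p, ok := retention[l]
	return ok && now.Sub(created) > p
}

func main() {
	// Constructed sample document; the second number fails the Luhn check.
	doc := "Card 4111 1111 1111 1111 exp 12/26; ref 4111111111111112; SSN 123-45-6789."
	f := Scan(doc)
	lvl := Classify(f)
	fmt.Println(f, lvl)
	created := time.Now().Add(-400 * 24 * time.Hour)
	fmt.Println("delete?", ShouldDelete(lvl, created, time.Now()))
}
```

The Luhn check is the kind of precision rule the DLP item calls for: in the sample, the second sixteen-digit value matches the pattern but fails the checksum and produces no finding, while the spaced card number and the SSN do. ShouldDelete deliberately keeps objects whose level has no retention entry, so a gap in the policy table errs toward retaining data rather than destroying it.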
By integrating these fundamentals with the right tools and with accountable governance, well-defined processes, clear communication, effective sustainment, and timely and accurate reporting, your organization can develop a balanced strategy that significantly improves compliance with legal regulations and reduces the risk of data-related incidents. Our recent webinar on trends in data security and privacy in the cloud offers more detail.
How Grant Thornton can help
While many companies understand the challenges presented by the cloud, taking the first step is often difficult. Many still rely on legacy processes, which leave them vulnerable to human error and malicious attacks. Without a clear strategy, and with a shortage of cloud and data protection talent, it is hard for an organization to make headway.
At Grant Thornton, we have developed a proprietary framework for implementing strong protection and security controls around your data. By leveraging our data protection and cloud experience, we can help ensure that you are prepared to handle the issues that arise. The best time to handle an attack is before it happens. Together, we can help ensure that your data remains only your data.