Click to learn more about author Tejasvi Addagada.
A recent survey of C-suite, information technology, and artificial intelligence practitioners offers interesting insights on the enablement of digital capabilities using cloud-based data capabilities. For instance, 68% of IT practitioners said they are using the cloud to store most of their data.
Other insights include the planning by the C-level on moving data over to the cloud for storage and using this data to serve artificial intelligence needs while driving strategic decisions: Nine out of 10 IT professionals believe that in the next two years, most of the data will be in the cloud and will aid them to go digital.
Choosing the correct data protection technology is critical in unlocking your data capital for business impact and operational advantages. Today’s majority of challenges in unlocking data protection approaches for organizations are listed below:
- Challenges in discovering exponential growth of data and importantly to identify personal and sensitive data
- Organizations have historically rolled out siloed purpose-based technologies into the landscape that secure only specific type of data, system, or environment
- Simplifying data further into logical partitions like data domains that assist in managing a group of personal data, at a specific pace
Privacy and Security Classifications by Data Privacy Offices
The first step for any data protection program starts with knowing where your sensitive data resides and flows. The next question that remains for global organizations: “How do we put a single privacy classification schema that rationalizes the privacy requirements across the data landscape as data is discovered?”
For example, while GDPR doesn’t classify financial information as personal data (SPDI), the India IT Act classifies such information as personal data. Thus, the context to creation, storage, distribution, and use of data provides direction to the privacy classification.
Data privacy offices can now use a combination of privacy and security classification techniques as listed below. These privacy requirements elicited can then drive the implementation of security controls either on-premise or in the cloud, for data-at-rest and data-in-motion.
- The data privacy office can categorize data into applicable regulatory and policy-based domains like the GDPR, PCI DSS, India IT Act, or SPDI rules.
- Further, the categorization of data can be extended to privacy domains including national identifiers, financial, and behavioral data, to name a few.
- Equipped with the privacy domains and classifications, the data office can classify data based on customer identification mechanisms (direct customer-identifying data, indirect customer-identifying data, or personal, sensitive personal, and special category data).
- The information security function will be more interested in providing information security classification like restricted, internal, or public, to name a few.
Data Management can bring further clarity to security, in the way data is managed in its lifecycle:
A data privacy function can bring focus on a critical technology control: data encryption. Encryption can act as the last line of security defense and applies protection and controls directly to personal data. Encryption of personal data ensures that data remains secure wherever it is distributed and renders it useless to attackers.
These days, the Zero-Knowledge encryption approach has become widely adopted, enhancing the security of data. Zero-Knowledge encryption means that service providers know nothing about the data you store on their servers.
I recently spoke with Ved Prakash, a cloud data security practitioner, about how organizations moving their workload into the cloud are encountering the key functional problem areas below:
- Visibility in encryption keys: Cloud service providers are perceived to provide limited visibility into key management and access by their users and by the internal privileged users
- Risk of data loss: Insufficient authorization control or DR services to ensure keys are not accidentally or intentionally deleted
- Vendor lock: Organizations would want to embrace hybrid cloud capabilities and would not want to be confined to cloud-specific key management services or vault
- Key lifecycle management: Native CSP key management services have limited ability to automate the lifecycle of keys, especially across multiple subscriptions
However, the decision to go with a third-party key store rather than the one provided by the cloud service provider is based on the risk appetite of the organization and perceived risk as well as the opportunity to embrace hybrid clouds.
Data in motion, also referred to as data in transit, is digital bytes of data transferred between locations, either within or between systems and storages. Data in motion can be data sent from an on-premise system to the cloud, or other exit points. Once the data arrives at its final destination, it becomes data at rest.
Securing the Sensitive Data in Transit In-Network and Inter-Data Center Traffic
With the digital transformation journey and the rapid growth of virtualization, big data applications, cloud, and data center services are now increasingly reliant on high-speed, high-availability data networks to deliver information when and where it is required.
Network data is at the greatest risk when it contains sensitive, confidential, or personally identifiable information. The high data volumes involved in everyday tasks become an alluring proposition for cyber-criminals, as they seek financial gain from the data, or metadata, available on the network traffic. The threat of malicious insider abuse also becomes much higher due to this.
As data leaves the perimeter of a controlled environment, one can’t be sure that it remains secure and doesn’t fall into the wrong hands.
When considering the protection of network data, organizations need to consider:
- Securing both the raw data source (video, audio, text, etc.)
- The metadata associated with it
The advanced data analysis tools available today enable unauthorized users to interrogate and interpret high volumes of data, both in transit and at rest.
There is a need to consider the high-speed network encryption technology that serves the data-centric security purpose without impacting network performance and availability.
According to Anirban Guha, a data practitioner and former colleague, the focus of the Data Management function has shifted to maintaining confidentiality, integrity, and availability of personal data on cloud storage. Further aspects to focus on are detailed below:
- Data Quality on the personally identifiable data identifying source systems and its lineage that can be tackled in the cloud
- CIA (Confidentiality, Integrity, Accessibility) rating (1 to 4 scale) on metadata confidentiality, integrity, and availability
- Segmentation based on domain-specific approaches like GDPR, CCPA
- Automatic onboarding of technical metadata by data domain discovery rule and linking with business metadata
Cloud practices can embrace the latest advancements in security that can securely store, move, and back up data in the cloud. One should look out for these aspects in the data as well as security solutions:
- Discovery of data in cloud storages using catalog services
- Automated classification of data in cloud storage
- Entitlement management for data on cloud storages
- Administration of column-level access through entitlements
- Administration of preferred techniques of masking, anonymization, pseudonymization, and redaction for personal data
- Secure management of data-in-motion as well as N-S and Inter-DC traffic
- Centralized management of encryption keys for hybrid cloud
- Full key lifecycle management and control
Various models of key management and encryption, for cloud services, have evolved in the recent past, including:
- Cloud service provider key store and encryption services as SAAS, PAAS, IAAS offerings
- Non-shared key-store services on cloud
- Bring your own key model – customer-managed keys
- Bring your encryption model – customer-managed encryption