CCSK Guide
18May/11Off

Data Governance in the Cloud

Data security should be a primary concern for organizations considering cloud computing. The possibility of having to move their data to the cloud is forcing many organizations to take a close look at their enterprise-wide data security policies and practices. Experts observe that many organizations are attempting to move to the cloud before they have achieved effective data governance. While many organizations treat data governance as a maintenance issue, migration to the cloud is finally highlighting the importance of a sound data governance strategy.

According to John Walker, Professor of Science & Technology, School of Computing & Informatics and member of ISACA (Information Systems Audit and Control Association) Security Advisory Group:

"You are not merely buying a cloud, you are choosing a partner and that choice has to be based on thorough due diligence. This process is essential. The most important barrier to the adoption of cloud computing is assurance - ‘how do I know if it's safe to trust the cloud provider?' With today's complex IT architectures and heavy reliance upon third-party providers, there has never been a greater demand for transparency and objective metrics for attestation."

 

What is Data Governance?

Data governance is a broad and evolving discipline which is concerned about issues of data quality, data management, data policies, business process management and risk management in an organization. The central objective of an effective data governance strategy is ensuring that only the right users have access to the right data at all times. Sound data governance programs should include a governing body, a well-defined set of procedures as well as a plan for executing these procedures. Issues of data governance and compliance are generally the same, whether data is stored in-house, or in a cloud computing environment.

 

Data Governance Considerations in the Cloud

In August 2010, Microsoft released a whitepaper discussing data governance issues specific to the cloud computing context. The whitepaper identified a number of risks to data security, privacy and compliance. These risks are outlined below:

 

–                    Legal implications of moving data to a specific cloud service provider in a geographic location. Service provider rights and possible ownership of data must be clarified beforehand.

–                    Long-term viability of the cloud service provider should be considered. Decision makers should also look at the implications and costs of migrating to a different service provider in the future.

–                    A reasonable level of transparency should be guaranteed from the service provider, especially with regards to the security, privacy and compliance efforts. Transparency could be achieved through a combination of documentation, auditing and third party certifications.

–                    Data flows should be diagrammed, in order to understand security, privacy and compliance risks in the cloud. One way to do this is by using the Risk/Gap Analysis Matrix, which identifies gaps in existing protection and compliance measures of the organization, as well as those of the cloud service provider.

 

Key Services for Data Governance

Effective data governance requires three key services: control, transparency and rules. These services are sketched out below:

–                    Control – Information security professionals have the responsibility to control their organization's data assets. Uncontrolled data moves in a chaotic manner to locations that are often disadvantageous for the oraganization. Control must go beyond a set of policies; it must involve technology that keeps data identifiable, in known locations and in the control of individuals who ensure the data is safe, accessible and reliable.

–                    Transparency – Performance data (e.g. the data that documents control technologies and ensures that services are functioning correctly) must be collected and monitored by information security professionals within the organization. This means that the systems, devices and applications involved with the protected data must generate reports and provide evidence for investigation and remediation. Such transparent reporting can be a challenge when the data custodian is a vendor, contractor, or third party service provider.

–                    Rules – Control and transparency are impossible to attain if there are no rules in place. The organization must define: systems/devices subject to the rules; data to which the rules apply; conditions that trigger the rules; and the reporting data that will be generated. Currently, many data control rules under corporate governance are still rudimentary and based on common sense. This significantly affects the transparency and control of how data is used.

 

Summary

This article looks at the issue of data governance in the cloud. Although data governance concerns are the same whether data is stored on-site or in the cloud, the reality is that many organizations do not have effective data governance. The possibility of having to move to the cloud is highlighting the importance of a sound data governance strategy. This article introduces some key data governance concerns specific to the cloud: legal implications, long-term viability, transparency and data flow diagrams. It also describes the three key services for effective data governance in the cloud: control, transparency and rules.

 

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

–                    Contractual Security Requirements (Domain 2)

–                    Data Security Lifecycle (Domain 5)

–                    Provider Selection (Domain 8)

–                    Key Management Standards (Domain 11)

 

Enjoy this article?

Consider subscribing to our rss feed!

Tagged as: , , , , , Comments Off
Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

No trackbacks yet.

» «

Login

Sponsored Links

Tags

access control Amazon Amazon EC2 API audit authentication authorization best practices compliance contracts CSA data breach data breaches data security disaster recovery encryption EU google government IaaS IAM identity identity federation interoperability lock-in management Microsoft open source PaaS portability private cloud provider selection public cloud risk management risks SaaS security SOA standards threats trends vendors virtualization virtual machines vulnerabilities

Archives

Meta



Our mission: Provide reliable and accurate information to cloud security professionals seeking CCSK certification.



We expect individuals seeking the Certificate of Cloud Security Knowledge will find our information specifically targeted at their CCSK pursuit useful. Our test preparation software and forums give candidates a higher chance for success.

Thank you for visiting. Since you're new to the site:
  • Please review the user agreement.
  • Register for the site so you may use the testing services.



    • We hope you find this service useful, and good luck on the exam!