Data security should be a primary concern for organizations considering cloud computing. The possibility of having to move their data to the cloud is forcing many organizations to take a close look at their enterprise-wide data security policies and practices. Experts observe that many organizations are attempting to move to the cloud before they have achieved effective data governance. While many organizations treat data governance as a maintenance issue, migration to the cloud is finally highlighting the importance of a sound data governance strategy.
"You are not merely buying a cloud, you are choosing a partner and that choice has to be based on thorough due diligence. This process is essential. The most important barrier to the adoption of cloud computing is assurance - 'how do I know if it's safe to trust the cloud provider?' With today's complex IT architectures and heavy reliance upon third-party providers, there has never been a greater demand for transparency and objective metrics for attestation."
What is Data Governance?
Data governance is a broad and evolving discipline concerned with data quality, data management, data policies, business process management and risk management in an organization. The central objective of an effective data governance strategy is ensuring that only the right users have access to the right data at all times. A sound data governance program should include a governing body, a well-defined set of procedures and a plan for executing those procedures. Data governance and compliance concerns are generally the same whether data is stored in-house or in a cloud computing environment.
Data Governance Considerations in the Cloud
In August 2010, Microsoft released a whitepaper discussing data governance issues specific to the cloud computing context. The whitepaper identified a number of risks to data security, privacy and compliance. These risks are outlined below:
– Legal implications of moving data to a specific cloud service provider in a geographic location. Service provider rights and possible ownership of data must be clarified beforehand.
– Long-term viability of the cloud service provider should be considered. Decision makers should also look at the implications and costs of migrating to a different service provider in the future.
– A reasonable level of transparency should be guaranteed from the service provider, especially with regards to the security, privacy and compliance efforts. Transparency could be achieved through a combination of documentation, auditing and third party certifications.
– Data flows should be diagrammed, in order to understand security, privacy and compliance risks in the cloud. One way to do this is by using the Risk/Gap Analysis Matrix, which identifies gaps in existing protection and compliance measures of the organization, as well as those of the cloud service provider.
Key Services for Data Governance
Effective data governance requires three key services: control, transparency and rules. These services are sketched out below:
– Control – Information security professionals have the responsibility to control their organization's data assets. Uncontrolled data moves in a chaotic manner to locations that are often disadvantageous for the organization. Control must go beyond a set of policies; it must involve technology that keeps data identifiable, in known locations and under the control of individuals who ensure the data is safe, accessible and reliable.
– Transparency – Performance data (i.e. the data that documents the control technologies and shows that services are functioning correctly) must be collected and monitored by information security professionals within the organization. This means that the systems, devices and applications involved with the protected data must generate reports and provide evidence for investigation and remediation. Such transparent reporting can be a challenge when the data custodian is a vendor, contractor or third-party service provider.
– Rules – Control and transparency are impossible to attain if there are no rules in place. The organization must define: systems/devices subject to the rules; data to which the rules apply; conditions that trigger the rules; and the reporting data that will be generated. Currently, many data control rules under corporate governance are still rudimentary and based on common sense. This significantly affects the transparency and control of how data is used.
This article looks at the issue of data governance in the cloud. Although data governance concerns are the same whether data is stored on-site or in the cloud, the reality is that many organizations do not have effective data governance. The possibility of having to move to the cloud is highlighting the importance of a sound data governance strategy. This article introduces some key data governance concerns specific to the cloud: legal implications, long-term viability, transparency and data flow diagrams. It also describes the three key services for effective data governance in the cloud: control, transparency and rules.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
– Contractual Security Requirements (Domain 2)
– Data Security Lifecycle (Domain 5)
– Provider Selection (Domain 8)
– Key Management Standards (Domain 11)