The adoption of cloud computing is on the rise today and organizations are using it to enable ubiquitous, convenient, on-demand broad network access to provide the required data functionality and information to their employees or partners. While the benefits of cloud computing are clear for many organizations including cost savings, improved operational efficiencies, elasticity, optimization of resources, improved collaboration and mobility, data privacy and protection still remain the biggest concern associated with cloud computing. Organizations are looking for effective strategies to protecting their data while still being compliant to relevant industry regulations. Others are relying on 3rd party or independent software vendors to provide the required protection for their data. According to a report by the Information Security Community on LinkedIn, Encryption of data at rest, and in motion on networks, top the list of most effective security technologies to protect data in the cloud. (‘Cloud Security: 2016 Spotlight Report’). Others are Intrusion Detection & Prevention, and access control technologies such as Cloud Access Security Brokers (CASB).
Choosing the Right Strategy…
Data classification, identifying data protection requirements and the type of processing they require should be part of the first steps for developing effective strategies as adopting ‘one-size-fits-all’ approach may not be appropriate particularly for organizations with different classes of data. Using the Data Security Life Cycle (introduced by Securosis and incorporated into the Cloud Security Alliance (CSA) Guidance) helps identify the different purposes for data and enables the organization to create a more ‘defense-in-depth’- like approach to building security controls based on the different purposes of data and the classification. The data life cycle is composed of six different stages from creation to destruction and while the life cycle may be seen as a linear process, data may skip or switch between the different stages.
Create: Creation is the acquisition or generation of new content or the alteration/update of existing content. This stage is the preferred time to classify content according to its sensitivity and value to the organization in order to implement appropriate security controls.
Store: This is the act of committing the data to storage repository and often occurs simultaneously with data creation. When storing data, it should be protected according to its classification level. Data at rest controls such as encryption, access controls, logging, monitoring and backups may be implemented at this stage.
Use: This is when data is processed, viewed or used for some type of function or activity (excluding modification). Data in use controls may be controls such as Data Loss Prevention (DLP), Information Rights Management (IRM), Database or File Access Monitors which may be implemented to audit access to data or prevent unauthorized access
Share: Data sharing occurs when information is made accessible to colleagues, customers or partners. Maintaining security here may be quite challenging since data that is shared may no longer be within the organization’s control. DLP may be used to detect unauthorized sharing while IRM may be used to maintain control over the data.
Archive: This occurs when data is leaving active use and entering long-term storage. Regulatory requirements should be considered while different controls and providers may be part of this stage
Destroy: Data destruction can mean logical erasure of pointers or permanent data destruction using physical or digital means. Consideration should be made according to regulation or the data classification type used.
The data security life cycle enables the organization to map the different stages of the life cycle against the required controls that are relevant for each phase. When determining the different types of controls to be used at the different stages, the following questions need to be answered:
- Who or what (devices, applications, etc.) can access the data?
- What locations are these ‘actors’ in?
- Where is the data located?
- How does data move between locations?
- At what stages in the life cycle can data move between locations?
Once answers to these questions are known, organizations are more empowered to choosing the right strategies to protecting their data in the cloud and implementing appropriate data security controls based on their data classification and life cycle.