We recently updated this blog with new strategy and an in-depth review of data classification & data tagging. Find the updated piece available here.
Not too long ago, crude oil was the most valuable commodity. Today, data replaces it as the most valuable commodity by far. Every business runs on data, whether it’s their own or someone else’s. So data governance, and data classification specifically ― locating, identifying, organizing, and maintaining data ― is critical to your company’s short- and long-term success. There’s simply no other way to ensure that you can access it efficiently or protect it effectively.
How do you begin on your data security plan? According to security experts Eric Kedrosky and Dave Shackleford, methodical data classification starts with one simple question: “What is my data?”
Finding Your Data
While the question, “What is my data?” is simple, putting it into practice is not easy. The first step in data governance is finding your data.
Chances are, your company is suffering from data sprawl. You may store some of your data locally and the rest on one or more cloud storage platforms. Data sprawl can be a serious issue, particularly when it comes to sensitive data.
It’s no longer enough to say that this data is sensitive, and that data is not. In fact, it’s no longer a binary conversation at all, because there are gradations of data sensitivity. And there are different data formats, data structures, and types of data storage, including the software-defined storage infrastructure that proliferates in cloud-based scenarios.
Not All Data Is Created Equal
Most organizations have a policy problem with data classification and data control, the management oversight of their information. This stems from treating all data as if it’s equal. In a security program, you need to understand what your data is, and how important it is to your business, so you can apply the right focus, the right resources, and the right controls to it.
Ask yourself what data drives your business and pays your bills. If bad actors steal the information on your company blog, for example, it probably won’t destroy your business. On the other hand, if they steal customer data, it could prove catastrophic.
Taming the Tiger
Your company undoubtedly has one or more documents defining its data classification standards, including access tiers, naming conventions, and so forth. But it probably doesn’t include sufficient emphasis on the disastrous ramifications of exposure, the end-game that could result if that data ends up in the wrong hands.
That’s why it’s time for you to review those documents. Were they created to protect PDFs and Word documents? What types of data do you have stored in the cloud today? Make sure that your classifications and standards are relevant and that your processes are pertinent to working in the cloud as well. Rewrite your data security policy based on the type of data that you have currently and where it’s stored. Establish clear guidelines that consider what would happen if this data was stolen or improperly exposed, and create a viable maintenance plan.
Consider Context and Risk
Adjust your data classification tiers according to context and risk. Data can apply to an individual, such as an HR record, a specific team within a company, or a group of people on a particular insurance plan.
Another consideration is data that applies to external entities. Many organizations are born in the cloud and offer services in the cloud, and they do data processing services for other companies. What are the potential risks of these types of third-party relationships on your company’s data? Do the different tiers of data applicability or data sensitivity applicability reflect potential negative outcomes?
The following examples drive these questions home.
Let’s say you’re Apple and that you stored your plans for the next iPhone or iPad in the cloud. That data applies to your entire organization. If it’s compromised, lost, or tampered with, the results on your company will be devastating.
In the FinTech space, third-party companies routinely take banking records from America’s largest banks, run analytics on them, process them, and provide an agreed-upon service using their data.
With these examples in mind, some questions to ask yourself are:
- How sensitive is the data that you’re sharing with a third party?
- How can you ensure they are taking the right precautions?
- How can you be sure that they’re transferring your data securely?
The Real Cost of Compromised Data
Data breaches and the resulting negative press can irreparably tarnish a company’s reputation. And regulators, under laws such as the GDPR (General Data Protection Regulation), levy hefty fines for data security breaches. The top fine to date is €746 million ($887 million).
Remember, they could fine your company for a data breach today … or years from now. That’s why you must update your data security documentation regularly to reflect new and updated regulatory controls and requirements.
And you should monitor your data continuously. Checking every 90 days is no longer a valid methodology. You must audit your data continuously to remain compliant.
No One-Click Solution
Each of the cloud providers ― Google, Azure, AWS ― has tools that can help you apply new or modified categories and security levels to your data. Because of data sprawl, this means that you’ll have to manage your data across multiple clouds using multiple tools.
Similarly, if you change from one cloud provider to another, many of your lessons learned, controls, and processes won’t be applicable.
Also, as tempting as it may seem, you can’t take data from one cloud storage account and run analytics that mix it with similar data from another cloud storage account. The data from both accounts may have been labeled as sensitive, for example, but the output is likely to be a combination of different tiers.
But classifying your data doesn’t have to be cumbersome. Sonrai Security has a data classification engine that works across all cloud providers. You can also use its out-of-the-box classifiers and build your own custom classifiers.
To learn more about data classification, please watch our webinar.