Data Storage: In the Cloud, Or Not?
You want the benefits of cloud computing, but as a sensible IT professional, you also have one eye on security. How can you decide whether to store your data in a cloud environment or locally, and make those decisions systematically?
Earlier this year, HANDD Business Solutions asked 304 IT professionals in the UK what data security challenge kept them up at night. Whether to store data in the cloud or on their premises was by far the top concern, with over a third (35%) fretting about it.
On one hand, IT teams are under increasing pressure to take advantage of cloud computing’s cost savings and flexibility. On the other, they will be on the hook for any data breaches stemming from storing business data on infrastructures that they don’t control.
Know your data
Before they can make any decisions, they should understand what data they’re storing. A competent IT team will review each data record in the context of the business processes that it supports. They will understand the record’s sensitivity, and the privacy implications it carries. Only then can they accurately assess the risk of storing it in the cloud.
As data volumes increase, this information isn’t something they can do manually. Instead, they need an automated approach to classifying data and making routing and storage decisions based on that information.
Metadata is a key asset when classifying data in this way. When employees or business applications create a data record, they can tag it according to its sensitivity level. This then enables data management systems to decide where to store it according to pre-defined policies.
Act on your knowledge
These policies can be intricate, going beyond simple ‘cloud/no cloud’ decisions. If your automated system does store data in the cloud, whether to encrypt or not it will be another critical decision.
Simply encrypting all your cloud-based data regardless of sensitivity will bring its own challenges in terms of system performance and cost. By classifying data at the outset, administrators can automatically make policy-based decisions about data encryption.
Another approach to protecting data, particularly suited to hybrid cloud computing models, is tokenization. This substitutes data stored in the cloud with a token that referring back to data stored on the company’s premises. It is a powerful way to take advantage of the cloud’s capabilities while preserving data security.
These technologies are becoming increasingly important for cloud-based storage, not only for risk mitigation but also for legal compliance. The EU’s General Data Protection Regulation (GDPR) specifically cites encryption and ‘pseudonymisation’ (a concept that often uses token-based data protection) as privacy-enhancing measures.
GDPR will force companies to draw direct connections between the type of data that they store in the cloud with the measures used to protect it.
Which cloud to use?
All clouds are not equal. The kind of cloud service that you store your data in will also be a key consideration, as will your legal relationship with that service provider.
These days, companies often use multi-cloud strategies, storing data with different providers based on different parameters. According to over 1,000 professionals questioned in RightScale’s 2017 State of the Cloud survey, 85% of companies have a multi-cloud strategy. As your cloud strategy matures, you too may find yourself dealing with multiple parties based on the requirements for the data that you’re storing.
One distinction is whether to store data with a public cloud provider which allocates resources from a shared public pool, versus a single-tenant virtual private cloud environment which dedicates physical hardware, storage and network resources to your company alone.
Each of these service types has its pros and cons. Virtual private cloud storage may not offer as much flexibility when provisioning new computing and storage resources. On the other hand, it does provide security and compliance advantages.
Another decision to make when choosing a cloud provider is based on its location options for data storage. Some data in your organization may carry legal constraints around where you can store it. If regulations forbid you storing data about a country’s citizens somewhere else, you must ensure that your cloud service provider won’t violate that policy.
GDPR will also certainly affect how companies deal with their cloud providers contractually. Originally, data controllers (the companies that own the sensitive data), bore the burden of responsibility for protecting its privacy.
Under GDPR, which comes into effect May 25 2018, data processors (third party service providers that handle data) will share that responsibility. This will force cloud service providers to examine contracts more closely and determine the boundaries of liability. Legal discussions with your cloud service provider are likely to become a lot more intense.
Back to basics
Increased liability on the data processor’s part won’t let you off the hook as a data controller, though. Beyond understanding and classifying your data, there are some cybersecurity basics that will be mandatory as you move to a cloud-based world.
One of these is access management. Companies must also consider who will have access to that data, what permissions they will have based on their roles and responsibilities, and how the system will authorise those people securely. Identity and access management (IAM) systems will therefore play an important part in any cloud computing and storage strategy, just as they should do for data stored on your own servers.
Another challenge is data discovery. Creating processes for classifying new data is only the first step. Discovering and classifying the data already in your organization – or spread across your existing data processor service providers – is a critical task that you cannot afford to overlook.
Only after a thorough data audit will you be ready to make intelligent decisions about where and how you store your data in a cloud environment. By the time you complete that data mapping process, you’ll be ready to tackle the cloud, armed with a detailed understanding of what data you have, where it is – and just as importantly, what it means to you.