Migrating sensitive data to the cloud – a detailed look

A checklist helps with migrating sensitive data to the cloud and provides benefits to overcome the common pitfalls regardless of the source of the data. It serves merely as a blueprint for a smooth secure transition.

Characterizing permitted use is the first step data teams need to take to address data protection for reporting. Modern privacy laws specify not only what constitutes sensitive data but also how the data can be used. Data teams must classify the usages and the consumers. Once sensitive data is classified, and purpose-based usage scenarios are addressed, role-based access control must be defined to protect future growth. Examples of sensitive data include confidential corporate information, information licensed for use under a data use agreement, privileged attorney-client data, export-controlled research, details of implemented security controls, credit card and other payment information, public safety information, username/password combinations, calendars and individual schedules, Email, intellectual property and trade secrets, and corporate operations improvement. Sensitive data detection and classification involves both the automated and human assessments to review potentially sensitive data and categorize it to the appropriate data set. Understanding the data consumers and their data usages simplifies building access control policies which in turn reduces administration and enhances security.

Devising a strategy for governance is the next step. This is meant to prevent intruders and is meant to boost data protection by means of encryption and database management. Fine grained access control such as attribute or purpose-based ones also help in this regard. By separating the storage from compute, erstwhile access control policies can be done away with. With unlimited storage and computational resources and data virtualization that simplify data models, access controls can be reframed to accommodate these characteristics.

Embracing a standard for defining data access policies can help to limit the explosion of mappings between users and the permissions for data access. This gains significance when a monolithic data management environment is migrated to the cloud. Failure to establish a standard for defining data access policies can lead to unauthorized data exposure. This is also an opportunity to simplify standardization of data access policies by replacing user-based data policies with abstractions that can manage different data attributes, abstract roles and defined contexts.

When migrating to the cloud in a single stage, an all-at-once data migration must be avoided as it is operationally risky. It is critical to develop a plan for incremental migration that facilitates development testing and deployment of a data protection framework which can be applied to ensure proper governance. Decoupling data protection and security policies from the underlying platform allows organizations to tolerate subsequent migrations. Data protection and governance can be made portable which allows us to move from one cloud service provider to another. The data security and protection aspect of any migration plan must be simplified so it can be easily understood by teams under rotation.

There are different types of sanitizations such as redaction, masking, obfuscation, encryption tokenization and format preserving encryption. Among these static protection in which clear text values are sanitized and stored in their modified form and dynamic protection in which clear text data is transformed into a ciphertext are most used. Static data protection is not flexible to meet the opposing demands for visibility by different sets of consumers. Dynamic enforcement, on the other hand, avoids the need to make copies and enables control based on user-attributes.

Finally defining and implementing data protection policies brings several additional processes such as validation, monitoring, logging, reporting, and auditing. Having the right tools and processes in place when migrating sensitive data to the cloud will allay concerns about compliance and provide proof that can be submitted to oversight agencies.

Compliance goes beyond applying rules and becomes a process to verify that laws are observed. The right tools and processes can allay concerns about compliance.